Data Processing Agreement (DPA)

This is a courtesy translation. In case of discrepancy, the French version prevails.

Roles

In the context of using the unitae.app service, each local congregation is the data controller of its data. It determines the purposes and means of processing the personal data of its members.

MindsersIT acts as data processor. MindsersIT processes personal data only on documented instructions from the data controller and within the scope of providing the service.

Subject matter and duration

  • Subject matter: hosting and processing of local congregation data via the Unitae platform
  • Duration: for the entire duration of the subscription to the unitae.app service
  • Types of data: identification data, contact details, religious data (special category), activity reports, territory assignments
  • Data subjects: members of the local congregation

Processor obligations

MindsersIT commits to:

  • Process data only on documented instructions from the data controller
  • Ensure confidentiality: anyone with access to the data is bound by a confidentiality obligation
  • Implement appropriate technical and organizational security measures (Article 32)
  • Not engage another sub-processor without prior written authorization — the list of sub-processors is published and kept up to date
  • Assist the data controller in responding to data subject rights requests (built-in export and anonymization tools)
  • Notify the data controller without undue delay in the event of a data breach (and assist with CNIL notification within 72 hours)
  • Delete or return data at the end of the contract, at the data controller's choice (JSON export available)
  • Make available the information necessary to demonstrate compliance with obligations and allow audits

Special category data

The processed data includes data revealing religious beliefs (Article 9 of the GDPR). MindsersIT implements enhanced protection measures:

  • Strict data isolation per congregation (PostgreSQL Row-Level Security)
  • Encryption in transit (TLS) and at rest
  • Granular access control (20 fine-grained permissions, built-in and custom roles)
  • Hosting exclusively in the European Union (OVH France)
  • Explicit consent collected from each user

International transfers

Primary data is hosted in France (OVH). Some sub-processors are located in the United States and are covered by the EU-US Data Privacy Framework. See the full list of sub-processors.

End of contract

At the end of the subscription, the data controller may:

  • Export all congregation data in JSON format
  • Request complete data deletion (irreversible anonymization)

MindsersIT deletes the data within 30 days after the end of the contract, unless legally required to retain it.

Contact

For any questions about data processing or to obtain a signed copy of the DPA: privacy@mindsers.it