Trust Centre

Data Processing Agreement

How Cadence handles church data in line with UK GDPR expectations.

Churches and organisations using Cadence remain the data controllers of the personal data they place into the platform. Cadence acts as a data processor, providing the software and related services needed to support volunteer scheduling, team coordination, and service planning.

Our Data Processing Agreement (DPA) sets out how Cadence processes personal data on a customer’s behalf, the safeguards we apply, and how subprocessors are used.

What the DPA covers

Roles and responsibilities

The DPA explains the relationship between your organisation as controller and Cadence as processor.

Processing on your instructions

Cadence processes customer personal data only to provide the service you have signed up to use, and in line with your instructions and applicable law.

Confidentiality and security

The DPA covers the expectation that personal data is handled securely and only by people or providers who need it for service delivery.

Subprocessors

Cadence uses a limited number of third-party providers to help operate the service. These may include providers for hosting, payments, email delivery, support, and analytics. We publish those providers on our Subprocessors page for transparency.

International transfers

Where customer personal data is transferred outside the UK, we rely on the safeguards made available by our providers and reflected in our DPA, such as standard contractual clauses and, where applicable, DPF-related safeguards. Stripe states that its DPA forms part of its services agreement, and Loops and Resend both publish transfer-related protections in their legal materials.

Data subject rights

Cadence supports customers in responding to legitimate data rights requests where needed. Cadence provides tools that allow church administrators to export their organisation’s data and to delete individual records where appropriate.

Deletion and return of data

The DPA explains what happens to customer data when the service ends, including deletion or return of data where applicable, subject to legal and technical constraints.

Incident handling

If a security incident affects customer personal data, Cadence will investigate and communicate with affected customers as required.

Our current provider position

Some providers used by Cadence make a Data Processing Agreement available as part of their standard service terms. For example:

• Stripe includes its DPA as part of its services agreement

• Resend and Loops both publish DPAs and related privacy materials

• Webflow describes its use of appropriate data transfer mechanisms and subprocessors

Some infrastructure providers used by Cadence do not currently provide a standard DPA for self-service plans. In these cases, we rely on their published Privacy Policies and Terms of Service to understand how data is handled.

For example:

• Emergent AI (Emergent Labs Inc.) publishes its Privacy Policy and Terms of Service, and states that data may be processed in the United States and India, with security measures such as encryption, access controls, and monitoring in place.

Cadence is designed to complement the systems churches already use, while giving leaders greater confidence that volunteer data is handled with clarity, care, and appropriate safeguards.

Need a signed DPA?

If your church or organisation requires a copy of Cadence’s Data Processing Agreement, contact us and we’ll provide the current version for review and signature where required.

Request the DPA
UK churches onboarding now — join the waitlist