Data Processing Addendum
1. The plain version
When a church uses Codencio, the church is the data controller (it decides what data to collect and why) and Codencio is the data processor (it stores and processes the data on the church's behalf, only as instructed). This document captures the obligations that come with that role, mostly mapped to GDPR Article 28 because that's the strictest common standard.
A counter-signed copy is available on request: legal@codenc.io.
2. Definitions
- "Customer" — the church, organization, or individual that has accepted the Codencio Terms of Service.
- "Codencio" — CodeMushroom LLC and its affiliates operating the codenc.io and app.codenc.io services.
- "Customer Personal Data" — personal data Codencio processes on Customer's behalf in providing the service.
- "Data Subject" — the individual to whom Customer Personal Data relates (typically a member, volunteer, or visitor of the Customer's church).
- "Sub-processor" — a third party engaged by Codencio to process Customer Personal Data.
- "Applicable Data Protection Law" — any law applicable to processing of Customer Personal Data, including GDPR (if Customer or Data Subjects are in the EU/UK), CCPA/CPRA, and any U.S. state or sector-specific laws.
3. Scope and roles
This Addendum applies to Codencio's processing of Customer Personal Data on Customer's behalf to provide the service.
- Customer is the controller. Customer determines the purposes and means of processing — what to upload, who to invite, what to collect via Connection Cards, etc.
- Codencio is the processor. Codencio processes only on documented instructions from Customer (which include the Customer's use of the service per its documented features).
4. Subject matter, duration, nature, and purpose
| Element | Description |
|---|---|
| Subject matter | Provision of church-administration software (service planning, slide projection, volunteer scheduling, communications, prayer / connection-card workflows). |
| Duration | For the term of the underlying Terms of Service plus the data-retention windows described in the Privacy Policy. |
| Nature of processing | Storage, retrieval, transmission, organization, and structured display of Customer Personal Data via the Codencio service. |
| Purpose | Operating the Codencio service for Customer's internal church administration as defined in the Terms of Service. |
5. Categories of Data Subjects and personal data
| Category of Data Subject | Categories of personal data typically processed |
|---|---|
| Church staff and volunteers | Name, email, phone, role, schedule assignments, two-factor enrollment metadata, push-notification subscriptions, audit-log entries on actions they take. |
| Members and attendees | Name, email, phone, address (if Customer collects it), small-group / ministry affiliations, prayer requests they have submitted (when a name is attached), birthdays. |
| Visitors / first-time guests | Whatever Customer's Connection Card form collects (typically name + email + interests + free-form notes). IP address and user-agent for abuse forensics, deleted automatically after 30 days. |
| Public / projection viewers | For Public Prayer Wall and Follow-Live attendees: only what they voluntarily submit (typically anonymous prayer pulses or first-name prayer requests). Their device IP for rate-limiting, deleted in <= 30 days. |
Codencio does not intentionally process special-category data (health, racial / ethnic origin, sexual orientation, religious beliefs in detail, etc.). To the extent Customer chooses to record such data in free-form notes, Customer is responsible for the legal basis under Applicable Data Protection Law.
6. Codencio's obligations as processor
6.1 Documented instructions
Codencio will process Customer Personal Data only on Customer's documented instructions, which include: (a) Customer's use of the service in accordance with the Terms of Service; (b) configuration choices Customer makes in the application (data-retention settings, role permissions, etc.); and (c) any further written instructions agreed between the parties. Codencio will notify Customer if it believes an instruction violates Applicable Data Protection Law.
6.2 Confidentiality
Codencio ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
6.3 Security
Codencio implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2+ for all traffic).
- Encryption at rest for backups (AES-256 server-side encryption on AWS S3).
- Tenant isolation enforced at the database query level on every request.
- Two-factor authentication available for all administrator accounts.
- Hash-only password storage; production credentials never accessed in plaintext.
- Access to production infrastructure restricted to a small named set of operators with hardware-key-protected SSH access.
- Append-only audit log of privileged actions retained for 12 months.
- Regular software-supply-chain monitoring (NuGet vulnerability advisories, npm audit).
6.4 Sub-processors
Codencio uses the following sub-processors as of the effective date. We give Customer notice (via email or in-app banner) at least 30 days before adding or replacing a sub-processor; Customer may object on reasonable grounds, in which case the parties will work in good faith to agree on an alternative or, if no agreement can be reached, Customer may terminate the affected service.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services, Inc. | Compute, database, object storage, DNS | US (us-east-2; DR copies in us-west-2) |
| WorshipTeam.com | Optional integration: live song-library passthrough at Customer's request | US |
| Google LLC | Outbound transactional email (Workspace SMTP, default for Codencio platform email; OR Customer-provided SMTP per Customer's church-email-config setting) | US |
| Google LLC (FCM) | Push-notification delivery for native and PWA installs | Global |
| Internet Security Research Group (ISRG, Let's Encrypt) | Free TLS certificate issuance for Customer custom domains (when configured) | US |
| Stripe, Inc. | Subscription billing for Customer's Codencio plan; and donation processing when Customer enables online giving | US |
Two Codencio-specific data flows worth calling out:
- Public-site contact relay. When a website visitor sends a message via the "Contact Name" button on a Customer staff card, the visitor's name + email + message are stored in the recipient's in-app inbox AND forwarded to the recipient's email via the configured SMTP path (Customer-provided or default). The visitor sees a thank-you confirmation; the staff email is not exposed in the page or in the response. Categories of data: limited identification + free-form message body. Retention: in-app inbox indefinite (Customer-managed); email transit logs 30 days.
- Custom domains. When Customer publishes their site at their own domain, visitor traffic to that domain is served from Codencio infrastructure under the same protections as the codenc.io subdomain. TLS certificates are issued via Let's Encrypt on Customer's behalf; as the Certificate Transparency (CT) standard requires, each issuance is recorded in public CT logs, so the Customer's domain name is publicly visible there.
6.5 Data subject requests
Codencio will assist Customer, taking into account the nature of processing and information available, in fulfilling Customer's obligations to respond to Data Subject requests for access, rectification, erasure, restriction of processing, portability, and objection. The application provides in-product tools for the most common requests (export and deletion); Codencio engineering will assist with complex cases on a best-effort basis.
6.6 Breach notification
Codencio will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting Customer Personal Data, providing the information needed for Customer to meet its own breach-notification obligations.
6.7 Data Protection Impact Assessments
Codencio will provide reasonable assistance to Customer in carrying out Data Protection Impact Assessments and prior consultations with supervisory authorities, where Applicable Data Protection Law requires them.
6.8 Audits
Codencio will make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum. On reasonable advance written notice and not more than once per year (except where required by a supervisory authority or after a security incident), Customer or its independent auditor may conduct an audit of Codencio's data-protection practices, subject to confidentiality and reasonable restrictions on disruption to operations.
6.9 Return or deletion at termination
On termination of the underlying Terms of Service, Codencio will, at Customer's choice, delete or return all Customer Personal Data within 30 days, except where retention is required by Applicable Law (in which case Codencio will document what is retained and why). Backups age out per the retention schedule in the Privacy Policy.
7. International transfers
Codencio's primary infrastructure is in the United States (AWS us-east-2). For Customers in the EU / UK, where applicable, Codencio relies on the EU Standard Contractual Clauses (Module Two: Controller to Processor, 2021/914) and the UK International Data Transfer Addendum, which are deemed incorporated into this DPA on Customer's signed request.
8. Term, conflicts, and signature
- Term. This Addendum is effective from the date Customer accepts it (or executes a counter-signed copy) and remains in force for as long as Codencio processes Customer Personal Data.
- Conflicts. If there is any conflict between this Addendum and the Terms of Service, this Addendum prevails with respect to data protection matters.
- Signature. Customer accepts this Addendum by continuing to use the service after the effective date. A counter-signed copy is available on request to legal@codenc.io.
9. Contact
Privacy: privacy@codenc.io
Legal: legal@codenc.io
Security incidents: security@codenc.io
Postal mail: please reach out by email first; if a postal address is required for legal service, we'll provide one in response to your email.