Data Processing Terms

These Data Processing Terms (the “DPT”) supplement the Terms of Service and apply where Maximora Global processes personal data on behalf of your church under the Kenya Data Protection Act and, where applicable, the EU GDPR or UK GDPR. A full Data Processing Agreement (DPA) is available on request for churches that require one.

1. Roles

• Controller — the church account that decides why and how personal data is processed in its tenant.
• Processor — Maximora Global, processing personal data only on documented instructions from the controller (those instructions being the controller’s use of the Service’s features).

2. Subject matter, nature and purpose

Processing is necessary to provide the Service: hosting, displaying, searching and securing membership, giving, attendance, events, media, pastoral and governance data for the controller’s church.

3. Duration

Processing lasts for the term of the subscription, plus a 30-day export window and the deletion timelines set out below.

4. Categories of data subjects and data

• Data subjects: members, visitors, leaders, pastors, administrators, donors, ministry participants and children (under the church’s parental consent process).
• Data: identification, contact, family relationships, attendance, giving, pastoral notes, prayer requests, media and authentication metadata.

5. Security measures

• Encryption in transit (TLS) and at rest.
• Tenant isolation enforced by row-level security and server-side role checks (super_admin, head_office_admin, regional_admin, area_admin, district_admin, church_admin, pastor, ministry_leader, member).
• Least-privilege access for Maximora staff and full audit logging of privileged actions.
• Backups, monitored email delivery with bounce/complaint suppression, and queued retries.
• Secrets and service keys held outside the application bundle and never exposed to browsers.

6. Sub-processors

Maximora uses a curated set of sub-processors listed on the Sub-processors page. We will provide reasonable notice before adding or replacing a sub-processor that processes Customer Data, so controllers can object on legitimate grounds.

7. International transfers

Where personal data is transferred outside Kenya, we rely on appropriate safeguards such as standard contractual clauses or provider-level compliance commitments equivalent to those required by the Kenya Data Protection Act.

8. Data subject rights

Maximora provides tools in-app that allow controllers to fulfil access, rectification, erasure, restriction, portability and objection rights for their members. Where Maximora is contacted directly by a data subject of a church, we will forward the request to the relevant controller without undue delay.

9. Personal data breaches

Maximora notifies the controller’s billing contact without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting that controller’s data, with the information reasonably available at the time. The controller is responsible for any notifications it must make to its members or to the Data Protection Commissioner.

10. Audit and information

On reasonable written notice and subject to confidentiality, Maximora will provide information necessary to demonstrate compliance with these DPT. Where a controller is required by law to perform an on-site audit, the parties will agree scope, timing and cost in advance.

11. Deletion or return of data

On termination, Customer Data is available for export for 30 days, deleted from production within 30 days, and from backups within 90 days, except where retention is required by law.

12. Contact

DPA requests: info@maximoraglobal.com.