Legal
Kinglify Data Processing Agreement (DPA)
Version 1.0 · Last updated: 6 July 2026
0. Incorporation
This DPA is incorporated into, and forms part of, the Terms of Service accepted by the Organisation via clickwrap at sign-up.
1. Purpose
This Data Processing Agreement (“DPA”) forms part of the agreement between Kinglify (“Processor”) and the Organisation (“Controller”) and governs Kinglify’s processing of personal data on the Organisation’s behalf.
2. Definitions
- Controller: the Organisation, which determines the purposes and means of processing its members’ personal data.
- Processor: Kinglify, which processes personal data solely on the Controller’s documented instructions.
- Data Subject: an individual whose personal data is processed (e.g., a church member).
- Personal Data: any information relating to an identified or identifiable Data Subject, including sensitive categories such as data revealing religious affiliation.
- Sub-processor: a third party engaged by Kinglify to assist in processing (see Section 6).
3. Scope and Nature of Processing
Kinglify processes the following categories of personal data on the Controller’s behalf, for the purpose of providing the Platform:
| Category | Examples |
|---|---|
| Identity data | Name, title, date of birth, gender |
| Contact data | Email, phone, address |
| Membership data | Join date, department, membership type |
| Family data | Marital status, spouse name, children count |
| Sensitive data | Pastoral notes; religious affiliation (implicit in the nature of the service) |
Processing continues for the duration the Controller’s account remains active.
4. Controller Obligations
The Controller warrants that:
- It has a valid legal basis for collecting and providing all personal data to Kinglify
- It has obtained any necessary consents, including parental/guardian consent where data relates to a minor
- Its instructions to Kinglify comply with applicable data protection law
5. Processor Obligations
Kinglify shall:
- Process personal data only on the Controller’s documented instructions
- Ensure personnel with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures, including:
- Encrypted connections
- Database-level tenant isolation (Row Level Security) preventing any Organisation from accessing another’s data
- Restricted internal access to sensitive fields (e.g., pastoral notes limited to pastoral/admin roles)
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller’s data
- Assist the Controller in responding to Data Subject rights requests
- Delete or return all personal data upon termination of services, except where retention is required by law
- Not engage a new Sub-processor without giving the Controller a reasonable opportunity to object
6. Sub-processors
The Controller authorizes Kinglify to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | Provider-managed — see Section 7 (International Transfers) |
| Vercel | Application hosting | Provider-managed — see Section 7 (International Transfers) |
| Paystack | Payment processing (NGN) | Nigeria |
| Stripe | Payment processing (international) | Provider-managed — see Section 7 (International Transfers) |
7. International Transfers
Where a Sub-processor stores or processes personal data outside Nigeria, Kinglify shall ensure such Sub-processor maintains security measures materially equivalent to those described in this DPA. The Controller consents to such transfers as necessary for Kinglify to provide the Platform.
8. Data Breach Notification
Kinglify shall notify the Controller within [72] hours of becoming aware of a breach affecting the Controller’s data, including known details of the breach and mitigation steps taken.
9. Audits
Kinglify shall, upon reasonable written request no more than once per year, provide the Controller with a written summary of its security practices. Kinglify is not obligated to permit on-site audits given the shared, multi-tenant nature of the Platform, but will cooperate in good faith with reasonable information requests.
10. Liability
Liability under this DPA is subject to the same limitations set out in Section 11 (Limitation of Liability) of the Kinglify Terms of Service, which this DPA incorporates by reference.
11. Term and Termination
This DPA remains in effect for as long as Kinglify processes personal data on the Controller’s behalf under the main service agreement.
12. Contact
Data protection queries: info@kinglify.com
