1. Parties & roles
Each parish using Symphonia is a data controller under GDPR Article 4(7) (and the equivalent terms in CCPA & PIPEDA): it determines the purposes and means of processing personal data belonging to its parishioners and staff.
Ancient Designs LLC, acting as the operator of the Symphonia software, is the data processor under GDPR Article 4(8): it processes parish personal data strictly on the parish's documented instructions, as captured by the Symphonia application contract and this agreement.
2. Scope of processing
The processor processes parishioner personal data for the sole purpose of operating the Symphonia application on the parish's behalf. This includes: storing member records, household structure, sacramental records, giving history, communications, holy bread and commemoration submissions, inbox messages, audit logs, and access logs. The processor does not mine the data for advertising, share it with third parties for marketing, or train AI/ML models on it.
Categories of personal data processed:
- Identity (name, saint name, baptismal name)
- Contact (email, phone, mailing address)
- Household structure and family relationships
- Sacramental records (special category under GDPR Art. 9 — religious data)
- Giving and pledge records (financial data)
- Pastoral notes (clergy-only; encrypted at rest per §7)
- Communications metadata and delivery state
- Authentication factors (password hashes, TOTP secrets, push tokens)
Categories of data subject: parishioners, clergy, parish staff, parish council members, visitors who submit a form on the parish website.
3. Subprocessors
Ancient Designs engages the following subprocessors to deliver the service. The current list is maintained in this section and is updated at least 30 days before any change.
| Subprocessor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Server hosting (web, studio, database) | Germany, EU |
| Cloudflare, Inc. | DNS, CDN, DDoS mitigation | US / global edge |
| Amazon Web Services, Inc. (SES) | Transactional email delivery | US |
| Amazon Web Services, Inc. (KMS) | Encryption key custody (field-level encryption at rest) | US |
| Telnyx LLC | SMS delivery (opt-in only) | US |
| Stripe, Inc. | Online donation processing | US |
| Cloudflare R2 | Media + certificate storage | US / global edge |
| Sentry (Functional Software, Inc.) | Server-side error monitoring | US |
4. Processor obligations
The processor commits to:
- Process personal data only on the parish's documented instructions (this contract).
- Ensure that everyone with access is bound by confidentiality.
- Implement appropriate technical and organisational measures (§7 below).
- Help the parish meet its own obligations under GDPR Articles 32–36 (security, breach, DPIA, prior consultation).
- On request, support data subject rights (access, rectification, erasure, portability) — most are already self-service in the parishioner portal.
- Delete or return all personal data at the end of the service contract, at the parish's choice.
- Make available all information necessary to demonstrate compliance and submit to audits.
5. Controller obligations
The parish, as controller, commits to:
- Have a lawful basis for the personal data it puts into Symphonia.
- Inform its parishioners about the processing (this contract is referenced from the parish's privacy notice at
/privacy). - Capture appropriate consents where required (this is built into Symphonia's parishioner-registration and preferences flows).
- Restrict staff access to those who need it; assign roles appropriately (rector, staff, treasurer, etc.).
6. Data subject rights
Parishioners exercise their rights through Symphonia's self-service surfaces:
- Right of access —
/portal/account/data-export - Right to rectification —
/portal/family,/portal/profile - Right to erasure —
/portal/account/delete - Right to portability —
/portal/account/data-export(JSON) - Right to restrict —
/portal/account/preferences - Right to object —
/portal/account/preferences(per-channel)
The processor will not respond directly to parishioner rights requests received outside these surfaces; it will forward them to the parish (controller) without undue delay.
The deletion flow respects two carveouts: sacramental records (canonical history) and giving records (tax retention). Both are documented to the parishioner at the moment of deletion.
7. Security measures
Technical and organisational measures Ancient Designs maintains:
- Transport encryption (TLS 1.3) for all parish traffic; HSTS on cutover.
- At-rest encryption for the database volume and the R2 storage buckets.
- Application-layer encryption for sensitive pastoral fields (confession notes, rector's private notes) keyed per-parish.
- Password hashing with bcrypt (cost ≥10) and TOTP-based 2FA available to all roles.
- Role-based access control with capability-level gating; a written 2-person rule for bulk deletes.
- Audit logging for all state-changing administrative actions; an append-only access log records every impersonation session.
- Least-privilege impersonation: studio refuses writes while an Ancient Designs operator is impersonating, and the operator can see only the pastoral content the parish has consented to (confession notes are redacted by default).
- Vulnerability scanning, security patching, and weekly off-site backups.
- Disaster-recovery runbook with documented RTO ≤ 24h and RPO ≤ 1h.
8. Breach notification
In the event of a personal-data breach, Ancient Designs will notify the parish without undue delay and in any event no later than 72 hours after becoming aware. The notification will include the categories of data and approximate number of records affected, likely consequences, and the measures taken or proposed.
Ancient Designs operates an automated alert that fires when audit-log heuristics indicate a mass-export, unusual cross-parish access, or a sustained attack on the authentication surface. Parishes can request a Data Protection Impact Assessment ("DPIA") template from /symphonia/contact.
9. International transfers
Personal data is primarily processed in the European Union (Hetzner GmbH, Germany). Where a subprocessor (e.g. Stripe, Postmark, Telnyx) processes data in the United States, transfers are made under the EU-US Data Privacy Framework (where the subprocessor is self-certified) or under Standard Contractual Clauses. Ancient Designs is registered with the FTC for the purposes of the DPF and maintains the underlying Module 3 SCCs (processor-to-processor) on file with each US subprocessor.
10. Term & termination
This DPA is effective for the duration of the parish's Symphonia subscription and ends with it. On termination, Ancient Designs will, at the parish's choice, return or securely delete all personal data within 30 days, except where retention is required by law.
11. Signing this agreement
For most parishes the DPA is incorporated by reference into the Symphonia subscription agreement; no separate signature is required. If your parish's local supervisory authority requires a counter-signed copy, write to legal@ancient-designs.com with the parish name and address; we will return a counter-signed PDF within five business days.
Questions? Write to us. We answer privacy questions from parishes within one business day.
Version 1.0 · last reviewed May 2026