Data processing addendum

Our DPA for customers subject to GDPR, UK GDPR, and similar data protection laws.

Effective 2026-04-01

This Data Processing Addendum ("DPA") supplements the master agreement between you ("Customer") and MasjidDesk ("Processor") and governs our processing of Personal Data on your behalf.

1. Roles of the parties

For the purposes of this DPA, the Customer (your masjid or organization) is the data controller, and MasjidDesk is the data processor. MasjidDesk processes Personal Data only on documented instructions from the Customer.

2. Subject matter and duration

MasjidDesk processes Personal Data for the duration of the master agreement and only as necessary to provide the service: managing prayer times, donations, members, events, communications, and finances on behalf of the Customer.

3. Categories of data and data subjects

The categories of Personal Data processed include:

  • Identifiers: name, email, phone number.
  • Membership data: family relationships, attendance, roles.
  • Donation records: amounts, dates, payment metadata (no card numbers).
  • Communications metadata: opens, clicks, delivery status.

Data subjects include staff, members, donors, volunteers, and event registrants.

4. Subprocessors

MasjidDesk uses a limited set of vetted subprocessors (hosting, email and SMS delivery, payment processing, analytics). A current list with locations and purposes is available at masjiddesk.com/subprocessors. We will give 30 days' notice before adding a new subprocessor and you may object.

5. Security measures

MasjidDesk implements appropriate technical and organizational measures, including encryption in transit and at rest, role-based access control, audit logging, regular backups, vulnerability scanning, and a documented incident response plan. See the Security page for details.

6. International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the Standard Contractual Clauses (2021/914/EU) and the UK Addendum apply and are incorporated by reference into this DPA.

7. Data subject requests

MasjidDesk provides self-serve tools for Customers to fulfill data subject requests (access, correction, deletion, portability). We will assist Customers with reasonable requests that cannot be fulfilled through the product, at no additional cost.

8. Personal data breaches

MasjidDesk will notify the Customer without undue delay — and in any event within 72 hours — after becoming aware of a Personal Data breach affecting the Customer's data. The notice will include the nature of the breach, affected data, likely consequences, and measures taken.

9. Return or deletion

Upon termination of the agreement, MasjidDesk will, at the Customer's choice, return or delete all Personal Data within 30 days, except where retention is required by law.

10. Audits

MasjidDesk will make available all information necessary to demonstrate compliance with this DPA. Customers may request third-party audit reports (e.g. SOC 2) under NDA, at no cost, no more than once per year.

11. How to execute this DPA

This DPA is incorporated by reference into our Terms of Service. Enterprise customers who require a counter-signed copy may request one at [email protected].