Sermon AI

Data Processing Addendum

Last updated: June 28, 2026

This Data Processing Addendum (“DPA”) describes how Sermon AI processes personal data on behalf of customer organizations when providing the service. It is intended as a practical starting point and should be reviewed by qualified legal counsel.

1. Roles

For customer workspace content, including uploaded files, transcripts, generated content, and organization records, the customer organization is the controller and Sermon AI is the processor. For account administration, billing, security, and platform operations, Sermon AI may act as an independent controller.

2. Processing instructions

Sermon AI processes customer personal data only to provide, secure, support, and improve the service according to the customer’s instructions, the Terms of Service, this DPA, and applicable law.

3. Categories of data

  • Account identifiers such as name, email, role, and organization membership.
  • Uploaded audio or video files and related metadata.
  • Transcripts, summaries, outlines, newsletters, posts, study materials, and exports.
  • Usage, processing, quota, audit, and security information.
  • Billing and subscription identifiers where relevant.

4. Categories of data subjects

  • Customer users, administrators, speakers, teachers, staff, volunteers, or team members.
  • Speakers or contributors appearing in uploaded audio, video, or documents.
  • Recipients or contacts included by the customer in workspace content.

5. Sensitive data

Customer content may include information that reveals religious beliefs or other sensitive information. Customers must ensure they have an appropriate legal basis and required notices or permissions before uploading such content. Sermon AI will process such content only to provide the requested service.

6. Sub-processors

Sermon AI uses sub-processors to provide infrastructure, storage, AI, payments, and email delivery. Current providers include Render, Cloudflare R2, OpenAI, Stripe, and Brevo. Sermon AI remains responsible for its sub-processors according to applicable data protection law.

7. Security measures

  • HTTPS for data in transit.
  • Private object storage and controlled file access.
  • Organization-level data isolation.
  • Role-based access controls.
  • Malware scanning for uploads where enabled.
  • Environment separation between staging and production.
  • Logging practices designed to avoid exposing passwords, API keys, JWTs, and payment secrets.

8. International transfers

Some sub-processors may process data outside the European Economic Area. Where required, appropriate transfer mechanisms such as standard contractual clauses or equivalent safeguards should apply through the relevant provider agreements.

9. Assistance with data subject requests

Sermon AI will provide reasonable assistance to customers responding to access, correction, deletion, portability, objection, or restriction requests, taking into account the nature of the processing and available product functionality.

10. Deletion and return

Customers may delete workspace content through the service where supported. Upon termination, Sermon AI will delete or return customer personal data within a reasonable period, unless retention is required by law, security, billing, or legitimate operational obligations.

11. Security incidents

If Sermon AI becomes aware of a personal data breach affecting customer personal data, it will notify affected customers without undue delay and provide information reasonably available to help customers meet their obligations.

12. Audits

Sermon AI will make reasonable information available to demonstrate compliance with this DPA. Audits must be reasonable, confidential, limited to relevant systems, and must not compromise security or other customers.

13. Contact

Data processing questions can be sent to contact@sermonai.app.
