Document version: 1.0.0

Personal Data Processing Policy of Koinonia LLC

Parties and details

Operator / Processor of personal data:

Full name
ООО «Койнония»
Short name
ООО «Койнония»
OGRN
1265000035035
INN
5029299826
KPP
502901001
Registration date
18.05.2026 (Inter-District Inspectorate of the Federal Tax Service No. 23 for the Moscow Region)
Registered address
Московская область, г. Мытищи, ул. Юбилейная 4-336
General Director (sole founder)
Грушенков Роман Викторович
Email address for inquiries regarding the processing of personal data
support@koinonia.ru

This Personal Data Processing Policy (hereinafter the "Policy") is an official document of Koinonia LLC and defines the procedure for processing and protecting the personal data of natural persons when using the Koinonia software and services (hereinafter the "Platform"). The Policy has been developed in accordance with Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" (hereinafter the "152-FZ") and other regulatory legal acts of the Russian Federation in the field of personal data processing.

1. General provisions and terms

1.1. This Policy has been developed pursuant to the requirements of paragraph 2 of part 1 of Article 18.1 of 152-FZ and defines the policy of Koinonia LLC regarding the processing of personal data.

1.2. Dual status of Koinonia LLC. Within the operation of the Platform, Koinonia LLC acts in two distinct legal roles, which are strictly delineated in this Policy:

  • Independent operator — with respect to a narrow set of data processed by Koinonia LLC on its own behalf and for its own purposes: data of the user's passport account, technical data, data of persons who have submitted a request on the website, data of persons who have contacted support, as well as minimal payment data. Governed by Section A (sections 3–13) of this Policy.
  • Processor of personal data on behalf of the operator — with respect to the content of the workspaces of operator organizations: messages, media files, information about the membership and roles of participants. The operator of this data is the relevant organization. Governed by Section B (section 14) of this Policy.

1.3. The provisions of the Policy apply solely in the respective role of Koinonia LLC. Mixing of roles is not permitted: for data processed on behalf, the operator is the relevant organization, not Koinonia LLC.

1.4. Terms and definitions:

  • Personal data — any information relating directly or indirectly to a determined or determinable natural person (data subject).
  • Processing of personal data — any action (operation) or set of actions (operations) performed on personal data, including collection, recording, systematization, accumulation, storage, refinement (updating, modification), extraction, use, transfer (provision, access), de-identification, blocking, deletion, destruction of personal data.
  • Operator — a person who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing, the composition of the personal data, and the actions performed on it. The operator may be either an organization (with respect to the data of its participants) or Koinonia LLC (with respect to the passport layer of data).
  • Processor (a person carrying out processing on behalf of the operator) — a person processing personal data on behalf of and in the interests of the operator on the basis of a contract (assignment). Koinonia LLC acts in this role with respect to the content of the workspaces of organizations.
  • Data subject — a natural person to whom the relevant personal data relates.
  • Platform — the Koinonia software, including the mobile and desktop application, the web client, and the server infrastructure.
  • Passport account — the minimal account identity of a Platform user (phone number, first name, last name, username, optionally an avatar and email address, as well as technical data). The passport account does not contain information about religious beliefs, membership in religious associations, or correspondence. By itself, the passport account does not provide communication capabilities.
  • Workspace — a separate information space of an organization within the Platform, within which the management of participants and communication take place.
  • Special category of personal data — personal data concerning, in particular, religious beliefs (Article 10 of 152-FZ). At the same time, the very fact of a person's membership or participation in a religious community belongs to the special category of personal data even in the absence of a separate "religion" field.
  • DPA (Data Processing Agreement) — an agreement between Koinonia LLC (processor) and the organization (operator) defining the terms for processing participants' data on its behalf. In this Policy it is referred to as the "Data Processing Agreement".

1.5. The publisher of the application in the application stores is not an operator or a data processor. The placement and distribution of the Koinonia mobile application in the App Store and Google Play is carried out by the company Shepherdstack LLC, acting solely as the publisher of the application. Shepherdstack LLC does not determine the purposes and composition of the processed personal data, does not carry out its processing, and is not an operator or processor of personal data within the meaning of 152-FZ. The operator of the passport layer of data and the processor of workspace data is solely Koinonia LLC; the operators of the data of workspace participants are the relevant operator organizations.

1.6. The Platform is a corporate system for the management of organizations and communities (including religious organizations) with built-in communication tools available solely within workspaces. The Platform is not a public communication venue. Communication is possible solely between participants of the same workspace; a passport account without active membership in at least one workspace does not provide communication functions. A user who has only a passport account does not have the ability to send messages to an arbitrary range of persons or to persons outside the workspaces of which they are a participant. The Platform does not provide open public registration with the right to communicate with an unlimited range of persons, global user search without their prior consent (opt-in), or public groups for an unlimited range of persons.

1.7. The Platform does not apply end-to-end (terminal) encryption of correspondence. The server of Koinonia LLC has technical access to data in decrypted form to the extent necessary for the functioning of the Platform and compliance with the requirements of the law. The applied encryption of data at rest (at-rest) and secure TLS connection are technical measures for protecting the infrastructure, and not a means of ensuring the confidentiality of correspondence from the operator.

Section A. Koinonia LLC as an independent operator

2. Scope of Section A

2.1. This Section governs the processing of personal data with respect to which Koinonia LLC independently determines the purposes of processing, the composition of the personal data, and the actions performed on it, acting in the capacity of an operator on its own behalf.

2.2. Such data includes: data of the user's passport account, technical data, data of persons who have submitted a request on the koinonia.ru website, data of persons who have contacted the support service, and minimal payment data.

3. Legal grounds and purposes of processing

3.1. Legal grounds for processing (Article 6 of 152-FZ). The processing of the user's passport account data is carried out on the basis of the separate consent of the data subject, provided in accordance with Article 9 of 152-FZ when creating a passport account (paragraph 1 of part 1 of Article 6 of 152-FZ). This consent is an independent legal ground for processing the entire passport set of data and is executed by a separate, non-pre-filled act (see paragraph 3.2). Other legal grounds are applied by Koinonia LLC only to narrow, objectively justified operations and do not replace consent with respect to the passport layer:

  • the necessity of performing a contract to which the data subject is a party — the End-User License Agreement (EULA) — applies solely to those operations that are objectively impossible without a concluded contract (in particular, the carrying out of settlements for paid features of the Platform when they are activated, the processing of payment data), and does not extend to the passport set of data as a whole (paragraph 5 of part 1 of Article 6 of 152-FZ);
  • the necessity of fulfilling obligations imposed on the operator, provided for by the legislation of the Russian Federation, including Federal Law No. 374-FZ of 06.07.2016, and storing information for the periods established by law (paragraph 2 of part 1 of Article 6 of 152-FZ);
  • the necessity of exercising the rights and legitimate interests of the operator that do not violate the rights and freedoms of the subject — solely with respect to ensuring the operability, integrity, and security of the Platform and preventing abuse (paragraph 7 of part 1 of Article 6 of 152-FZ).

The withdrawal of consent provided in accordance with Article 9 of 152-FZ entails the consequences provided for in section 11 of this Policy; the existence of a contract (EULA) by itself is not a ground for continuing to process the passport set of data in circumvention of the withdrawn consent, except for the narrow operations expressly listed in this paragraph, and cases where processing is mandatory by virtue of law.

3.2. Consent to the processing of personal data is executed by a separate act. In accordance with the requirements of 152-FZ and the requirement for separate and non-pre-filled consent in effect from 01.09.2025 (Federal Law No. 156-FZ), the consent of the data subject to the processing of their data by Koinonia LLC is executed by a separate, non-pre-filled expression of will and is not combined into a single action with the acceptance of this Policy, the End-User License Agreement (EULA), or other consents. The use of pre-checked marks (pre-filled "checkboxes") to obtain consent is not permitted.

3.3. Purposes of processing data with respect to which Koinonia LLC is the operator:

  • identification and authentication of the user when creating and using a passport account;
  • providing the user with the technical ability to join the workspaces of organizations and use the features of the Platform;
  • ensuring the operability, integrity, and security of the Platform, preventing fraud, unauthorized access, and other abuse;
  • processing and reviewing inquiries from persons sent to the support service;
  • processing requests (leads) submitted on the koinonia.ru website for the purpose of contacting a potential client and providing information about the Platform;
  • carrying out settlements for paid features and services of the Platform (when they are activated);
  • fulfilling the requirements of the legislation of the Russian Federation, including requirements for the storage of information.

3.4. Koinonia LLC does not use the personal data of subjects for purposes incompatible with those specified in paragraph 3.3, and does not carry out its processing beyond the scope necessary to achieve these purposes (the principle of minimization, part 5 of Article 5 of 152-FZ).

4. Categories of subjects and list of processed personal data

4.1. Platform users (holders of a passport account). The following personal data is processed:

  • mobile phone number;
  • first name and last name;
  • username;
  • avatar (profile image) — provided that it is voluntarily supplied by the user (Article 152.1 of the Civil Code of the Russian Federation — the use of a citizen's image is carried out with their consent);
  • email address — provided that it is voluntarily supplied by the user.

4.2. Technical data of users. For the purpose of ensuring the operability and security of the Platform, the following is processed:

  • information about the user's devices (model, operating system and its version, device name);
  • network identifiers and IP addresses;
  • session identifiers, access and refresh tokens (including device push tokens for the delivery of notifications);
  • event and activity logs in the Platform, technical and diagnostic records necessary for the functioning and ensuring the security of the Platform.

4.3. Persons who have submitted a request (lead) on the koinonia.ru website. The data voluntarily provided by the person when filling out the feedback form is processed: name, contact data (phone number and (or) email address), as well as other information voluntarily indicated in the text of the request.

4.4. Persons who have contacted the support service. The contact data of the person who contacted and the content of the inquiry are processed, including information voluntarily provided during correspondence for the purpose of reviewing the inquiry.

4.5. Payment data (when paid features are activated). Koinonia LLC processes the minimal amount of data necessary for carrying out settlements: information about the fact, amount, date, and purpose of the payment, the operation identifier. Koinonia LLC does not receive or store the full details of payment cards. The acceptance of payments and the processing of the details of payment instruments are carried out by licensed payment organizations (banks, payment aggregators) acting as independent operators with respect to such data in accordance with their own policies.

4.6. Within the passport layer of data, Koinonia LLC does not process special categories of personal data (including information about religious beliefs) and information about membership in religious associations. Such data is processed solely within the workspaces of operator organizations on their behalf (see Section B).

5. List of actions with personal data and methods of their processing

5.1. With respect to the data listed in section 4, Koinonia LLC performs the following actions: collection, recording, systematization, accumulation, storage, refinement (updating, modification), extraction, use, transfer in cases provided for by law or the subject's consent, blocking, de-identification, deletion, and destruction.

5.2. Methods of processing. The processing of personal data is carried out both with the use of automation tools and without the use of such tools, as well as by a mixed method. Given that the Platform is software, the predominant method is automated processing using the operator's information systems.

5.3. Koinonia LLC does not make decisions that give rise to legal consequences with respect to the subject or otherwise affect their rights and legitimate interests solely on the basis of automated processing of personal data, without human participation.

6. Periods of processing and storage of personal data

6.1. The personal data of the passport account is processed for the entire period of validity of the user's account on the Platform.

6.2. Upon termination of the use of the Platform and (or) upon withdrawal of consent, the personal data is subject to deletion in the manner established by section 11 of this Policy, taking into account the period provided for by law (grace period) and mandatory storage periods.

6.3. Storage by virtue of the requirements of the law. Certain categories of information are stored for the periods established by the legislation of the Russian Federation, including:

  • in accordance with Federal Law No. 374-FZ of 06.07.2016, information about the facts of the receipt, transmission, delivery, and (or) processing of users' messages, as well as text messages and other communications are stored for the periods established by law (no less than six months) and are not subject to physical deletion before the expiration of these periods. Upon expiration of the storage periods, the data is deleted or de-identified (see also paragraphs 11.4–11.6 and section 14);
  • information necessary for the fulfillment of the tax and accounting obligations of the operator is stored for the periods established by the relevant legislation.

6.4. The data of persons who have submitted a request on the website, and the data of inquiries to support, are stored for the period necessary for reviewing the relevant inquiry and contacting the person, as well as for a reasonable period to confirm the quality of service, after which they are deleted or de-identified.

6.5. Upon achievement of the purposes of processing or in the event of the loss of the need to achieve these purposes, the personal data is subject to destruction or de-identification, unless otherwise provided by law or the subject's consent.

7. Cross-border transfer of personal data

7.1. Cross-border transfer of personal data is not carried out. All servers and databases used for processing personal data are located on the territory of the Russian Federation.

7.2. In accordance with part 5 of Article 18 of 152-FZ, when collecting personal data, including via the "Internet" information and telecommunications network, the recording, systematization, accumulation, storage, refinement (updating, modification), and extraction of the personal data of citizens of the Russian Federation are carried out using databases located on the territory of the Russian Federation.

8. Transfer of personal data to third parties

8.1. Koinonia LLC does not disclose or transfer personal data to third parties, except in the following cases:

  • the transfer is necessary for the performance of a contract with the subject (for example, the transfer of payment information to a licensed payment organization for carrying out settlements in the amount specified in paragraph 4.5);
  • the transfer is carried out to persons engaged by Koinonia LLC for the technical support of the operation of the Platform (for example, providers of hosting and communication services on the territory of the Russian Federation), on the condition that they comply with the requirements of confidentiality and security;
  • the transfer is provided for by the legislation of the Russian Federation and is carried out at the request of authorized state bodies in the manner established by law;
  • the data subject has given separate consent to such transfer or to the dissemination of their data in accordance with Article 10.1 of 152-FZ.

8.2. Koinonia LLC does not carry out the dissemination of personal data (that is, disclosure to an indeterminate range of persons) within the passport layer of data.

9. Measures to ensure the security of personal data

9.1. Koinonia LLC takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions, in accordance with Articles 18.1 and 19 of 152-FZ.

9.2. Person responsible for organizing the processing of personal data. In accordance with paragraph 1 of part 1 of Article 18.1 of 152-FZ, Koinonia LLC appoints a person responsible for organizing the processing of personal data. As of the date of approval of this version of the Policy, the functions of the person responsible for organizing the processing of personal data are performed by the General Director of Koinonia LLC Грушенков Роман Викторович; inquiries regarding the processing of personal data are sent to the email address support@koinonia.ru or to the registered address of Koinonia LLC. In the event of the appointment of another responsible person, up-to-date information about their position and channel of communication is communicated by Koinonia LLC to the subjects together with this Policy.

9.3. Access to information about the implemented requirements for the protection of personal data. Pursuant to part 2 of Article 18.1 of 152-FZ, Koinonia LLC ensures unrestricted access to this Policy, as well as — separately from it — to information about the implemented requirements for the protection of personal data. The said information is published (provided) by Koinonia LLC together with this Policy at koinonia.ru/legal and is provided upon request sent to the contacts specified in paragraph 9.2.

9.4. Organizational measures include:

  • appointment of a person responsible for organizing the processing of personal data (paragraph 9.2);
  • issuance of local acts on matters of processing and protection of personal data, familiarizing employees with them;
  • identification of threats to the security of personal data during their processing in information systems;
  • restriction and differentiation of employees' access to personal data based on the principle of official necessity (access control);
  • carrying out internal control of the compliance of the processing of personal data with the requirements of the law.

9.5. Technical measures include:

  • application of encryption of data at rest (at-rest) using the AES-256 algorithm;
  • use of a secure connection (TLS) when transmitting data over the network;
  • control of access to data at the level of the organization (workspace) and at the level of the information system;
  • maintenance of access and activity logs, backup of data;
  • application of information security tools that have passed the conformity assessment procedure in the established manner.

9.6. Koinonia LLC ensures the protection of personal data information systems to an extent corresponding to security level UZ-3, in accordance with the requirements for the protection of personal data approved by Order No. 21 of the FSTEC of Russia of 18.02.2013, as well as taking into account the requirements of Resolution No. 1119 of the Government of the Russian Federation of 01.11.2012.

10. Rights of the data subject and the procedure for their exercise

10.1. In accordance with Article 14 of 152-FZ, the data subject has the right to:

  • obtain information concerning the processing of their personal data, including information about the purposes, methods, and periods of processing, about the processed data and its source, as well as about the actions carried out or intended with the data;
  • demand the refinement of their personal data, its blocking or destruction in the event that the data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
  • withdraw consent to the processing of personal data in the manner provided for by part 2 of Article 9 of 152-FZ and section 11 of this Policy;
  • appeal the actions or inaction of the operator to the authorized body for the protection of the rights of data subjects (Roskomnadzor) or in court.

10.2. Procedure for exercising rights. To exercise the said rights, the subject sends a written inquiry (request) to the email address support@koinonia.ru or to the registered address of Koinonia LLC.

10.3. The subject's request must contain information allowing the subject to be identified and their right to receive the information to be confirmed (in particular, information allowing the connection of the subject with the personal data processed by the operator to be established), as well as the signature of the subject or their representative. Koinonia LLC has the right to request additional information to identify the applicant.

10.4. Periods for the exercise of rights. Koinonia LLC reviews the inquiry and provides a response within the periods established by 152-FZ in relation to the relevant procedure:

  • when providing the subject with information about the processing of their personal data upon request in accordance with part 1 of Article 14 of 152-FZ, the required information is provided within thirty days from the date of receipt of the subject's request (parts 1 and 7 of Article 14 of 152-FZ);
  • if there are grounds to believe that the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, Koinonia LLC, at the request of the subject, makes the necessary changes to it, blocks, or destroys the relevant data and, within a period not exceeding seven working days from the day the subject provides the information confirming the said circumstances, notifies the subject of the changes made and the measures taken (Article 21 of 152-FZ);
  • upon the detection of unlawful processing of personal data or upon the withdrawal of consent by the subject, the periods for terminating processing and destroying the data established by Articles 9 and 21 of 152-FZ apply.

10.5. The subject may exercise part of their rights independently through the interface of the Platform: change profile data, withdraw consent, and initiate the deletion of the account (section 11).

10.6. The exercise of the subject's rights with respect to data processed by Koinonia LLC on behalf of an operator organization (Section B) is carried out with the participation of the relevant organization as the operator of this data.

11. Procedure for withdrawing consent, deleting an account, and de-identifying data

11.1. The data subject has the right at any time to withdraw consent to the processing of personal data by sending the relevant inquiry to the contacts specified in section 10, or by initiating the deletion of the account through the interface of the Platform.

11.2. The withdrawal of consent entails the termination of the processing of personal data carried out on the basis of this consent, and the deletion (destruction) of the personal data, except in cases where the retention of the data is required by virtue of law or where processing is possible on another legal ground (for example, the fulfillment of the requirements of Federal Law No. 374-FZ of 06.07.2016).

11.3. Deferred deletion period (grace period). After the initiation of account deletion, the account is transferred to an inactive state, logging into it becomes impossible, however, the data is retained for 30 (thirty) calendar days. During this period, the subject has the right to restore the account. Koinonia LLC sends the subject a preliminary notification of the upcoming final deletion before the expiration of the said period.

11.4. Final deletion (hard-delete). Upon expiration of the deferred deletion period, the personal data of the account is subject to final deletion from the operator's information systems, except for data with respect to which a mandatory storage period is established by law.

11.5. De-identification of messages. By virtue of the requirements of Federal Law No. 374-FZ of 06.07.2016, a user's messages are not physically deleted until the expiration of the storage periods established by law. Upon the final deletion of the account, the information identifying the sender (first name and last name) is replaced with a de-identified designation (for example, "Former participant"), the avatar is deleted, while the content of the messages is retained in a de-identified form.

11.6. The retention of the content of messages in group chats after the deletion of the account of one of the participants is also carried out for the purpose of protecting the rights and legitimate interests of other participants in the communication (paragraph 7 of part 1 of Article 6 of 152-FZ).

12. Notification of security breaches (incidents)

12.1. In the event of the establishment of the fact of an unlawful or accidental transfer (provision, dissemination, access) of personal data that has resulted in a violation of the rights of data subjects, Koinonia LLC, in accordance with paragraph 3.1 of Article 21 of 152-FZ:

  • within 24 (twenty-four) hours from the moment of detection of the incident, notifies the authorized body for the protection of the rights of data subjects (Roskomnadzor) of the incident that has occurred, its presumed causes and presumed harm, as well as of the measures taken to eliminate the consequences;
  • within 72 (seventy-two) hours from the moment of detection of the incident, notifies the authorized body of the results of the internal investigation and of the persons whose actions caused the incident (where they have been established).

12.2. If the incident affects data processed by Koinonia LLC on behalf of an operator organization (Section B), Koinonia LLC immediately informs the relevant organization as the operator and provides it with the necessary assistance in fulfilling its notification obligations.

12.3. Koinonia LLC keeps records of incidents and the response measures taken.

13. Updating of the Policy and the re-consent mechanism

13.1. This Policy is an official document of Koinonia LLC, published pursuant to part 2 of Article 18.1 of 152-FZ, and may be amended by Koinonia LLC unilaterally with notification of the subjects. The current version of the Policy is posted at koinonia.ru/legal/privacy and comes into effect from the moment of its publication, unless another period is indicated in the new version. This Policy is not an offer; the acceptance of the terms of service (acceptance of the offer) is executed within the End-User License Agreement (EULA) by a separate act.

13.2. Versioning and recording of the date of approval. Koinonia LLC applies versioning of the Policy: each version is assigned a version number and a date of its approval and entry into force, indicated in the metadata block at the beginning of the document. The date of approval of each version is a formal requisite of the Policy and is recorded upon its approval by an authorized person of Koinonia LLC; previous versions are retained by Koinonia LLC in the version history.

13.3. The consent of the data subject is not an offer and cannot be amended unilaterally. The consent provided in accordance with Article 9 of 152-FZ constitutes an expression of will of the subject and retains force with respect to those purposes, composition of data, and list of persons carrying out the processing that were indicated when it was obtained.

13.4. Re-consent mechanism (reconsent). In the event of a material change in the terms of processing (in particular, in the event of a change in the purposes of processing, the composition of the processed personal data, or the list of persons carrying out processing on behalf), Koinonia LLC requests new consent from the subject. Until new consent is obtained, a notification of the change in the terms of processing is displayed to the subject in the interface of the Platform with a proposal to confirm consent. The previous version of the consent is retained in the history. Non-material changes (correction of typos, change of formatting) do not require re-consent and are recorded in the version history.

Section B. Koinonia LLC as a processor of personal data on behalf

14. Processing of personal data on behalf of operator organizations

14.1. Role and ground for processing. With respect to the content of the workspaces of organizations, Koinonia LLC acts in the capacity of a person carrying out the processing of personal data on behalf of the operator (part 3 of Article 6 of 152-FZ). The operator of this data is the relevant organization — the user of the workspace. The details of the specific operator organization are recorded in the Data Processing Agreement concluded with that organization, and are not provided in this Policy, which is uniform for all organizations that are users of the Platform.

14.2. Ground for the assignment. Processing on behalf is carried out on the basis of the Data Processing Agreement (DPA) concluded between Koinonia LLC (processor) and the organization (operator). The Data Processing Agreement is an integral part of the End-User License Agreement (EULA). The terms of the Data Processing Agreement, including the list of processed personal data and the list of actions with it, are determined by the operator (organization), who explicitly accepts the Agreement through an authorized person.

14.3. The composition of the data is determined by the operator. In accordance with part 3 of Article 6 of 152-FZ, the list of personal data, the purposes, and the actions for its processing within the workspace are determined by the organization as the operator. Koinonia LLC processes this data solely within the limits of the assignment and does not independently determine the purposes and composition of such processing. The data processed on behalf includes, in particular:

  • messages and other communications of workspace participants;
  • media files and attachments posted by participants;
  • information about membership and participation in the organization, the roles of participants in the workspace;
  • other information about participants, the composition of which is determined by the operator.

14.4. Special category of personal data (for operators that are religious associations). Information about the religious beliefs of participants, as well as the very fact of a person's membership or participation in a religious community, belongs to the special category of personal data (Article 10 of 152-FZ). The legal ground for their processing is determined by the organization as the operator:

  • the religious organization has the right to process such data in accordance with its constituent documents, provided that the personal data is not disseminated or disclosed to third parties without the written consent of the data subjects (paragraph 5 of part 2 of Article 10 of 152-FZ);
  • if the operator is a religious group acting without the formation of a legal entity and without constituent documents, the said ground is inapplicable, and the processing of the special category of data is carried out on the basis of the separate written consent of the subject.

The relevant consents of the subjects are executed by the documents "Consent to the processing of personal data by a religious organization" (membership and participation) and "Consent to the processing of a special category of personal data", provided to the operator organization for use when collecting the consents of participants (see section 15). As a processor, Koinonia LLC does not determine the legal ground for the processing of the special category of data and ensures that such data is not transferred or disclosed to third parties without the proper consent of the subjects or another legal ground.

14.5. Obligations of the processor. Koinonia LLC, when processing on behalf:

  • processes the data solely for the purposes and to the extent determined by the operator in the Data Processing Agreement, and does not process it for its own purposes;
  • complies with the principles and rules for processing personal data established by 152-FZ, and ensures the confidentiality of the personal data;
  • applies to the data processed on behalf the same requirements for ensuring the security of personal data as established by section 9 of this Policy (at-rest encryption AES-256, TLS, access control, measures of security level UZ-3 under Order No. 21 of the FSTEC of Russia);
  • does not carry out the cross-border transfer of such data; all servers and databases are located on the territory of the Russian Federation;
  • is not obliged to obtain the consent of the data subjects for processing on behalf — obtaining such consent is the obligation of the operator (organization).

14.6. Distribution of responsibility (parts 3 and 5 of Article 6 of 152-FZ). The operator (organization) is responsible to the data subject for the actions of Koinonia LLC as a processor. Koinonia LLC as a processor is responsible to the operator. The obligation to obtain the consents of the subjects, to notify the authorized body of the commencement of processing (Article 22 of 152-FZ), and to ensure the legal grounds for processing, including the special category of data, lies with the organization as the operator. Koinonia LLC does not assume the said obligations of the operator.

14.7. Notification by the operator of the commencement of processing. With respect to data processed on behalf, the obligation to notify the authorized body of the intention to carry out the processing of personal data (Article 22 of 152-FZ) lies with the organization as the operator. The exemption that previously released religious associations from such notification has been abolished; as of the moment of publication of this Policy, each operator organization is obliged to independently submit the relevant notification. Koinonia LLC provides a template draft of such notification, however, it does not release the operator organization from the fulfillment of this obligation.

14.8. Exercise of subjects' rights and incidents. Upon the receipt by Koinonia LLC of subjects' requests with respect to data processed on behalf, as well as upon the detection of security incidents affecting such data, Koinonia LLC immediately notifies the relevant operator and provides it with assistance in fulfilling the obligations provided for by 152-FZ.

14.9. The detailed terms of processing on behalf, including the details of the operator organization, the list of data, purposes, periods, security measures, and the procedure for interaction of the parties, are established by the Data Processing Agreement.

14.10. Responsibility and legal significance of strict minimization. Information about the membership, participation, and religious beliefs of participants (for operators that are religious associations) belongs to the special category of personal data, and its processing entails heightened requirements for the legal ground and for security. The organization as the operator should take into account that a defect in the consent to the processing of the special category of personal data, a violation of the condition of their non-dissemination (disclosure to third parties without the written consent of the subject), as well as their leak entail administrative liability under Article 13.11 of the Code of the Russian Federation on Administrative Offenses (with increased amounts in the case of the special category and (or) leak of personal data), and, where the relevant elements are present, may entail criminal liability under Article 272.1 of the Criminal Code of the Russian Federation (unlawful use and (or) transfer of personal data). A defect in the consent deprives the processing of a legal ground, which, upon a subsequent leak of the special category of data, entails the application of the upper sanctions. It is precisely for this reason that the Platform implements the requirement of strict minimization of the processed data, the closed-by-default visibility perimeter (the absence of public disclosure of membership and information about participants by default), and the procedure for notification of incidents within 24 and 72 hours (section 12). Compliance with these requirements and with the written form of consents to the special category and to the dissemination of data is the obligation of the organization as the operator.

15. Related documents

15.1. This Policy applies in conjunction with the following documents of the Platform:

  • End-User License Agreement (EULA) — defines the terms of use of the Platform and includes the Data Processing Agreement as an integral part;
  • Data Processing Agreement (DPA) — defines the terms for the processing by Koinonia LLC of the data of workspace participants on behalf of operator organizations, as well as records the details of the specific operator organization (see Section B);
  • Consent to the processing of personal data by a religious organization (membership and participation) — the consent executed by a workspace participant to the processing by the operator organization of personal data related to membership and participation (paragraph 14.4 relies on it);
  • Consent to the processing of a special category of personal data — the consent executed by a workspace participant to the processing of information belonging to the special category of personal data (religious beliefs, the fact of membership/participation), including in the absence by the operator of the right to process such data under the constituent documents (paragraph 14.4 relies on it);
  • templates of consents of data subjects, provided by Koinonia LLC to operator organizations for use when collecting the consents of participants.

15.2. In the part not regulated by this Policy, the provisions of the legislation of the Russian Federation on personal data apply.