Data Processing Agreement

1. Definitions

• "Controller" means you, the customer using ChurnGuard.
• "Processor" means ChurnGuard, processing personal data on your behalf.
• "Personal Data" means any data relating to an identified or identifiable natural person.
• "Sub-processor" means a third party engaged by the Processor to process Personal Data.

2. Scope of Processing

ChurnGuard processes the following Personal Data on behalf of the Controller:

• Data subjects: Your customers whose payments have failed.
• Data categories: Names, email addresses, invoice amounts, payment failure reasons.
• Processing purpose: Sending payment recovery emails and providing recovery analytics.
• Duration: For the duration of the service agreement, plus 30 days after termination for data deletion.

3. Obligations of the Processor

• Process Personal Data only on documented instructions from the Controller.
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational security measures.
• Assist the Controller in responding to data subject requests (access, rectification, erasure).
• Notify the Controller of any Personal Data breach without undue delay (within 72 hours).
• Delete or return all Personal Data upon termination of the service.

4. Sub-processors

The Processor uses the following sub-processors:

5. Security Measures

• TLS 1.3 encryption for all data in transit.
• AES-256 encryption for data at rest.
• Access controls with principle of least privilege.
• Regular security audits and vulnerability assessments.
• Incident response procedures with 72-hour breach notification.

6. International Transfers

Where Personal Data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission.

7. Contact

For DPA-related inquiries: dpa@churnguard.dev