Data Processing Agreement

Last updated: March 31, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ChurnShield ("Processor," "we," "us") and the entity using our service ("Controller," "you," "your"). This DPA applies when we process personal data on your behalf.

Key point: ChurnShield acts as a data processor. You remain the data controller for your customers' personal data. We only process data as instructed by you and as necessary to provide our payment recovery service.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
Data Subject: The individual whose personal data is being processed (i.e., your customers).
Sub-processor: A third party engaged by ChurnShield to process personal data on your behalf.

2. Scope of Processing

We process personal data solely to provide the ChurnShield payment recovery service. The categories of data and processing activities are:

Data Category	Purpose
Customer email addresses	Sending dunning and win-back emails on your behalf
Customer names	Personalizing recovery communications
Payment failure details	Classifying failures and scheduling smart retries
Subscription/invoice data	Determining retry timing and recovery analytics

We do not process or store credit card numbers, bank account details, or other sensitive financial instruments. All payment processing occurs within Stripe.

3. Controller Obligations

As the data controller, you are responsible for:

Ensuring you have a lawful basis to process your customers' personal data
Providing appropriate privacy notices to your customers informing them of the processing
Ensuring the accuracy of personal data provided to us via Stripe
Responding to data subject access requests (we will assist upon request)

4. Processor Obligations

As the data processor, ChurnShield will:

Process personal data only on your documented instructions and as necessary to provide the service
Ensure all personnel with access to personal data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Not engage additional sub-processors without your prior knowledge (see Section 6)
Assist you in responding to data subject requests
Delete or return all personal data upon termination of the service, at your choice
Make available all information necessary to demonstrate compliance with this DPA

5. Security Measures

We implement the following technical and organizational measures to protect personal data:

256-bit TLS encryption for all data in transit
Encryption at rest for stored data and credentials
Access controls limiting data access to authorized personnel only
Regular security reviews of infrastructure and code
Secure deletion of data upon account termination
No storage of credit card numbers or sensitive financial data

6. Sub-processors

We use the following sub-processors to deliver our service:

Sub-processor	Purpose	Location
Stripe	Payment processing, subscription data, payment retries	United States
Supabase	Database hosting and storage	United States
Resend	Email delivery (dunning and notification emails)	United States
Anthropic (Claude)	AI-powered email personalization (optional, when enabled)	United States
Netlify	Application hosting and serverless functions	United States

We will notify you of any new sub-processors before engaging them. You may object to a new sub-processor within 14 days of notification. If we cannot reasonably accommodate your objection, either party may terminate the affected service.

7. Data Breach Notification

In the event of a personal data breach, we will:

Notify you without undue delay, and no later than 72 hours after becoming aware of the breach
Provide details of the nature of the breach, categories of data affected, and approximate number of data subjects
Describe the likely consequences and measures taken or proposed to mitigate the breach
Cooperate with you in notifying relevant supervisory authorities and affected data subjects as required

8. International Data Transfers

ChurnShield and its sub-processors are located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, personal data will be transferred to the United States. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers. Upon request, we will provide a copy of the applicable SCCs.

9. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests, including requests for:

Access to their personal data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability

If we receive a data subject request directly, we will promptly redirect the request to you unless legally required to respond directly.

10. Data Retention and Deletion

We retain personal data only for as long as necessary to provide the service. Upon termination of your account:

All personal data will be deleted within 30 days of your request
We will confirm deletion in writing upon request
Residual copies in backups will be overwritten within 90 days

11. Audit Rights

You may request reasonable information about our data processing activities and security measures to verify compliance with this DPA. We will respond to audit requests within 30 days. On-site audits may be conducted with 30 days' written notice, at your expense, during normal business hours.

12. Term and Termination

This DPA remains in effect for as long as we process personal data on your behalf. It terminates automatically when your ChurnShield subscription ends and all personal data has been deleted or returned.

13. Contact

For questions about this DPA or to exercise your rights, contact us at:

Email: privacy@getchurnshield.com