1. Scope & Purpose
This Data Processing Agreement ("DPA") governs the processing of personal data by ChurnGuard AI ("Processor") on behalf of the customer ("Controller") when using the ChurnGuard AI platform for churn prediction and customer analytics.
The Processor processes uploaded CSV data solely for the purpose of generating churn predictions, risk scores, and retention recommendations. Processing occurs exclusively in-memory and no raw customer data is persisted after the session ends.
2. Data Processing Details
- Nature of processing: In-memory analysis, ML prediction
- Purpose: Churn prediction & customer retention
- Duration: Per-session only (no persistence)
- Data subjects: Controller's end customers
- Categories of data: Customer IDs, emails, usage metrics, revenue
3. Technical & Organisational Measures
- Encryption in transit: All data transmitted over HTTPS with modern TLS encryption.
- Encryption at rest: All uploaded data is encrypted before transmission using industry-standard encryption.
- Secure processing: Uploaded data is processed securely and discarded immediately after analysis. No raw customer data is persisted.
- Authentication: Secure token-based authentication required for all API calls.
- Access control: Strict user-scoped data isolation ensures each account can only access its own data.
- Pseudonymisation: Customer identifiers are cryptographically hashed before any server-side storage.
- Infrastructure: Enterprise-grade, SOC 2 Type II certified cloud infrastructure.
- Monitoring: Automated error monitoring with PII scrubbing enabled by default.
- Rate limiting: All endpoints protected against abuse.
4. Sub-Processors
The following sub-processors are engaged in the delivery of the Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Enterprise Cloud Provider | Backend hosting, encrypted database | US |
| Cloud Authentication Provider | Secure authentication & identity | US |
| PCI-DSS Payment Processor | Payment processing | US/EU |
| Error Monitoring Service | Error monitoring (PII scrubbed) | US |
5. Data Subject Rights
The Processor provides the following self-service tools to support the Controller's obligations:
- Right to Access (Art. 15): Users can export all their data via Settings → Security & Privacy → Download My Data.
- Right to Erasure (Art. 17): Users can permanently delete their account and all data via Settings → Security & Privacy → Delete Account.
- Right to Data Portability (Art. 20): Data export is provided in machine-readable JSON format.
- Right to Rectification (Art. 16): Users can update their profile information in Settings.
6. Data Retention
- Raw CSV data: Never stored. Processed securely and discarded immediately after analysis.
- Prediction results: Stored in your encrypted browser session only. Cleared on logout.
- Session cache: Temporary, auto-expires with session. No PII stored.
- Engagement metadata: Retained (encrypted) until account deletion. Contains only anonymized identifiers and status flags — no PII.
- Audit logs: Retained for 12 months for compliance, then auto-deleted. No customer PII.
- Account data: Retained (encrypted) until user-initiated deletion.
7. Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
8. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audit requests should be directed to dpa@churnguardai.com with at least 30 days' notice.
9. Contact
For DPA-related enquiries, contact: dpa@churnguardai.com
Data Protection Officer: privacy@churnguardai.com