
    Data Processing Agreement (DPA)

    Comprehensive agreement governing the processing of personal data — Annex to the Terms of Use

    Last updated: March 31, 2026
    LGPD Art. 39 Compliant | ANPD Resolution No. 19/2024 SCCs Integrated

    01  Object & Scope of Processing

    This Data Processing Agreement ("DPA") integrates and forms an inseparable annex to the Terms of Use of the ChurnDefense Platform and establishes the parameters for the processing of personal data by ChurnDefense ("Processor") on behalf of the subscribing Client ("Controller").

    The Controller delegates to the Processor the processing of personal data with the specific purpose of enabling the delivery of SaaS analytical services focused on: predictive monitoring of subscriber churn, interactive retention prevention, and automated billing recovery (dunning).

    Attribute: Description
    Nature of processing: Collection, storage, analysis, algorithmic scoring, reporting, and deletion
    Categories of data subjects: End users, subscribers, and customers of the Controller
    Types of personal data: Contact data, transactional metadata, behavioral/usage analytics, encrypted payment tokens
    Duration of processing: Co-extensive with the active contract term
    Geographic scope: Global (with transfer safeguards per Clause 06)

    02  Processor Obligations

    The Processor commits to the following obligations:

    • Process personal data solely under the documented instructions of the Controller, as configured in the Platform's dashboard
    • Never process data for purposes beyond the contracted scope without prior written authorization
    • Ensure that all personnel authorized to process data are bound by confidentiality obligations
    • Implement and maintain appropriate technical and organizational security measures (detailed in Clause 03)
    • Assist the Controller in fulfilling data subject rights requests through documented APIs and dashboard tools
    • Provide all information necessary to demonstrate compliance and allow audits (Clause 08)
    • Immediately inform the Controller if, in its opinion, an instruction from the Controller violates applicable data protection legislation
    03  Technical & Organizational Security Measures

    The Processor's security architecture encompasses, at a minimum:

    • Encryption in transit: TLS 1.2 or higher for all data in flight
    • Encryption at rest: AES-256 for all stored personal data
    • Access control: Role-based access with SSO and MFA for all production systems
    • Network security: Firewalls, intrusion detection systems, and DDoS mitigation
    • Data segregation: Logical tenant isolation in multi-tenant architecture
    • Backup & recovery: Automated encrypted backups with defined Recovery Time Objectives (RTO)
    • Monitoring: Real-time security event logging and anomaly detection
    • Personnel: Mandatory security training for all employees with access to personal data
    04  Incident Response & Breach Notification

    In the event of a confirmed personal data breach (unauthorized access, leak, destruction, or compromise of personal data under the Processor's custody), the Processor shall:

    Notify the Controller without undue delay and within a maximum of 72 (seventy-two) business hours after confirmed technical knowledge of the incident, via emergency communication channels. The notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate its effects.

    The Controller retains the exclusive obligation and responsibility for: formally notifying the ANPD (or other applicable supervisory authority) and affected data subjects, as required by Art. 48 of the LGPD and Art. 33 of the GDPR.

    The Processor shall cooperate fully with the Controller's investigation, provide supplementary reports as requested, and implement corrective measures to prevent recurrence.

    05  Sub-processors

    The Controller provides general written authorization for the Processor to engage sub-processors necessary for the delivery of the Platform's services (cloud hosting, payment processing, analytics infrastructure).

    The Processor shall: maintain an up-to-date list of sub-processors available upon request; notify the Controller at least 30 days before engaging a new sub-processor or replacing an existing one; and ensure all sub-processors are contractually bound to equivalent data protection obligations.

    If the Controller objects to a new sub-processor, it may terminate the affected service component within 30 days of notification. The Processor remains fully liable for the acts and omissions of its sub-processors.

    06  International Data Transfers

    The Controller acknowledges and authorizes the international transfer of personal data to data centers operated by the Processor's cloud infrastructure partners, in compliance with Art. 33 of the LGPD.

    United States & Non-Adequate Jurisdictions

    Transfers to jurisdictions without an ANPD adequacy decision (including the United States) are conducted under the mandatory Standard Contractual Clauses (SCCs) established by CD/ANPD Resolution No. 19/2024. These clauses are annexed to this DPA in their entirety and are non-negotiable.

    European Economic Area

    Transfers to the EEA are facilitated by the mutual adequacy recognition formalized in ANPD Resolution No. 32/2026, allowing free data flow without the need for SCCs.

    The Processor certifies that all international transfers comply with the applicable legal framework and that appropriate safeguards are in place to protect the rights of data subjects regardless of the jurisdiction where data is processed.

    07  Data Subject Rights Assistance

    The Processor shall assist the Controller in complying with data subject rights requests by providing:

    • Dashboard tools for data export, correction, and deletion
    • Documented APIs for programmatic access to data subject records
    • Technical support within 5 business days for complex requests requiring manual intervention
    • Audit trails documenting all data subject request fulfillment

    The Controller remains the primary respondent to data subjects. The Processor shall not respond directly to data subject requests unless instructed by the Controller.

    08  Audit Rights

    The Controller (or an independent third-party auditor appointed by the Controller) has the right to conduct audits of the Processor's data processing activities, subject to:

    • 30 days' prior written notice
    • Audits conducted during normal business hours
    • Maximum of one audit per 12-month period (unless a data breach or regulatory investigation warrants additional audits)
    • The auditor is bound by confidentiality obligations

    The Processor shall make available all information necessary to demonstrate compliance, including security certifications (SOC 2, ISO 27001), penetration test summaries, and internal audit reports.

    09  Termination & Data Deletion

    Upon termination of the underlying contract, the Processor shall:

    • Cease all processing of Controller personal data immediately
    • Provide full data export capability in CSV or JSON format within 30 business days of a written request
    • Permanently and securely delete all personal data from production databases within 30 days after the export window closes
    • Provide written certification of data destruction upon Controller's request

    Exception: Encrypted billing records, audit logs, and financial data required by law will be retained in cold archival storage for the legally mandated period, then securely destroyed.

    10  Contact

    For questions about this DPA or to request the current sub-processor list:

    Data Protection Officer (DPO)

    ChurnDefense Tecnologia e Dados Ltda.

    DPO Email: [email protected]

    Legal: [email protected]

    We respond to all DPA-related inquiries within 5 business days.