Skip to main content

Version 1.0 · July 14, 2026

Data Processing Addendum

This basic DPA applies when a customer uses churnplug to process personal data and forms part of the service agreement.

1. Roles and instructions

The customer is the controller and churnplug is the processor for subscriber data. churnplug processes that data only to provide the service, meet documented customer instructions, secure the service, and comply with law.

2. Data and people

Processing may cover subscriber identifiers, subscription and invoice metadata, cancellation feedback, transactional email delivery, and recovery records. Data subjects are the customer's subscribers and authorized team members.

3. Security

churnplug maintains tenant-level row security, least-privilege server access, encrypted secret storage, signed webhook verification, hashed single-use magic tokens, and Stripe-hosted card updates. Card data never enters churnplug systems.

4. Subprocessors

The currently intended subprocessors are Vercel for application hosting, Supabase for database and authentication infrastructure, Stripe for subscription actions and hosted payment pages, and Resend for transactional email when enabled.

5. Incidents and assistance

churnplug will notify the customer without undue delay after confirming a personal-data breach and will reasonably assist with data-subject requests, security assessments, and required impact reviews.

6. Return and deletion

At termination, churnplug will delete or return customer data on request unless retention is required by law. Backup copies age out through normal provider retention cycles.

7. Transfers and priority

Where an international transfer mechanism is required, the parties will use the applicable standard contractual clauses or provider transfer safeguards. This addendum controls over conflicting service terms for personal-data processing.