Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Varper LLC, operating as Kirn ("Processor"). It governs the processing of personal data that Kirn handles on your behalf in the course of providing its churn prediction service.
By creating a Kirn account, you agree to this DPA. If you are entering into this DPA on behalf of an organization, you represent that you have authority to bind that organization.
1. Definitions
Terms used but not defined here have the meaning given in the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR. "Personal data," "data subject," "processing," "controller," and "processor" have the meanings given in GDPR Art. 4.
"Services" means the Kirn churn prediction platform provided under the Terms of Service. "Sub-processor" means any third party engaged by Kirn to process personal data in connection with the Services.
2. Details of processing
The details of the processing covered by this DPA are set out below.
Processing details
| Item | Detail |
|---|---|
| Subject matter | Processing of subscription and billing data to compute churn risk scores |
| Nature of processing | Collection, storage, analysis, and automated scoring of billing events |
| Purpose | To identify subscribers at risk of churning and surface them via dashboard and digest email |
| Duration | For the term of the Controller's Kirn subscription; data deleted within 30 days of termination |
| Type of personal data | Stripe customer ID, subscription status and history, invoice and payment records, plan/price identifiers, seat counts, discount information |
| Categories of data subjects | The Controller's own customers who hold active or historical subscriptions on Stripe |
Kirn does not collect subscriber names, email addresses, postal addresses, phone numbers, payment card details, or any free-text metadata fields from Stripe.
3. Processor obligations
3.1 Instructions
Kirn will process personal data only on documented instructions from the Controller, which are set out in the Terms of Service and this DPA. Kirn will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
3.2 Confidentiality
Kirn will ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.
3.3 Security
Kirn will implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage (GDPR Art. 32). These measures include:
- Encryption of Stripe API keys and personal data at rest
- Encryption of data in transit (TLS)
- Access controls limiting data access to authorized personnel only
- Regular security reviews of infrastructure and dependencies
3.4 Sub-processors
The Controller grants Kirn general authorization to engage sub-processors, subject to the conditions in this section. Kirn currently uses the following sub-processors that may process personal data covered by this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Database and application hosting | United States |
| Vercel | Frontend hosting | United States |
| Resend | Digest email delivery | United States |
| Sentry | Error tracking (anonymized) | United States |
Kirn will notify the Controller of any intended changes to sub-processors by updating this DPA and providing at least 30 days' notice via email or in-app notification. If the Controller reasonably objects to a new sub-processor on data protection grounds, the Controller may terminate the affected Services on written notice. Kirn will impose data protection obligations on sub-processors equivalent to those in this DPA.
3.5 Data subject rights
Kirn will provide reasonable assistance to the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection). Requests received directly by Kirn from data subjects will be forwarded to the Controller without undue delay.
3.6 Assistance with compliance
Taking into account the nature of the processing and the information available to Kirn, Kirn will provide reasonable assistance to the Controller with: security of processing (Art. 32); notification of personal data breaches (Arts. 33–34); and data protection impact assessments where required (Art. 35).
3.7 Personal data breach notification
Kirn will notify the Controller without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting data processed under this DPA. Notification will be sent to the email address on the Controller's account and will include, to the extent then known: the nature of the breach, the categories and approximate volume of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
3.8 Deletion and return
On termination or expiry of the Controller's subscription, Kirn will delete all personal data processed under this DPA within 30 days, unless retention is required by applicable law. The Controller may request a copy of their processed data before deletion by emailing hello@getkirn.com.
3.9 Audit
Kirn will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA, and will allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to reasonable advance notice and confidentiality obligations. The Controller agrees to exercise audit rights no more than once per calendar year absent reasonable cause to believe a breach has occurred.
4. Controller obligations
The Controller represents and warrants that:
- It has a lawful basis under applicable data protection law for sharing subscriber data with Kirn for the purposes described in this DPA.
- It has provided any notices and obtained any consents required under applicable law in relation to the processing contemplated by this DPA.
- Its instructions to Kirn comply with applicable data protection law.
5. International data transfers
Kirn operates infrastructure in the United States. Where the Controller is located in the European Economic Area or United Kingdom, transfers of personal data to Kirn are made pursuant to the Standard Contractual Clauses for the transfer of personal data to third countries (EU Commission Decision 2021/914, Module 2: Controller to Processor), which are incorporated by reference into this DPA. The Controller may request a copy of the applicable SCCs by emailing hello@getkirn.com.
6. Governing law
This DPA is governed by the laws of the State of Delaware, United States, except that where GDPR or UK GDPR applies, the provisions required by those regulations shall be interpreted in accordance with EU or UK law as applicable.
7. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA governs with respect to the processing of personal data.
Contact
Data protection questions: hello@getkirn.com