A data processor has no say in how and for how long is the data stored. They implement exactly hat the data controller said, not more, not less. So in this case guaranteeing 100 years is just nonsense. But... in our case it's Evernote itself who gathered all its own data from its own users according to its own rules, so I really struggle to understand why you won't see them as data controllers.

As far as GDPR is concerned, I think they are a controller if they are processing data to provide their service they run to customers. The control how that service works, and are not processing data on behalf of a controller explicitly under their written instructions. If they were a service used by a company like this, they would be a processor. The rertention period here is presumably until the user closes their account or deletes the data from it, possibly plus some period to allow for Evernote to delete it, and the basis is performance of the contract created by their terms of service, or consent. If so, they don't have to delete it until they are instructed to bny the user. They would have to probvide for a way gfor it to be deleted by the organisation they setup to retain it when setting that up though. That organisation would be a processor, unless an explicit relationship with the customer was created with them (which I would expect there would be as part of the user accepting using it), in which case I think it would also be a controller. Either way, they would be responsible for deleting the data when the customer wants it deleted because either they would be as a result of their relationship with the cuastomer if they were a controller, or because it would (have to be) be part of the terms of the processoring agreement with Evernote.