Cubyts
Legal

Legal Center

Policy, agreements, and security & compliance documentation.

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Subscription Agreement between the customer (the "Controller") and Cubyts (the "Processor") under which the Processor provides the Controller the platform and services (the "Services").

The Parties seek to implement this DPA in order to comply with the requirements of EU and UK Data Protection Law in relation to the Processor's Processing of Personal Data.

Definitions

  • "Data Transfer" — transfer of Personal Data from the Client to Controller or Processor, or onward transfer between establishments.
  • "EU and UK Data Protection Law" — EU GDPR 2016/679, applicable national laws, and UK Data Protection Law.
  • "EU Standard Contractual Clauses" — pursuant to European Commission Implementing Decision (EU) 2021/914.
  • "Subprocessor" — processor/sub-contractor appointed by the Processor for the provision of Services.
  • "UK Data Protection Law" — UK GDPR, UK Data Protection Act 2018, and related regulations.

Purpose of This Addendum

This DPA sets out the Processor's obligations in relation to the Processing of Personal Data. If there is a conflict between the Agreement and this DPA, this DPA shall prevail.

Processing Details

  • Purpose: limited to the Processor's provision of Services pursuant to the Agreement.
  • Controller's Processing: the Controller warrants it has the right and authority to request Processing.
  • Duration: for the duration of the Agreement, unless otherwise agreed in writing.

Processor's Obligations

  • Follow written and documented instructions from the Controller.
  • Provide reasonable assistance in responding to Data Subject requests.
  • Use only personnel informed of the confidential nature of the Personal Data.
  • Regularly train personnel in data security and privacy.

Audit Rights

Upon reasonable request, the Processor will make information available to demonstrate compliance with the GDPR. Onsite audits require at least fifteen (15) days' prior written notice.

Sub-processors

The Controller acknowledges that the Processor may engage Sub-processors. The Processor remains liable for any failure of a Sub-processor to fulfil its data protection obligations under this DPA.

Personal Data Breach Notification

  • Maintain defined procedures in case of a Personal Data Breach.
  • Notify Controller without undue delay upon awareness of any Personal Data Breach.
  • Provide all reasonable assistance with notification requirements.

Return and Deletion of Personal Data

Within thirty (30) days from the end of the Agreement or cessation of Services, the Processor shall return or delete all Personal Data, including all copies, as soon as reasonably practicable.

Technical and Organizational Measures

The Processor will take appropriate technical and organizational measures against unauthorized or unlawful processing, accidental loss, destruction or damage to Personal Data.

Contact

Questions? Contact legalqueries@cubyts.com.