cuibit
/ Legal

Data processing addendum.

This DPA applies when Cuibit processes personal data on behalf of a client during a paid engagement. It forms part of the signed Master Services Agreement.

Last updated: April 20, 2026·Applies site-wide to https://cuibit.com

This Data Processing Addendum ("DPA") is entered into between the client ("Controller") and Cuibit ("Processor") and forms part of the Master Services Agreement ("MSA") between the parties. It sets out the terms on which Cuibit processes personal data on behalf of the Controller in connection with the services described in the applicable Statement of Work ("SoW"). Where this DPA conflicts with the MSA, this DPA prevails in respect of personal data processing.

1. Definitions

Terms used in this DPA have the meanings given in the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Saudi Personal Data Protection Law (PDPL), the UAE Personal Data Protection Law, and the California Consumer Privacy Act (CCPA), as applicable. "Personal Data" means any information relating to an identified or identifiable natural person processed by Cuibit on behalf of the Controller.

2. Subject matter, duration, nature and purpose

  • Subject matter — the development, maintenance and operation of software and digital products commissioned in the SoW.
  • Duration — the term of the MSA / SoW, plus any wind-down period agreed in writing.
  • Nature and purpose — design, engineering, deployment, maintenance and support of the product.
  • Categories of data subjects — the Controller's end users, customers, employees and contractors, as relevant to the product.
  • Categories of personal data — as described in the SoW. Special-category data is only processed when explicitly scoped.

3. Roles of the parties

The Controller determines the purposes and means of processing. Cuibit, as Processor, processes personal data only on documented instructions from the Controller (including as set out in the SoW), unless required to do otherwise by applicable law.

4. Cuibit's obligations

  • Process personal data only on the Controller's documented instructions.
  • Ensure that personnel authorised to process personal data are bound by confidentiality.
  • Apply technical and organisational security measures as described in Annex A below.
  • Assist the Controller, to a reasonable extent, in responding to data-subject requests and in meeting obligations under Articles 32–36 of the GDPR.
  • Notify the Controller without undue delay on becoming aware of a Personal Data Breach and cooperate on containment and remediation.
  • At the Controller's choice, delete or return all personal data at the end of the engagement and delete existing copies unless legally required to retain them.
  • Make available the information necessary to demonstrate compliance with this DPA and allow reasonable audits.

5. Sub-processors

The Controller grants Cuibit general authorisation to engage sub-processors to deliver the services, subject to Cuibit imposing data-protection obligations on them that are no less protective than this DPA. A current list of standing sub-processors (hosting, email, analytics, CRM) is available on request. Cuibit will give reasonable prior notice of new sub-processors and allow the Controller a right of reasonable objection.

6. International transfers

Where personal data is transferred from the EEA, UK or Switzerland to a country without an adequacy decision, transfers rely on the European Commission's Standard Contractual Clauses (Module 2 and, where applicable, Module 3) and the UK International Data Transfer Addendum, together with additional technical and organisational measures where required. EU-only data residency is available on request (AWS Frankfurt / AWS Ireland).

7. Data subject rights

Cuibit will, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to requests from data subjects to exercise their rights under applicable law (access, rectification, erasure, restriction, portability, objection).

8. Security measures (Annex A)

  • Encryption in transit (TLS 1.2+) and at rest on supported platforms.
  • Role-based access, least privilege and MFA on all admin accounts.
  • Separation of environments (development, staging, production); no client credentials shared between engagements.
  • Centralised logging, audit trails and alerting on anomalous access.
  • Managed secrets (no secrets in code), dependency vulnerability scanning and regular security review.
  • Written incident response runbook with defined roles, notification timelines and lessons-learned loops.
  • Backups with tested restores for data Cuibit is responsible for storing.
  • SOC 2-aligned controls; HIPAA-ready architecture available for US healthcare engagements by separate agreement.

9. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitation of liability provisions of the MSA.

10. Term and termination

This DPA is effective on the later of (a) the effective date of the MSA or (b) execution of this DPA, and remains in force for as long as Cuibit processes personal data on behalf of the Controller.

11. Contact

DPA requests, sub-processor enquiries and privacy contact: hello@cuibit.com.

Accepting projects
Book a call →