This Data Processing Agreement ("DPA") forms part of the agreement between Destm Technologies Pvt Ltd ("Processor" or "Destm") and the entity agreeing to these terms ("Controller" or "Customer") for the use of the CuberIQ platform (the "Service"). This DPA applies where and only to the extent that Destm processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws. This DPA is incorporated into and subject to the Terms of Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Destm on behalf of Customer through the Service, as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and any other applicable privacy or data protection legislation.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party appointed by Destm to process Personal Data on behalf of the Customer in connection with the Service.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.
2. Scope and Purpose
This DPA applies to the processing of Personal Data that Customer submits to the CuberIQ platform, including but not limited to content contributor information, end-user data collected through content personalization features, and any other Personal Data stored within Customer's CuberIQ workspace. Destm Technologies will process Personal Data solely for the purpose of providing the Service as described in the Terms of Service and as further instructed by the Customer in writing. The categories of data subjects and types of Personal Data processed are determined by the Customer's use of the Service.
3. Customer Obligations
The Customer, as the Controller of Personal Data, shall:
- Ensure that all Personal Data provided to CuberIQ has been collected in accordance with applicable Data Protection Laws, including obtaining all necessary consents and providing appropriate privacy notices to data subjects.
- Provide documented instructions to Destm regarding the processing of Personal Data, ensuring such instructions comply with all applicable laws.
- Be responsible for the accuracy, quality, and legality of Personal Data submitted to the Service.
- Promptly notify Destm of any changes to applicable Data Protection Laws that may affect the processing of Personal Data under this DPA.
- Implement appropriate measures to ensure that individuals whose Personal Data is processed through the Service can exercise their data subject rights.
4. Processor Obligations
Destm, as the Processor, shall:
- Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law, in which case Destm will inform the Customer of such legal requirement before processing (unless prohibited by law).
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Section 6 of this DPA.
- Assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including access, rectification, erasure, restriction, portability, and objection requests.
- Assist the Customer in ensuring compliance with its obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- Not process Personal Data for any purpose other than providing the Service, including not using Personal Data for training AI models unless explicitly authorized by the Customer.
5. Sub-processors
Customer provides general authorization for Destm to engage Sub-processors to assist in providing the Service, subject to the following conditions:
- Destm maintains a current list of Sub-processors at cuberiq.com/legal/sub-processors, which includes the Sub-processor's name, location, and the nature of processing performed.
- Destm will notify the Customer of any intended changes to Sub-processors at least 30 days before the new Sub-processor begins processing Personal Data.
- Customer may object to a new Sub-processor on reasonable grounds within 14 days of receiving notice. If the objection is not resolved, Customer may terminate the affected Service.
- Destm will impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, through a written contract.
- Destm remains fully liable to the Customer for the performance of each Sub-processor's obligations.
6. Data Security Measures
Destm implements and maintains the following technical and organizational security measures:
- Encryption: All Personal Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Encryption keys are managed through dedicated key management services with automatic rotation.
- Access Control: Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication is required for all personnel accessing systems containing Personal Data.
- Network Security: Firewalls, intrusion detection and prevention systems, DDoS protection, and network segmentation to isolate customer data environments.
- Monitoring: Continuous security monitoring with 24/7 SOC coverage, automated alerting, and comprehensive audit logging of all access to Personal Data.
- Physical Security: Data center facilities with biometric access controls, 24/7 surveillance, and environmental controls. All infrastructure is hosted in data centers that meet SOC 2 Type II standards.
- Business Continuity: Automated backups, geographically distributed redundancy, and disaster recovery procedures with documented Recovery Time and Recovery Point Objectives.
7. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, Destm shall:
- Notify the Customer without undue delay and in any event within 48 hours of becoming aware of the Data Breach.
- Provide the Customer with sufficient information to enable the Customer to meet its obligations under Data Protection Laws, including the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the breach.
- Cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
- Maintain documented records of all Data Breaches, including the facts, effects, and remedial actions taken.
8. Audits
Destm shall make available to the Customer all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. Customer audit rights include:
- The right to request and receive copies of relevant certifications and audit reports as they become available, including SOC 2 Type II reports (in progress), penetration test summaries, and compliance documentation.
- The right to conduct or commission an independent audit of Destm Technologies' processing activities, subject to reasonable advance notice (at least 30 days), scope limitations, and confidentiality obligations.
- Audits shall be conducted during normal business hours, no more than once per year (unless required by a supervisory authority or following a Data Breach), and at the Customer's expense.
9. International Transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, Destm ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into this DPA by reference.
- Transfer impact assessments to evaluate the level of data protection in the destination country and supplementary measures where necessary.
- UK International Data Transfer Addendum for transfers from the United Kingdom.
- Data residency options available on Enterprise plans, allowing Customers to restrict Personal Data storage to specific geographic regions (EU, US, APAC).
10. Data Deletion
Upon termination or expiration of the agreement, or upon Customer's written request, Destm shall:
- Delete all Personal Data processed on behalf of the Customer within 30 days, unless retention is required by applicable law.
- Provide the Customer with the ability to export their data in a structured, commonly used, and machine-readable format (JSON or CSV) prior to deletion.
- Certify the deletion of Personal Data in writing upon the Customer's request.
- Ensure that all Sub-processors also delete Personal Data within the same timeframe.
- Delete backup copies of Personal Data within 90 days of the deletion of primary data.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, except where Data Protection Laws require otherwise. To the extent that this DPA conflicts with the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data. For EU data subjects, the competent supervisory authority shall be determined in accordance with the GDPR. Nothing in this DPA limits Customer's ability to seek remedies under applicable Data Protection Laws.
For questions regarding this DPA, contact our Data Protection Officer at [email protected] or write to: Destm Technologies Pvt Ltd, Attn: Data Protection Officer, 123 Innovation Drive, Suite 400, San Francisco, CA 94105.