Data Protection Addendum

Data Protection Addendum (DPA)

This Data Protection Addendum (“DPA”) forms part of the Cubik Terms and Conditions (the “Agreement”) between Chasers AI (Quetru B.V.) ("Processor") and the Customer ("Controller"), and applies to the extent Chasers AI processes Personal Data on behalf of the Customer in the course of providing the Cubik service.

1. Definitions

  • "Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation ("GDPR"), UK GDPR, CCPA/CPRA, Brazil LGPD, and similar laws.

  • "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in the GDPR.

2. Scope and Roles

  • The parties acknowledge and agree that, for the purposes of Data Protection Laws, the Customer is the Controller and Chasers AI is the Processor.

  • This DPA applies only where Chasers AI processes Personal Data on behalf of the Customer in the course of providing the Service.

3. Processor Obligations Chasers AI shall: (a) Process Personal Data only in accordance with the Customer’s documented instructions unless required by applicable law; (b) Ensure that personnel authorized to process Personal Data are subject to confidentiality obligations; (c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; (d) Assist the Customer in responding to Data Subject requests and fulfilling its obligations under Data Protection Laws; (e) Notify the Customer without undue delay upon becoming aware of a Personal Data Breach; (f) Make available information and audits reasonably necessary to demonstrate compliance with this DPA; (g) Delete or return Personal Data upon termination of the Agreement, at the Customer’s choice (except where retention is required by law); (h) Not transfer Personal Data outside the EEA, UK, or other jurisdiction without appropriate safeguards, including Standard Contractual Clauses or an approved transfer mechanism.

4. Subprocessing

  • The Customer grants Chasers AI a general authorization to engage subprocessors.

  • A current list of subprocessors is available at: [Insert URL]

  • Chasers AI shall enter into a written agreement with each subprocessor with data protection obligations no less protective than those in this DPA.

  • Chasers AI shall remain liable for the acts and omissions of its subprocessors.

5. International Transfers

  • If Personal Data is transferred outside the EEA/UK, Chasers AI shall ensure such transfer is subject to:

    • The EU Commission’s Standard Contractual Clauses (SCCs);

    • The UK International Data Transfer Agreement (IDTA); or

    • Any other mechanism approved under Data Protection Laws.

6. Data Subject Rights and Cooperation

  • Chasers AI shall, to the extent legally permitted, promptly notify the Customer if it receives a Data Subject request.

  • Chasers AI shall assist the Customer in fulfilling its obligations to respond to such requests.

7. Liability and Indemnity

  • Each party shall be liable for and indemnify the other against damages resulting from its breach of this DPA or applicable Data Protection Laws.

8. Term and Termination

  • This DPA shall remain in effect for as long as Chasers AI processes Personal Data on behalf of the Customer under the Agreement.

9. Conflict

  • In the event of any conflict between this DPA and the Agreement, this DPA shall prevail solely with respect to the processing of Personal Data.

Annex I: Details of Processing

  • Data Subjects: End users, employees, contractors, and other individuals whose data is uploaded or connected via Cubik

  • Categories of Personal Data: Names, email addresses, account IDs, analytics metadata, IP addresses, and marketing attribution data

  • Purpose of Processing: To provide analytics, automation, reporting, and campaign performance features

  • Retention: For the term of the Agreement, unless otherwise required by law

Annex II: Security Measures

  • Encryption of data in transit and at rest

  • Role-based access controls and least privilege enforcement

  • Incident response protocols and breach notification procedures

  • Subprocessor due diligence and risk assessments

  • Regular vulnerability assessments and audits

Annex III: Subprocessors

  • Amazon Web Services (AWS) – Cloud Hosting

  • Google Cloud Platform (GCP) – Data Infrastructure

Executed as an addendum to the Agreement.