Data Processing Addendum for EU customers.

Parties & definitions

This addendum is between Analytics Lab S.R.L. (the Processor, trading as Kustiq) and the customer entity that signed the Terms of Service (the Controller). Defined terms here override anything inconsistent in the main Terms for the purposes of personal-data processing.

Analytics Lab S.R.L. is registered in Romania (CUI: RO50212590, Reg: J2024011530406), with its registered office at Int. Gheorghe Simionescu 19, 014155 Sector 1, Bucharest, Romania. This DPA is entered into in accordance with GDPR Article 28 and applies whenever the Controller submits personal data to the Processor for processing as part of the Service.

Governing law is Romania. For data subjects in the EEA, UK, or Switzerland, the mandatory provisions of applicable data-protection law take precedence where they conflict with the terms of this DPA. For California residents to whom CCPA / CPRA applies, the Processor acts as a “Service Provider” that processes personal information solely for the business purposes specified below; no sale, no use outside the contracted services.

Controller

The customer entity that determines the purposes and means of processing personal data through the Kustiq service. You.

Processor

Analytics Lab S.R.L., trading as Kustiq, processing personal data on the Controller’s documented instructions under Art 28 GDPR.

Sub-processor

Any third party engaged by Kustiq to process personal data on the Controller’s behalf. The current list of 12 sub-processors with vendor name, purpose, and processing location is in §6.

Sub-processor location

The country and region where the sub-processor stores or accesses Controller data. Today, EU (Germany) and US regions only; no Asia-Pacific routing.

Data Subject

The natural person to whom personal data relates: a Controller employee using the workspace, or a data subject contained in public-web pages analysed during profiling.

Personal Data

Any information relating to a Data Subject, as defined in Art 4(1) GDPR. The categories Kustiq processes are listed in §4.

Personal Data Breach

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, as defined in Art 4(12) GDPR.

SCCs

The Standard Contractual Clauses approved by the European Commission under Implementing Decision (EU) 2021/914, Module 2 (controller to processor).

Subject matter & duration

The subject matter of processing is the Kustiq service: turning a domain into a company snapshot, profiling prospects, and storing the workspace’s outbound-research history. Processing continues for the duration of the Controller’s subscription, plus the 30-day grace window described in §11.

Processing terminates on the earlier of: subscription cancellation plus 30 days, written deletion request from the Controller, or court order. Section 11 governs what happens to the data at termination.

Nature & purpose of processing

Kustiq processes personal data only to provide the contracted service and to keep it secure. Three concrete operations: profile generation, prospect verification, audit retention.

1. Profile generation. The Controller submits a domain. Kustiq fetches public-web content, applies the AI classification and deterministic data pipelines (SMTP verification, Browserless scraping, 12-factor rule-based churn engine), and returns a structured snapshot. The free tier processes 1 profile per week (anonymous) or 3 per week (signed in); paid plans scale linearly.
2. Prospect verification. The Controller selects an ICP. Kustiq queries vetted directories, verifies email validity through real-time SMTP probes (no payload sent), and writes verified rows to the workspace.
3. Audit retention. Each pipeline run is logged with input domain, output snapshot ID, runtime, and the user who triggered it. The audit log supports billing reconciliation, security forensics, and Art 30 records.

Data submitted to AI sub-processors (Anthropic) via API is not used for model training. Anthropic’s API terms prohibit the use of API inputs and outputs for training purposes.

Lawful bases the Processor relies on for its own ancillary processing (security, billing reconciliation, compliance):

Categories of data subjects & data

Kustiq does not process special-category data under Art 9 GDPR. The categories below cover everything an EU procurement reviewer should expect on this service.

Security measures (Art 32)

Technical and organisational measures Kustiq implements as Processor. Posture is stated honestly: what is shipped today, what is delegated to infrastructure sub-processors, and what is not in scope.

Kustiq follows a defined incident-response playbook with named on-call. Personnel handling personal data are bound by confidentiality obligations.

Sub-processors

The Controller authorises Kustiq to engage the sub-processors below, plus any future sub-processors added with at least 30 days written notice. The full register lives on this page (see the foot of the preview card) and is mirrored in machine- readable form for procurement reviewers.

The Controller may object to a new sub-processor in writing within the 30-day notice period. If the parties cannot agree on a remedy, the Controller may terminate the affected service for cause without penalty under §11.

Full sub-processor list (12)

International transfers

Personal data is processed in the United States and Germany. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, the Processor relies on:

• The EU-US Data Privacy Framework, where sub-processors are certified.
• EU-Commission-approved Standard Contractual Clauses (EU) 2021/914 Module 2, supplemented by transfer-impact assessments where required.

On request, Kustiq will provide the executed SCC and the underlying transfer-impact assessment for any sub-processor named in §6. Email support@kustiq.com; turnaround 5 business days.

Assistance with data-subject rights

The Processor assists the Controller in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible, and assists with security, breach notification, data-protection impact assessments, and prior consultation with supervisory authorities.

Where a request cannot be handled by the Controller alone (legal escalation, court order, regulator notice), Kustiq assists at no extra fee. Contact path is support@kustiq.com; first response in 1 business day, completion within the regulatory window.

Personal-data breach notification

The Processor notifies the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Controller data. Notice is sent to the workspace-owner email and the listed billing contact.

The breach notice contains, to the extent known:

• The nature of the breach, including categories and approximate counts of data subjects and records affected.
• The likely consequences and the measures taken or proposed to address the breach.
• The contact point at the Processor for further information.

The Processor does not notify the Controller of unsuccessful access attempts, port scans, or routine security events.

Audit & inspection

The Controller may audit Kustiq’s compliance with this addendum. The clauses below set the scope, frequency, and limits, all standard practice for a vendor audit by a customer.

Findings are shared in a written report. The audit log is excluded from third-party access where it would expose unrelated tenants.

Return & deletion of data

On termination of the contract, the Controller may, at its written choice, either receive all personal data exported in a structured, machine-readable format or have all personal data securely deleted within 30 days. Existing copies are deleted unless storage is required by applicable law. The Processor confirms deletion in writing on request.

The Controller may also request immediate erasure during the active subscription. Erasure is irreversible. Anonymised, aggregated data that cannot be linked back to individual data subjects may be retained.

Liability

Liability under this addendum is structured into the four buckets below. Each bucket inherits the cap and exclusions in the Terms of Service unless explicitly stated otherwise here.

General cap
12 months fees

For all claims under this addendum and the Terms not specifically called out below, liability is capped at the fees paid by the Controller in the 12 months preceding the event giving rise to the claim.

Breach of DPA
Per Terms cap

Direct damages caused by Kustiq’s breach of Art 28(3), Art 32, or Art 33 GDPR are subject to the same cap as the general cap above. Indirect, consequential, and lost-profit damages remain excluded.

Regulatory fines
As apportioned

Each party indemnifies the other for fines or penalties imposed by a supervisory authority strictly to the extent the imposing authority apportions fault to that party.

Data-subject claims
Allocated by fault

Where a Data Subject claim under Art 82 is paid out, the parties contribute according to fault as determined by the competent court or, failing that, by good-faith negotiation.

Contact & jurisdiction

As of this DPA’s effective date, the Processor has not appointed a Data Protection Officer because its processing activities do not require one under GDPR Article 37. All data-protection inquiries route to a single inbox monitored every business day.

This DPA is governed by the laws of Romania. For data subjects in the EEA, UK, or Switzerland, the mandatory provisions of applicable data-protection law take precedence where they conflict with the terms of this DPA.

How acceptance works

This DPA is incorporated into the Terms of Service by reference. Accepting the Terms when the Controller’s workspace is created is acceptance of this DPA. Procurement reviewers can confirm version and effective date inline; a counter-signature flow inside the workspace is on the roadmap.

// dpa_acceptances row · target schema (server-side, per Controller)
{
  org_id:               "org_…",
  dpa_version:          "v1.3",
  accepted_at:          "ISO-8601",
  accepted_by_user_id:  "usr_…",
  accepted_by_email:    "owner@controller.tld",
  ip:                   "0.0.0.0",
  user_agent_hash:      "sha256:…",
  supersedes:           "v1.1 (2025-09-02)",
}

Version history

• v1.3 · 2026-05-16 Legal cluster lock. Canonical Organization entity-graph shared with /trust /privacy /terms. Cloudflare Turnstile and Browserless added to the §6 register (10 → 12). “Sub-processor” terminology canonicalised. Breadcrumb mesh aligned to /trust as the legal hub.
• v1.2 · 2026-03-24 Audit clause expanded with NDA + competitor exclusion. Liability split into the four-row table above. Sub-processor list surfaced as preview + full register inline. CCPA / CPRA and governing-law folded into §1.
• v1.1 · 2026-03-23 Added sub-processors (Hetzner, Resend, HubSpot). Technical and organisational measures documented. CCPA / CPRA terms and AI training opt-out statement added.
• v1.0 · 2026-03-05 Initial publication. GDPR Art 28 compliant.