Data Processing Agreement
Last updated:
This agreement explains how Kustiq handles data on your behalf when you use our service. It covers what we process, how we protect it, and which sub-processors are involved. For how we handle your personal data more broadly, see our Privacy Policy.
1. Scope and parties
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Kustiq and the customer (“Controller”) who subscribes to the Service.
Kustiq is operated by Analytics Lab S.R.L. (CUI: RO50212590, Reg: J2024011530406), with its registered office at Int. Gheorghe Simionescu 19, 014155 Sector 1, Bucharest, Romania, referred to in this DPA as the “Processor.”
This DPA applies whenever the Controller submits personal data to the Processor for processing as part of the Service. It is entered into in accordance with GDPR Article 28.
2. Definitions
- Personal data: any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Processing: any operation performed on personal data, including collection, storage, retrieval, use, and erasure.
- Sub-processor: a third party engaged by the Processor to process personal data on behalf of the Controller.
3. Nature and purpose of processing
- Purpose: to generate AI-powered company profiles and outreach intelligence from data submitted by the Controller.
- Duration: for the term of the Controller’s subscription, plus a 30-day deletion period after termination.
- Types of personal data: company email addresses, company domain names, and any personal data contained in publicly available web pages analyzed during profiling (e.g. employee names, job titles).
- Categories of data subjects: employees and contacts of companies submitted by the Controller for profiling.
- AI model training: data submitted to AI sub-processors (Anthropic) via API is not used for model training. Anthropic’s API terms prohibit the use of API inputs and outputs for training purposes.
4. Processor obligations
In plain terms: we only touch your data when you tell us to, we keep it secure, and we tell you before involving any new third party.
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that anyone with access to personal data is bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures, as detailed in Section 5 of this DPA.
- Not engage another processor (sub-processor) without prior written authorization from the Controller. The Controller provides general authorization for the sub-processors listed in Section 9 of this DPA.
- Notify the Controller before adding or replacing a sub-processor, giving the Controller an opportunity to object.
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible.
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- At the Controller’s choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
5. Technical and organizational measures
The Processor implements the following measures to protect personal data in accordance with GDPR Article 32:
- Encryption in transit: all connections use TLS encryption.
- Encryption at rest: databases hosted by Supabase use AES-256 encryption at rest.
- Access control: production systems are accessible only via SSH key authentication with the principle of least privilege.
- API security: API keys are stored as SHA-256 hashes, never in plaintext. Webhook payloads are signed with HMAC-SHA256 for authenticity verification.
- Integration security: HubSpot OAuth tokens are encrypted at rest and never exposed to third parties.
- Role-based access: 6 granular permissions enforce team-level access control within customer organizations.
- Network security: all server infrastructure uses firewalled network configurations.
- Analytics isolation: no third-party analytics services have access to user data. All product analytics are first-party only.
- Physical security: delegated to infrastructure sub-processors (Hetzner, Supabase) who maintain their own physical security controls and certifications.
- Personnel: access to personal data is limited to personnel who require it for the purposes described in this DPA.
6. Controller obligations
As the data controller, you are responsible for the data you send us.
The Controller shall:
- Ensure that it has a lawful basis for submitting personal data to the Processor.
- Provide the Processor with documented processing instructions.
- Be responsible for the accuracy, quality, and legality of personal data submitted to the Processor.
- Comply with its obligations under applicable data protection law, including providing any required notices to data subjects.
7. Data breach notification
In plain terms: if there is a breach affecting your data, we will tell you within 72 hours with full details.
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach.
- The categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach.
8. Audits
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
The Controller may conduct an audit, or appoint a third-party auditor, no more than once per year. The Controller must give at least 30 days’ written notice. Audits take place during normal business hours and at the Controller’s expense.
The Processor may satisfy audit requests by providing relevant security documentation, compliance certifications, or third-party audit reports.
9. Authorized sub-processors
The Controller provides general authorization for the following sub-processors (meaning you have approved these specific providers by agreeing to this DPA). The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. Notification will be sent to the email address associated with the Controller’s account. The Controller may object to a new sub-processor by providing written notice within 14 days of the notification.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | United States |
| Stripe | Payment processing | United States |
| Vercel | Frontend hosting and edge delivery | United States |
| Anthropic | AI language model inference during profiling | United States |
| Serper | Web search API for public data gathering | United States |
| Hetzner | API server hosting and data processing infrastructure | Germany |
| Resend | Transactional email delivery | United States |
| HubSpot | CRM data synchronization (when integration enabled) | United States |
| Saleshandy | Outbound email delivery for sales communications | United States |
| Google Workspace | Business email and customer support communications | United States |
Sub-processor list last updated:
Each sub-processor maintains its own data processing and security documentation, available on their respective websites.
10. International data transfers
In plain terms: your data goes through US-based and EU-based services. We use EU-approved frameworks to keep those transfers legal.
Personal data is processed in the United States and Germany. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, the Processor relies on:
- The EU-US Data Privacy Framework, where sub-processors are certified.
- EU-Commission-approved Standard Contractual Clauses (SCCs) as a supplementary transfer mechanism.
11. Data deletion and return
In plain terms: when you cancel, we either send your data back or delete it within 30 days. Your call.
Upon termination of the Service, the Processor shall, at the Controller’s written request, either return all personal data in a structured, machine-readable format or securely delete all personal data within 30 days.
The Processor shall confirm deletion in writing upon request. Anonymized, aggregated data that cannot be linked back to individual data subjects may be retained.
12. Liability
Each party’s liability under this DPA is subject to the limitations set forth in the Terms of Service.
13. California privacy rights (CCPA/CPRA)
For California residents, where the California Consumer Privacy Act (CCPA/CPRA) applies, the Processor acts as a “Service Provider” as defined by CCPA. The Processor processes personal information solely for the business purposes specified in this DPA. The Processor does not sell personal information and does not retain, use, or disclose personal information for any purpose other than performing the services specified in this DPA.
14. Governing law
This DPA is governed by the laws of Romania. For data subjects in the EEA, UK, or Switzerland, the mandatory provisions of applicable data protection law shall take precedence where they conflict with the terms of this DPA.
Questions about this DPA?
We respond to every message. Reach out at support@kustiq.com or visit our support page.
As of this DPA’s effective date, the Processor has not appointed a Data Protection Officer because its processing activities do not require one under GDPR Article 37. All data protection inquiries should be directed to support@kustiq.com.
Version history
- v1.2 (): Added sub-processors (Saleshandy, Google Workspace).
- v1.1 (): Added sub-processors (Hetzner, Resend, HubSpot), technical and organizational measures, CCPA/CPRA terms, AI training opt-out statement.
- v1.0 (): Initial publication.