Data Processing Addendum

Last updated May 01, 2025

This Data Processing Addendum (“DPA”) forms part of the agreement between Cuemby LLC (“Company”) and the customer (“Client”) for the use of Cuemby’s products and services, including but not limited to the Master Services Agreement, the Terms of Service, or other applicable agreement (collectively, the “Agreement”).

1. Definitions

“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU 2016/679) (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), the Brazilian General Data Protection Law (“LGPD”), and any similar or successor laws.

“Personal Data” means any information relating to an identified or identifiable natural person. “Processing”, “Processor”, “Controller”, “Data Subject”, and “Supervisory Authority” have the meanings given in the applicable laws.

2. Roles and Scope of Processing

The Client is the Controller and determines the purposes and means of the Processing of Personal Data. Cuemby acts as the Processor and will process Personal Data on behalf of the Client strictly in accordance with the documented instructions of the Client unless otherwise required by law.

3. Use of Sub-processors

Cuemby may engage Sub-processors to support the delivery of Services. A list of Sub-processors will be maintained and made available upon request. Cuemby shall enter into a written agreement with each Sub-processor ensuring equivalent data protection obligations as those set out in this DPA.

5. Data Subject Rights

Cuemby shall assist the Client, to the extent reasonably possible, in fulfilling its obligations to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Laws.

6. Data Breach Notification

Cuemby shall notify the Client without undue delay after becoming aware of a Personal Data Breach. Such notification shall include details of the breach, measures taken or proposed, and any relevant mitigation steps.

7. International Transfers

Cuemby shall not transfer Personal Data to a country outside of the jurisdiction from which the data originated unless it ensures appropriate safeguards are in place in accordance with applicable Data Protection Laws (e.g., Standard Contractual Clauses).

8. Data Return and Deletion

Upon termination of the Services or at the request of the Client, Cuemby shall, at the choice of the Client, return or delete all Personal Data unless otherwise required by law.

9. Audit Rights and Cooperation

Cuemby shall make available information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits or inspections by the Client or a mutually agreed third party, provided reasonable advance notice is given.

10. Contact and Miscellaneous

Cuemby’s primary contact for data protection matters is: elsa@cuemby.com.

This DPA shall remain in effect for the duration of the Agreement. In the event of conflict between the DPA and the Agreement, the DPA shall prevail with respect to data protection matters.