Data Processing Agreement

Last updated: January 31, 2026
Effective: January 31, 2026

This Data Processing Agreement (DPA) forms part of the CloudStation Terms of Service and governs the processing of Customer Personal Data under GDPR, UK GDPR, UAE PDPL, and CCPA. It incorporates the EU Standard Contractual Clauses (Module 2, Controller→Processor, and Module 3, Processor→Sub-processor) and the UK International Data Transfer Addendum where applicable.

1. Definitions

  • "Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Sub-processor" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data that Customer (or its end-users) submits to the Services and that CloudStation processes solely on Customer's behalf.
  • "Service Operations Data" means data CloudStation generates from operating the Services (aggregated usage statistics, security telemetry, performance metrics) that does not directly identify individual Data Subjects. CloudStation may use Service Operations Data to operate, secure, bill for, and improve the Services.
  • "Sub-processor" means any third party engaged by CloudStation to process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the EU Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries (Implementing Decision (EU) 2021/914), Module 2 (Controller→Processor) and Module 3 (Processor→Sub-processor) as applicable.

2. Roles and Subject Matter

2.1 Roles

Customer is the Controller of Customer Personal Data. CloudStation is the Processor and processes Customer Personal Data only as instructed by Customer.

2.2 Service Operations Data

CloudStation may generate aggregated, anonymised Service Operations Data from the operation of the Services. CloudStation does not use such data in a manner that identifies individual Data Subjects. Use of Service Operations Data is described in the CloudStation Privacy Policy.

2.3 Subject matter and duration

Subject matter: provision of the Services. Duration: as long as the Principal Agreement is in force, plus the retention periods specified in Exhibit A.

2.4 Categories of Data Subjects, Personal Data and processing purposes

Described in Exhibit A.

3. Customer Instructions

CloudStation processes Customer Personal Data only on documented instructions from Customer. The Principal Agreement, this DPA, and the Services configuration are such instructions. CloudStation will inform Customer if, in its opinion, an instruction infringes applicable data protection law.

4. Confidentiality

CloudStation ensures personnel authorised to process Customer Personal Data are subject to confidentiality obligations or statutory duties of confidentiality, surviving termination of engagement.

5. Security Measures

CloudStation implements appropriate technical and organisational measures (TOMs) detailed in Exhibit C, including encryption (AES-256 at rest, TLS 1.2+ in transit), strong access controls, MFA, audit logging, and 24/7 uptime monitoring.

CloudStation maintains a SOC 2 Type I attestation (in progress) and a public uptime status page at up.cloud-station.io/status/cs.

6. Sub-processors

6.1 General authorisation

Customer grants general authorisation to engage Sub-processors. The current list is published at up.cloud-station.io/status/cs and the CloudStation trust portal, and is updated as Sub-processors change.

6.2 Notice of change

CloudStation will give Customer at least 30 days' advance notice before engaging a new Sub-processor or replacing an existing one, except in cases of urgent security replacement, where notice will be given as promptly as practicable.

6.3 Objection

Customer may object on reasonable grounds within 30 days of notice. If Customer does not object within that window, the new Sub-processor is deemed authorised. If the parties cannot resolve a timely objection, Customer's sole remedy is to terminate the affected Service for convenience without penalty for unaccrued fees; accrued fees remain payable.

6.4 Sub-processor obligations

CloudStation enters into written agreements with each Sub-processor imposing data protection obligations no less protective than this DPA, including SCCs where required.

6.5 Material consequence

Customer acknowledges that some Sub-processors are essential to providing the Services; objecting to those Sub-processors may prevent CloudStation from providing the Services in whole or part.

7. Data Subject Rights

CloudStation provides functionality and reasonable assistance to enable Customer to fulfil obligations to Data Subjects under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection).

If a Data Subject contacts CloudStation directly, CloudStation will promptly forward the request to Customer and not respond directly except to confirm receipt.

Erasure (Art. 17): On Customer's instruction or termination, CloudStation will delete Customer Personal Data within 30 days, subject to Customer's documented retention requirements and CloudStation's legal obligations. Where deletion is not technically or legally possible, CloudStation will block the data from further processing.

8. Personal Data Breaches

CloudStation will notify Customer without undue delay and in any event no later than 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.

Where complete information is not available within that timeframe, CloudStation will provide such information as is reasonably available and supplement promptly thereafter. Notification under this Section is not an acknowledgement of fault or liability.

9. Audits

9.1 Tier 1 — Certifications and reports (preferred)

On written request, not more than once every 12 months, CloudStation will provide its current SOC 2 report (or equivalent third-party attestation) and a summary of relevant controls.

9.2 Tier 2 — Written questionnaire

If Tier 1 documentation is materially insufficient, Customer may submit a reasonable written questionnaire; CloudStation will respond within 30 days.

9.3 Tier 3 — On-site or remote inspection

Where Tiers 1 and 2 are insufficient, Customer (or a qualified independent auditor mutually agreed) may audit CloudStation's compliance with this DPA, subject to:

  • at least 30 days' advance written notice;
  • during business hours and not unreasonably disruptive;
  • no more than once per 12 months;
  • restricted to data and systems relevant to Customer's Personal Data; and
  • Customer pays all third-party costs and reimburses CloudStation for personnel time at CloudStation's then-current rates.

10. International Transfers

10.1 SCCs incorporation

Where Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country not deemed adequate, the transfer is subject to the Standard Contractual Clauses, hereby incorporated by reference, with the appropriate Module: Module 2 (Controller→Processor) where Customer is Controller and CloudStation is Processor, and Module 3 (Processor→Sub-processor) between CloudStation and its Sub-processors.

10.2 Annexes

SCC Annex I (description of the processing) is populated by Exhibit A, Annex II (technical and organisational measures) by Exhibit C, and Annex III (list of Sub-processors) by Exhibit B of this DPA.

10.3 Optional clauses disabled

The optional docking clause in SCC Clause 7 does not apply.

10.4 UK transfers

The UK International Data Transfer Addendum (issued under section 119A of the UK Data Protection Act 2018) applies to transfers from the UK; Exhibit D sets out the addendum tables.

10.5 Swiss transfers

For transfers subject to the Swiss FADP, references in the SCCs to "GDPR" include the Swiss FADP; the Swiss FDPIC is the competent authority; and references to EU Member State courts include Swiss courts.

10.6 Government and law-enforcement requests

If CloudStation receives a binding legal request from a public authority for Customer Personal Data, CloudStation will, where lawfully permitted, redirect the authority to request the data directly from Customer. If compelled to disclose, CloudStation will, where lawfully permitted, give Customer reasonable advance notice and cooperate with Customer to seek a protective order or other appropriate remedy. CloudStation reviews each such request for legality and minimises disclosure to what is strictly necessary. Either party may suspend transfers if circumstances make compliance with the SCCs impossible.

11. Deletion or Return of Data

On termination or expiry of the Principal Agreement, CloudStation will, at Customer's written choice, delete or return all Customer Personal Data within 30 days, except to the extent retention is required by law. Where deletion is not technically or legally possible, CloudStation blocks the data from further processing.

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions set forth in the Principal Agreement, which shall apply in the aggregate to claims under both this DPA and the Principal Agreement.

Nothing in this DPA or the Principal Agreement limits or excludes either party's liability for: (a) liability that cannot be limited under applicable mandatory law (including GDPR Article 82 where applicable); (b) gross negligence or wilful misconduct; or (c) breach of confidentiality obligations.

Where applicable mandatory law requires joint and several liability between Controller and Processor (e.g., GDPR Article 82(4)), each party retains its right of recourse against the other in proportion to its responsibility for the damage.

13. Service Levels

This DPA does not constitute a service level agreement. Any service level commitments, uptime targets, or recovery objectives (RTO/RPO) are operational targets only and are governed by the Principal Agreement or separate Service Order Form. Numerical targets referenced in Exhibit C are non-binding planning aids and do not create service credits, refunds, or termination rights.

14. Data Protection Officer

CloudStation has designated a Data Protection Officer (DPO) responsible for monitoring compliance with applicable data protection law. The DPO operates with appropriate independence from operational decision-making on processing of Personal Data and reports directly to the Board of Directors on DPO matters. The DPO's contact details appear in the Contact Information section of this DPA and on the CloudStation Privacy Policy.

15. Customer’s Obligations

Customer represents and warrants that:

  • it has obtained all necessary consents and provided all necessary notices to its Data Subjects to enable CloudStation to process Customer Personal Data lawfully under this DPA; and
  • its instructions to CloudStation comply with applicable data protection law.

Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which it acquired such data.

16. Order of Precedence

In the event of conflict, the order of precedence is:

  1. Mandatory provisions of applicable data protection law
  2. The Standard Contractual Clauses (where incorporated)
  3. This DPA
  4. The Principal Agreement
  5. The CloudStation Privacy Policy

17. Governing Law and Jurisdiction

This DPA is governed by the law of the United Arab Emirates. Disputes are subject to DIAC arbitration as specified in the Principal Agreement.

For SCC-arising clauses, governing law and jurisdiction follow the SCCs (typically law of the EU Member State of the Data Exporter). For UK transfers under the UK Addendum, governing law and jurisdiction follow the UK Addendum.

18. Execution

This DPA is executed by Customer providing acceptance through any of the following methods:

  • click-accept during account signup or in the Services UI (for self-service contracts);
  • countersigned PDF delivered to [email protected] (recommended for enterprise contracts and any agreement involving regulated industries or annual fees above customary thresholds); or
  • DocuSign-equivalent electronic signature.

By executing this DPA, Customer is deemed to have signed the Standard Contractual Clauses incorporated herein.

Exhibit A — Description of Processing

Categories of Data Subjects

  • Customer's authorised end-users and administrators
  • Customer's customers and contacts whose data is uploaded to the Services
  • Visitors and prospects in Customer's customer-relationship workflows

Categories of Personal Data

  • Identification & contact: Name, email, phone number, Telegram ID, Slack ID, profile image
  • Authentication: Encrypted password, OAuth tokens (AES-256 encrypted at rest), session tokens
  • Communication content: Messages, files, prompts, agent threads, attachments uploaded by Customer's end-users
  • Usage & activity: IP addresses, user-agent strings, audit log entries, feature usage events, error reports
  • Billing: Stripe customer ID, Lago wallet reference, subscription status (no PAN, no CVV, no PIN)

Special Categories

None processed by default. Customer is responsible for ensuring no special-category data is uploaded unless specifically agreed in writing.

Frequency & Duration

Continuous, for the duration of the Principal Agreement.

Nature & Purpose

Provision of the Services, security monitoring, incident response, billing, and Service improvement (aggregated/anonymised metrics only, where consented).

Exhibit B — Sub-processors

CloudStation maintains a live, public list of Sub-processors at up.cloud-station.io/status/cs. The list at the time of this DPA includes:

Sub-processor           Role                                                     Location   Transfer mechanism
Google Cloud Platform   Cloud infrastructure, managed Postgres, object storage   EU + US    SCCs
Microsoft Azure         Container Registry (image hosting only)                  EU + US    SCCs
GitHub                  Source code + GitHub App for Customer integrations       US         SCCs
Google Workspace        Internal email + identity                                EU + US    SCCs
Anthropic               LLM provider for AI agent runtime                        US         SCCs
OpenAI                  LLM provider                                             US         SCCs
OpenRouter              LLM gateway                                              US         SCCs
Stripe                  Payment processing (tokens only)                         EU + US    SCCs
PostHog                 Product analytics                                        US         SCCs
Slack                   Internal team communication                              US         SCCs

Customer agrees the live list at the URL above is the authoritative source. CloudStation will give 30 days' advance notice of changes per Section 6.2.

Exhibit C — Technical and Organisational Measures

Information security policies

25 published security policies covering access control, encryption, vulnerability management, incident response, vendor risk, secure SDLC, business continuity, and data classification. Annual policy review; signed acknowledgement by all personnel.

Personnel

  • Background screening on engagement
  • Annual security awareness training
  • Confidentiality obligations in employment / contractor agreements
  • Documented onboarding and offboarding procedures
  • Secret rotation upon contractor departure

Access control

  • Production access limited to authorised personnel under documented procedures
  • Privileged access reachable only via private VPN with cert-based authentication
  • Single sign-on via Google Workspace with 2-Step Verification (enforced)
  • Role-based authorisation in application layer; principle of least privilege
  • Quarterly access reviews and immediate revocation on personnel change

Encryption

  • AES-256 at rest for object storage, database fields containing OAuth tokens, and credentials
  • TLS 1.2 or higher for all customer-facing transports
  • Vault-managed secret storage with audit logging

Resilience

  • GCP Cloud SQL managed Postgres with point-in-time recovery
  • Frequent backups for billing data; daily backups for other production data
  • Periodic DR restore drills

Numerical recovery targets, where stated, are operational planning aids only and are not contractual service-level commitments (see Section 13).

Incident response

  • 72-hour Customer notification commitment for Personal Data Breaches
  • Centralised alerting (Slack + email) to designated security personnel
  • Public uptime monitoring at up.cloud-station.io/status/cs
  • Documented incident logging and post-mortem process

Sub-processor management

  • Documented vendor risk-review process
  • Annual review of all Sub-processors
  • Public Sub-processor list with 30-day change notification

Audit & monitoring

  • Centralised log retention (Loki)
  • TLS certificate inventory with quarterly review
  • Continuous Uptime Kuma monitoring
  • Annual penetration test / sandbox security review

Compliance

  • SOC 2 Type I attestation in progress
  • GDPR Article 28 compliance via this DPA
  • UAE PDPL compliance
  • Privacy Policy publicly available; Data Subject rights honoured within 30 days

Exhibit D — UK International Data Transfer Addendum

This Addendum is incorporated where Personal Data is transferred from the United Kingdom to a country outside the UK that is not deemed adequate.

Selected SCCs, Modules and Optional Clauses

  • SCCs: EU SCCs Implementing Decision (EU) 2021/914
  • Module(s): Module 2 (Controller→Processor), Module 3 (Processor→Sub-processor)
  • Clause 7 docking: Disabled (per Section 10.3)
  • Clause 17 governing law: Republic of Ireland
  • Clause 18 forum: Republic of Ireland

Appendix Information

Annex I = Exhibit A · Annex II = Exhibit C · Annex III = Exhibit B.

Contact Information

For DPA execution, sub-processor objections, data subject requests, or any questions about this DPA:

  • Data Protection Officer: Driss Assouka — [email protected]
  • General contact: [email protected]
  • Address: CloudStation L.L.C-FZ, The Meydan Hotel, Dubai, United Arab Emirates
  • Website: cloud-station.io

Contact Us

If you have any questions about this document, please contact CloudStation at [email protected].