Cubbie Data Processing Addendum

Effective: May 7, 2026 · Last updated: May 7, 2026

This Data Processing Addendum (“DPA”) supplements the Cubbie Terms of Service (and any superseding written agreement, the “Agreement”) between you (“Customer”) and Cubbie (50Pros Inc.) and applies whenever Cubbie processes Personal Data on Customer’s behalf under the Agreement. By using the Service to process such data, Customer accepts this DPA. Customers who require a counter-signed copy may request one at legal@cubbie.com; the version posted here will otherwise govern.

1. Definitions

  • Applicable Data Protection Laws. All laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK GDPR and the UK Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by CPRA (“CCPA”), and comparable U.S. state privacy laws.
  • Personal Data, Controller, Processor, Processing, Data Subject have the meanings given in the EU GDPR (or, where applicable, equivalent terms in U.S. state privacy laws, e.g., “Personal Information,” “Business,” “Service Provider,” “Consumer”).
  • Customer Personal Data. Personal Data that Cubbie processes on Customer’s behalf in connection with the Service.
  • Standard Contractual Clauses or SCCs. The standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR adopted by the European Commission on June 4, 2021 (Decision 2021/914), as updated.
  • UK Addendum. The International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office and in force from March 21, 2022.
  • Sub-processor. Any third-party processor engaged by Cubbie to process Customer Personal Data.

2. Roles and scope

With respect to Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Cubbie is the Processor (or sub-processor, as applicable). Where U.S. state privacy laws apply, Cubbie acts as a “Service Provider” or “Processor” (as those terms are defined in the relevant law). This DPA does not apply to Personal Data Cubbie processes as a Controller (e.g., to operate the Cubbie marketplace or to perform Account-level relationship management); that processing is governed by the Privacy Policy.

3. Subject matter, duration, nature, purpose

Subject matter: Cubbie’s processing of Customer Personal Data in the course of providing the Service to Customer.

Duration: The term of the Agreement plus any post-termination period during which Cubbie retains data as permitted by Section 12.

Nature and purpose: Receiving, hosting, storing, transmitting, indexing, analyzing, securing, and otherwise processing Customer Personal Data as necessary to provide, operate, secure, and improve the Service in accordance with the Agreement and Customer’s documented instructions.

Categories of data subjects: Customer’s personnel, end users, contacts, vendors, and other individuals whose Personal Data Customer or its authorized users submit to the Service.

Categories of Personal Data: Identifiers (name, email, IP address, device identifiers); employer / role / team information; subscription registry entries (vendor, contact, owner email, renewal dates, spend); contracts and uploaded documents; transaction and payment metadata; and any other data Customer submits via the Service.

Special category data: The Service is not designed to receive special-category data (e.g., health, biometric, racial, political, or genetic data). Customer agrees not to submit such data unless agreed in writing in advance.

4. Customer’s instructions

Cubbie will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers. The Agreement (including this DPA), Customer’s use of the Service’s features and configurations, and any other written instructions Customer provides, constitute Customer’s complete and final documented instructions. If Cubbie believes an instruction would violate Applicable Data Protection Laws, Cubbie will inform Customer (unless prohibited by law).

5. Confidentiality and personnel

Cubbie ensures that personnel authorized to process Customer Personal Data are bound by appropriate written confidentiality obligations and are trained on data protection and security responsibilities relevant to their role.

6. Security measures

Cubbie has implemented and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access, as further described in Annex II below. Cubbie may update these measures from time to time, provided that such updates do not materially reduce the level of protection.

7. Sub-processors

Customer authorizes Cubbie to engage Sub-processors to process Customer Personal Data, provided that Cubbie:

  • Maintains a list of Sub-processors at Annex III below, updated as Sub-processors change.
  • Imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA.
  • Remains liable to Customer for any failure of a Sub-processor to meet those obligations.
  • Provides at least 30 days’ advance notice (by email or in-product notice) of any new Sub-processor that processes Customer Personal Data, during which Customer may object on reasonable, documented grounds related to data protection. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Service for convenience and receive a pro rata refund of pre-paid fees.

8. International data transfers

Cubbie may transfer Customer Personal Data to the United States and to other countries in which Cubbie or its Sub-processors operate. Where transfers from the EEA, United Kingdom, or Switzerland to a country that has not received an adequacy decision are made, the parties agree that:

  • EEA: The SCCs are incorporated into this DPA. Module Two (Controller-to-Processor) applies where Customer is a Controller. Module Three (Processor-to-Processor) applies where Customer is a Processor on behalf of a third-party Controller. The optional clauses are included as set out in Section 13 below.
  • United Kingdom: The UK Addendum is incorporated and applies the SCCs (as amended) to UK transfers.
  • Switzerland: The SCCs apply with the modifications and supplementary clauses required by the Swiss Federal Data Protection and Information Commissioner.

9. Data subject rights

Cubbie will, taking into account the nature of the processing, provide reasonable assistance through appropriate technical and organizational measures (insofar as possible) for the fulfillment of Customer’s obligation to respond to data subject requests under Applicable Data Protection Laws. The Service includes self-service data export and deletion tools. If a data subject contacts Cubbie directly, Cubbie will (unless legally prohibited) promptly forward the request to Customer and not respond except as instructed by Customer.

10. Personal Data breach notification

Cubbie will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, categories and approximate number of data subjects and records concerned (where known), likely consequences, and measures taken or proposed to address the breach and mitigate its possible adverse effects. Cubbie will provide reasonable assistance to Customer in meeting its breach-notification obligations.

11. Audits

Cubbie will make available to Customer information necessary to demonstrate compliance with this DPA, including by providing on request:

  • Cubbie’s most recent third-party audit reports (e.g., SOC 2 Type II, ISO 27001) under non-disclosure;
  • Responses to a reasonable security questionnaire (no more than once per twelve months absent a Personal Data Breach or material change); and
  • On reasonable advance written notice and during business hours, an audit by Customer or a mutually approved third-party auditor of Cubbie’s data protection compliance, no more than once per twelve months absent a Personal Data Breach or regulator-mandated audit, and subject to confidentiality, scope, and reasonable cost-allocation requirements.

12. Return or deletion

Upon termination or expiration of the Agreement, Cubbie will, at Customer’s option, return or delete Customer Personal Data within 90 days, except to the extent retention is required by law or for the establishment, exercise, or defense of legal claims. Backups will be deleted in the ordinary course of Cubbie’s backup-rotation schedule.

13. SCCs — optional clauses and election

The parties agree that the SCCs are completed as follows:

  • Clause 7 (docking clause): not applied.
  • Clause 9 (sub-processors): Option 2 (general written authorization) applies, with the notice period in Section 7.
  • Clause 11 (redress): the optional independent dispute resolution body language is not selected; data subjects may bring complaints in accordance with the SCCs and Applicable Data Protection Laws.
  • Clause 17 (governing law): Module Two — the law of Ireland; Module Three — the law of Ireland.
  • Clause 18 (forum and jurisdiction): the courts of Ireland.
  • Annex I.A (parties): as identified in the Agreement; Customer is the data exporter and Cubbie is the data importer.
  • Annex I.B (description of transfer): as described in Section 3 of this DPA.
  • Annex I.C (competent supervisory authority): the Irish Data Protection Commission.
  • Annex II (technical and organizational measures): as set out in Annex II below.
  • Annex III (sub-processors): as set out in Annex III below.

In case of any conflict between the SCCs and the rest of this DPA, the SCCs prevail with respect to the matters they govern.

14. CCPA / U.S. state law terms

With respect to Personal Information governed by the CCPA or comparable U.S. state laws, Cubbie acts as a “Service Provider” or “Processor” for Customer. Cubbie will not:

  • Sell or share such Personal Information.
  • Retain, use, or disclose such Personal Information for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by law.
  • Retain, use, or disclose such Personal Information outside the direct business relationship with Customer.
  • Combine such Personal Information with information received from another business or its own consumers, except as permitted by law.

Cubbie certifies that it understands and will comply with these restrictions.

15. Liability

Each party’s liability arising under or in connection with this DPA is subject to the limitations on liability set out in the Agreement. Nothing in this DPA limits a party’s liability to a data subject under the SCCs or Applicable Data Protection Laws where such limitation is prohibited.

16. General

This DPA forms part of the Agreement. If there is any conflict between this DPA and the Agreement, this DPA prevails on data protection matters. This DPA may be updated by Cubbie from time to time as needed to reflect changes in Applicable Data Protection Laws or Sub-processors; material changes will be communicated as set out in the Agreement.

Annex I — Description of processing

Categories of data subjects: Customer’s personnel, end users, business contacts, vendors, and other individuals whose Personal Data Customer submits to the Service.

Categories of Personal Data: Identifiers; employment / role information; subscription registry entries; uploaded contracts and documents; transaction metadata; communications.

Sensitive data: None expected. Customer agrees not to submit special-category data unless agreed in writing.

Frequency of transfer: Continuous, as Customer uses the Service.

Nature of processing: Hosting, storage, transmission, indexing, analytics, AI inference, security, customer support, and other operations necessary to provide the Service.

Purpose: To provide, operate, secure, and improve the Service for Customer in accordance with the Agreement.

Retention period: Term of the Agreement plus the post-termination period in Section 12.

Annex II — Technical and organizational measures

Cubbie implements and maintains a written information-security program with measures appropriate to the nature, scope, and risk of processing, including:

Access control

  • Single sign-on with TOTP / WebAuthn for personnel access to production systems.
  • Role-based access controls; least-privilege production access; just-in-time elevation for sensitive operations.
  • Per-organization session policies (idle timeout, absolute timeout, sensitive-action re-auth).

Encryption

  • TLS 1.2+ for data in transit on public networks.
  • Encryption at rest for the primary database and object storage using AES-256 or equivalent.
  • Secrets management with rotation tooling and short-lived credentials where practical.

Logging and monitoring

  • Centralized application logs with retention according to the log-retention policy.
  • Tamper-evident audit log chain for sensitive records (Merkle-style chain with daily roots and an integrity verifier).
  • Real User Monitoring with sampling for performance regression detection; alerting rules with on-call routing.

Network and infrastructure

  • Production hosted on hyperscale providers with documented availability and isolation guarantees.
  • Web application firewall, DDoS protection, and rate limiting.
  • Separation of production from non-production environments.

Application security

  • Code review for changes to security-sensitive paths; CI checks include dependency scanning and type-checking.
  • Idempotency reconciliation for state-changing endpoints.
  • Input validation, output encoding, and CSRF protection on user-facing routes.

Data protection

  • Self-service data export and deletion in product, with cooling-period cancellation for deletions.
  • Backups with documented restore procedures; periodic backup verification.
  • Documented incident response runbook with internal RTO / RPO targets.

Vendor management

  • Risk-tiered vendor review; written processor / sub-processor agreements; periodic review.

Personnel

  • Background checks where permitted by law; security and privacy training; signed confidentiality and acceptable-use policies.

Annex III — Authorized sub-processors

The following entities are authorized as Sub-processors. Cubbie will keep this list current and will provide notice of additions or replacements as set out in Section 7. Each entity provides services in the country listed; transfers outside the EEA / UK / Switzerland are subject to the SCCs / UK Addendum / FADP equivalents as described in Section 8.

Sub-processor | Service | Location
Amazon Web Services, Inc. | Underlying cloud infrastructure (via Supabase / Vercel) | United States
Vercel Inc. | Application hosting, CDN, Serverless functions | United States
Supabase Inc. | Managed Postgres database, auth, object storage | United States
Stripe, Inc. | Payment processing, payouts, KYB / KYC, Stripe Connect | United States
Resend, Inc. | Transactional and lifecycle email delivery | United States
Anthropic, PBC | AI model inference (Claude family) | United States
Upstash, Inc. | Distributed rate limiting (Redis) | United States
Cloudflare, Inc. | DNS, edge security (where used) | United States

Optional Sub-processors that are activated only when a Customer enables a specific feature (e.g., WorkOS for SAML SSO, Tango Card / Tremendous / Runa for credit redemption, DocuSign / HelloSign / Adobe Sign for e-signature, NetSuite / QuickBooks / Sage Intacct / Brex / Ramp / Mercury / Workday Spend / Coupa for finance integrations, Track1099 / Tax1099 for IRS filings) act as Sub-processors only with respect to that Customer’s use of the relevant feature, and are added to the active list when the feature is enabled.

Contact

DPA inquiries: legal@cubbie.com. Privacy inquiries: privacy@cubbie.com. Security incidents: security@cubbie.com.

© 2026 50Pros Inc. (operator of Cubbie). All rights reserved.