Data Processing Addendum

The Customer is the data controller (or data fiduciary, where applicable under India's DPDP Act 2023). Hubzoid acts as data processor (or data processor / data fiduciary's processor, as applicable) and processes personal data only on the Customer's documented instructions.

Hubzoid processes personal data only to provide the services set out in the SOW. Categories of data subjects, categories of personal data, processing operations, and retention are described in Appendix A.

The Customer authorises Hubzoid to engage the sub-processors listed at /legal/subprocessors. Hubzoid will provide notice of changes to that list and the Customer may object on reasonable grounds.

Hubzoid will impose data-protection obligations on each sub-processor that are no less protective than this DPA.

Customer data is processed in the cloud region the Customer elects for its hub deployment.

Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the parties incorporate the relevant Standard Contractual Clauses by reference.

Hubzoid implements the technical and organisational measures described in Appendix B. These map to commonly recognised control families including access control, change management, audit logging, and incident response.

A full description of how Hubzoid deploys, and the perimeter map of what does and does not cross the boundary, is available on request from contact@hubzoid.com.

Hubzoid will notify the Customer without undue delay, and in any event within seventy-two hours of becoming aware of a personal data breach affecting Customer data. The notice will include the information reasonably available at the time, with updates as the investigation progresses.

Hubzoid will provide reasonable assistance, taking into account the nature of the processing, to enable the Customer to respond to data-subject requests under applicable law.

The Customer may audit Hubzoid's compliance with this DPA on reasonable advance notice and no more than once per twelve-month period, except where required by a regulator or following a confirmed personal data breach.

Hubzoid may satisfy audit obligations by providing recent independent assessments where available.

On termination of the engagement, Hubzoid will return or delete Customer personal data held on Hubzoid systems and certify the deletion on request. Customer-cloud copies remain under Customer control.

Categories of data subjects: Customer's personnel, Customer's customers and counterparties to the extent reflected in source systems connected to the hub.

Categories of personal data: business contact information, employment context, content the Customer routes through the hub.

Processing operations: storage in Customer cloud; routing to Customer-contracted model providers for inference; logging within Customer cloud for audit.

Retention: as described in Section 09 of this DPA and the underlying SOW.

Single-tenant deployment per Customer.

Time-bound, customer-approved engineer access; revoked at handover.

Audit logging of agent decisions including prompt, policy, and sources read.

Change management with version control on world models and runbooks.

Incident response procedure with documented escalation and notification SLAs.

A complete perimeter map showing what crosses the boundary and what does not is available on request from contact@hubzoid.com.