Data Processing Agreement
Last updated: 2026-04-15
This Data Processing Agreement ("DPA") forms part of the agreement between Cube5 SAS (France) ("Cube5" or "Processor") and the customer identified in the applicable order form / SOW / subscription agreement ("Customer" or "Controller") for access to Cube5 Cortex (the "Service"). This DPA applies where Cube5 processes Personal Data on behalf of Customer in the course of providing the Service.
1) Definitions
Capitalized terms not defined in this DPA have the meaning given in the Terms of Service or the applicable Order.
- "Data Protection Laws" means applicable data protection and privacy laws and regulations, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and, where applicable, the UK GDPR.
- "Personal Data", "Processing", "Controller", "Processor", "Sub-processor" have the meanings given in the GDPR.
- "Customer Personal Data" means Personal Data contained in Customer Content or otherwise processed by Cube5 on behalf of Customer under this DPA.
- "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- "Order" means an order form, SOW, or other ordering document referencing the Terms of Service and this DPA.
- "Terms of Service" means the Cube5 Cortex Terms of Service.
- "Privacy Policy" means the Cube5 Cortex Privacy Policy.
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), as may be updated.
2) Roles and scope
2.1 Customer as Controller; Cube5 as Processor
Where Customer provides the Service to its personnel, end users, or other individuals and uploads or otherwise provides Customer Content for Customer’s business purposes, Customer acts as Controller of Customer Personal Data and Cube5 acts as Processor on Customer’s behalf.
2.2 Cube5 as Controller for its own purposes
This DPA does not apply to Personal Data processed by Cube5 as a Controller for its own purposes (for example, corporate administration, billing/finance, and marketing), which is described in the Privacy Policy.
2.3 Logs and telemetry (Processor vs. Controller)
- Customer-admin audit logs and workspace activity logs provided to Customer through the Service are processed by Cube5 as Processor to provide the Service.
- Security, abuse-prevention, and reliability logs (including logs necessary to secure and operate the Service) may be processed by Cube5 as Controller, as described in the Privacy Policy.
3) Processing details
The subject matter, nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1.
4) Processor obligations
Cube5 will:
- Process Customer Personal Data only on documented instructions from Customer (including as necessary to provide the Service under the Terms of Service, Orders, and Documentation), unless required by applicable law. If required by law, Cube5 will inform Customer of that requirement (unless prohibited).
- Ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2.
- Not disclose Customer Personal Data to a third party except as permitted under this DPA (including to Sub-processors) or as required by law.
- Upon Customer’s request, provide information reasonably necessary to demonstrate compliance with this DPA.
5) Customer obligations
Customer will:
- Ensure it has a valid legal basis to collect, use, and provide Customer Personal Data to Cube5 for Processing.
- Provide any required notices to, and obtain any required consents from, Data Subjects.
- Ensure its instructions comply with Data Protection Laws.
- Use the Service’s controls (e.g., RBAC and tenant configuration) to limit access to Customer Personal Data to Authorized Users.
6) Sub-processing
6.1 Authorization
Customer provides a general authorization for Cube5 to engage Sub-processors to process Customer Personal Data for the purpose of providing the Service.
6.2 Current Sub-processors
Cube5’s current Sub-processors for Cortex are listed in Annex 3.
6.3 Changes to Sub-processors; notice and objection
Cube5 will update the Sub-processor list when adding or replacing Sub-processors used to provide Cortex.
- Notice: where Cube5 adds or replaces a Sub-processor that will materially affect Processing of Customer Personal Data, Cube5 will provide at least thirty (30) days’ notice (for example, by updating the Sub-processor list and/or otherwise notifying Customer).
- Objection: Customer may object in writing within fourteen (14) days of notice on reasonable grounds related to data protection.
- Resolution: if Customer objects, the parties will work in good faith to address the objection, including (where commercially and technically reasonable) by providing the Service without the new Sub-processor.
- Termination right: if the objection cannot be resolved, Customer may terminate the affected Order (or the affected part of the Service) upon written notice, and Cube5 will refund any prepaid, unused fees for the terminated portion.
6.4 Sub-processor obligations
Cube5 will enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective than those in this DPA, including appropriate confidentiality and security commitments.
7) International transfers
Where Customer Personal Data is transferred outside the EEA/UK and such transfer is restricted by Data Protection Laws, Cube5 will ensure an appropriate transfer mechanism is in place.
7.1 SCCs
Where SCCs are required for a transfer, the parties agree that the SCCs are incorporated by reference as follows:
- Controller-to-Processor transfers: SCCs Module Two (Controller to Processor).
- The parties will complete/agree the SCC annexes consistent with Annex 1 (Processing details) and Annex 2 (TOMs).
8) Assistance with data subject rights
Taking into account the nature of Processing, Cube5 will provide reasonable assistance to Customer to enable Customer to respond to Data Subject requests under Data Protection Laws (e.g., access, rectification, erasure, restriction, objection, portability), to the extent Customer cannot do so independently through the Service.
Cube5 may charge for such assistance at its then-current professional services rates after providing notice, unless required by Data Protection Laws or unless otherwise included in an Order.
9) Assistance with DPIAs and prior consultation
To the extent required by Data Protection Laws and considering the information available to Cube5, Cube5 will provide reasonable assistance to Customer with:
- data protection impact assessments (DPIAs), and
- consultations with supervisory authorities.
Cube5 may charge for such assistance at its then-current professional services rates after providing notice, unless required by Data Protection Laws or unless otherwise included in an Order.
10) Security; Security Incidents
10.1 Security measures
Cube5 will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, as described in Annex 2.
10.2 Security Incident notification
Cube5 will notify Customer without undue delay after becoming aware of a Security Incident and, in any event, within seventy-two (72) hours after confirming that a Security Incident has occurred.
Cube5 will provide information reasonably necessary for Customer to comply with its notification obligations and will provide follow-up information as it becomes available.
10.3 No admission of fault
A Security Incident notification is not an acknowledgment by Cube5 of fault or liability.
11) Audit and compliance
11.1 Information
Upon reasonable written request, Cube5 will make available to Customer information necessary to demonstrate compliance with this DPA.
11.2 Audits (limited)
Where Customer reasonably determines that the information made available is insufficient, Customer may audit Cube5’s compliance with this DPA subject to the following:
- no more than once per year (unless required due to a Security Incident or binding regulator request),
- at least thirty (30) days’ prior written notice,
- during business hours,
- limited to systems and controls reasonably necessary to verify compliance with this DPA,
- subject to reasonable confidentiality, security, and access controls.
Audits may not include access to Cube5 source code or access to environments or data of other customers.
Customer will bear its own costs and reimburse Cube5 for reasonable time and expenses incurred responding to an audit, unless the audit reveals a material non-compliance by Cube5.
12) Return and deletion of Customer Personal Data
12.1 Deletion and return upon termination
Upon termination or expiration of the applicable Order, Cube5 will, at Customer’s choice and where technically feasible:
- return Customer Personal Data, and/or
- delete Customer Personal Data,
subject to the Service’s functionality, Customer’s configuration, and applicable law.
12.2 Deletion timelines
Unless otherwise specified in an Order and/or a data processing agreement:
- Cube5 will delete Customer Personal Data from active production systems within thirty (30) days following termination/expiration, subject to Customer’s configuration and the Service’s functionality.
- Customer Personal Data may remain in backups for up to ninety (90) days and will be deleted in accordance with Cube5’s backup rotation practices, unless a longer period is required by applicable law.
12.3 Baseline test retention
As a baseline for test access, Cube5 retains account and usage data only for the duration of the testing phase and deletes it within 90 days after the end of the access period, unless a longer period is required for security, support, or legal reasons.
13) Special categories of data
Customer determines whether special categories of personal data (GDPR Art. 9) are included in Customer Content.
Unless otherwise agreed in writing in an Order, Customer will not provide to the Service any special categories of data or other highly sensitive data where not necessary for Customer’s permitted use of the Service, and Customer is responsible for implementing appropriate safeguards and access restrictions for such data.
14) Confidentiality
Cube5 will treat Customer Personal Data as Customer’s Confidential Information and will apply confidentiality protections consistent with the Terms of Service.
15) Liability
Liability arising out of or related to this DPA (including claims under Data Protection Laws) will be subject to the limitations of liability in the Terms of Service and/or the applicable Order, unless prohibited by applicable law.
16) Order of precedence
In the event of a conflict between this DPA and the Terms of Service and/or an Order, the following order of precedence applies:
- the applicable Order,
- this DPA,
- the Terms of Service.
17) Governing law
This DPA is governed by the law specified in the Terms of Service and/or the applicable Order.
Annex 1. Details of Processing
A. Subject matter
Provision of the Cube5 Cortex platform to Customer, including authentication, access control, document ingestion, storage, search, AI processing, workflow execution, logging, and customer support.
B. Duration
For the duration of the subscription / Order term, plus any additional period required for return/deletion and as otherwise required by applicable law.
C. Nature and purpose of Processing
Processing activities may include: collection, recording, structuring, storage, retrieval, consultation, analysis, generation, transmission, and deletion of Customer Personal Data as necessary to:
- provide and operate the Service,
- secure and monitor the Service,
- provide support,
- troubleshoot and improve reliability/performance.
D. Categories of Data Subjects
May include (depending on Customer’s use):
- Customer’s employees, contractors, and other personnel,
- Customer’s end users,
- individuals referenced in documents uploaded by Customer (e.g., clients, prospects, students, applicants, suppliers, counterparties).
E. Types of Personal Data
May include (depending on Customer’s use):
- Account and identity data (e.g., email address, name if provided via identity provider, organization/tenant information),
- Technical and usage data (e.g., device/browser information, timestamps, feature usage, error logs, IP address in server logs),
- Content submitted to the Service (documents, files, prompts, and other inputs) and generated outputs (reports/pages) and metadata,
- Support communications (messages, screenshots, logs provided).
F. Special categories of data
Customer determines whether special categories of data (GDPR Art. 9) are included in Customer Content.
G. Processing instructions
Customer’s documented instructions include: (i) these Terms and any Orders, (ii) Customer’s configuration and use of the Service, and (iii) written instructions agreed between the parties.
Annex 2. Technical and organizational measures (TOMs)
Cube5 maintains security measures designed to protect Customer Personal Data, including (as applicable to the deployment):
A. Access control and authentication
- Authentication via Firebase / Google Identity Platform.
- Role-based access control (RBAC) and tenant isolation.
B. Storage and transmission security
- Secure storage and access controls for uploaded files (e.g., signed URLs).
- Use of industry-standard encryption in transit; encryption at rest as provided by cloud infrastructure.
C. Logging and monitoring
- Security and usage logging to detect abuse, incidents, and reliability issues.
- Monitoring and alerting through cloud and observability tooling.
D. Secure development and operations
- Controlled CI/CD processes and secret management (e.g., Google Cloud Build / Artifact Registry / Secret Manager).
E. Incident response
- Processes to detect, respond to, and remediate Security Incidents, including customer notification.