Data Processing Agreement

Effective: April 12, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and Hubity ("Processor") for the use of the Hubity platform.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that Customer submits to the Hubity platform.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.

"Sub-processor" means any third party engaged by Hubity to process Personal Data on behalf of the Customer.

"Data Protection Laws" means applicable data protection legislation including the GDPR (EU 2016/679), UK GDPR, CCPA, and any other applicable privacy regulation.

2. Scope and Purpose

Hubity processes Personal Data solely to provide the services described in the Terms of Service. This includes storing company knowledge, generating briefings, managing tasks, and facilitating team communication within the Customer's organization.

The categories of Personal Data processed may include: names, email addresses, job titles, company affiliation, uploaded documents, conversation content, and calendar data.

3. Obligations of the Processor

Hubity shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including enterprise-grade encryption at rest and in transit.
  • Not engage another processor without prior written authorization from the Customer. A list of current sub-processors is provided in Section 7.
  • Assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
  • Assist the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
  • At the Customer's choice, delete or return all Personal Data after the end of service provision, and delete existing copies unless storage is required by law.
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA.
  • Allow the Customer, or a qualified third-party auditor appointed by the Customer, to conduct audits of Hubity's compliance with this DPA, subject to reasonable advance notice (at least 30 days), confidentiality obligations, and a limit of one audit per year unless required by a supervisory authority.

4. Security Measures

Hubity maintains the following technical and organizational security measures:

  • Encryption at rest: Enterprise-grade encryption with unique keys per record. Sensitive fields use separate encryption keys.
  • Encryption in transit: Latest transport encryption standards on all connections.
  • Access control: Role-based access with six-tier hierarchy. API endpoints enforce minimum role requirements.
  • Authentication: Passwordless login, passkeys, two-factor authentication, and single sign-on.
  • Audit logging: All significant actions are logged with encrypted details, retained for 6 years.
  • Data isolation: Logical tenant isolation with row-level access controls.
  • Infrastructure: Enterprise-certified hosting with automated backups and point-in-time recovery.

For full details, see our Security page.

5. Data Breach Notification

In the event of a Personal Data breach, Hubity shall notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach and mitigate its effects.

6. Data Subject Rights

Hubity shall assist the Customer in fulfilling its obligations to respond to data subject requests under applicable Data Protection Laws. This includes requests for access, rectification, erasure, data portability, restriction of processing, and objection to processing.

Hubity provides self-service tools for data export and account deletion. For requests that cannot be fulfilled through self-service, Customer may contact [email protected].

7. Sub-processors

Customer authorizes the use of the following sub-processors:

Sub-processor   Purpose                                  Location
Vercel          Application hosting and delivery         United States
Neon            Database hosting                         United States
Anthropic       AI language model processing (Claude)    United States
OpenAI          AI language model processing (GPT)       United States
Google          AI language model processing (Gemini)    United States
Stripe          Payment processing                       United States
Resend          Transactional email delivery             United States
Cloudflare      Network protection and delivery          United States
Sentry          Error monitoring                         United States

Hubity shall notify the Customer of any intended changes to sub-processors at least 30 days in advance, giving the Customer the opportunity to object on reasonable grounds. If the Customer objects and the parties cannot resolve the objection within 30 days, the Customer may terminate the affected services by providing written notice. All AI providers (Anthropic, OpenAI, and Google) operate under contractual obligations that prohibit them from retaining Customer data beyond the request lifecycle and from using it for model training.

8. International Data Transfers

All Customer data is processed and stored in the United States. Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, Hubity relies on the EU-U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) as adopted by the European Commission.

9. Data Retention and Deletion

Hubity retains Customer data for the duration of the service agreement. Upon termination or at Customer's request:

  • Customer data is fully deleted within 30 days of account cancellation.
  • Backups containing Customer data are purged within 90 days.
  • Audit logs may be retained for up to 6 years as required for compliance purposes, after which they are securely deleted.

10. Governing Law

This DPA is governed by the laws of the Commonwealth of Virginia, United States, except where Data Protection Laws require otherwise.

11. Contact

For questions about this DPA or to exercise data protection rights:

Email: [email protected]

Legal: [email protected]

© 2026 Hubity