Data Processing Agreement

Controller/processor obligations for GDPR-compliant Cube5 Cortex deployments.

This Data Processing Agreement (“DPA”) forms part of the agreement between Cube5 SAS (France) (“Cube5” or “Processor”) and the customer identified in the applicable order form / SOW / subscription agreement (“Customer” or “Controller”) for access to Cube5 Cortex (the “Service”). This DPA applies where Cube5 processes Personal Data on behalf of Customer in the course of providing the Service.

1) Definitions

  • “Data Protection Laws” means applicable data protection laws, including the EU GDPR (Regulation (EU) 2016/679) and, where applicable, the UK GDPR.
  • “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor” have the meanings given in the GDPR.
  • “Customer Personal Data” means Personal Data contained in Customer Content or otherwise processed by Cube5 on behalf of Customer under this DPA.
  • “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
  • “Terms of Service” means the Cube5 Cortex Terms of Service.
  • “SCCs” means the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).

2) Roles and scope

2.1 Customer as Controller; Cube5 as Processor

Where Customer provides the Service to its personnel, end users, or other individuals and uploads Customer Content for Customer's business purposes, Customer acts as Controller and Cube5 acts as Processor on Customer's behalf.

2.2 Cube5 as Controller for its own purposes

This DPA does not apply to Personal Data processed by Cube5 as a Controller for its own purposes (corporate administration, billing, and marketing), which is described in the Privacy Policy.

3) Processing details

The subject matter, nature, purpose, and duration of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 below.

4) Processor obligations

Cube5 will:

  1. Process Customer Personal Data only on documented instructions from Customer (including as necessary to provide the Service under the Terms of Service), unless required by applicable law.
  2. Ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
  3. Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2.
  4. Not disclose Customer Personal Data to a third party except as permitted under this DPA or as required by law.
  5. Upon Customer's request, provide information reasonably necessary to demonstrate compliance with this DPA.

5) Customer obligations

Customer will:

  1. Ensure it has a valid legal basis to collect, use, and provide Customer Personal Data to Cube5 for Processing.
  2. Provide any required notices to, and obtain any required consents from, Data Subjects.
  3. Ensure its instructions comply with Data Protection Laws.
  4. Use the Service's controls (e.g., RBAC and tenant configuration) to limit access to Customer Personal Data to Authorized Users.

6) Sub-processing

6.1 Authorization

Customer provides a general authorization for Cube5 to engage Sub-processors to process Customer Personal Data for the purpose of providing the Service.

6.2 Current Sub-processors

Cube5's current Sub-processors for Cortex are listed at Sub-processors.

6.3 Changes to Sub-processors; notice and objection

Cube5 will update the Sub-processor list when adding or replacing Sub-processors. Cube5 will provide at least thirty (30) days' notice for material changes. Customer may object in writing within fourteen (14) days on reasonable grounds related to data protection. If the objection cannot be resolved, Customer may terminate the affected Order and Cube5 will refund prepaid, unused fees.

6.4 Sub-processor obligations

Cube5 will enter into a written agreement with each Sub-processor imposing data protection obligations that are no less protective than those in this DPA.

7) International transfers

Where Customer Personal Data is transferred outside the EEA/UK, Cube5 will ensure an appropriate transfer mechanism is in place. Where SCCs are required, the parties agree that Module Two (Controller to Processor) SCCs are incorporated by reference.

8) Assistance with data subject rights

Taking into account the nature of Processing, Cube5 will provide reasonable assistance to Customer to enable Customer to respond to Data Subject requests under Data Protection Laws (e.g., access, rectification, erasure, restriction, objection, portability), to the extent Customer cannot do so independently through the Service.

10) Security; Security Incidents

10.1 Security measures

Cube5 will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data, as described in Annex 2.

10.2 Security Incident notification

Cube5 will notify Customer without undue delay after becoming aware of a Security Incident and, in any event, within seventy-two (72) hours after confirming that a Security Incident has occurred.

12) Return and deletion of Customer Personal Data

Upon termination or expiration, Cube5 will delete Customer Personal Data from active production systems within thirty (30) days. Customer Personal Data may remain in backups for up to ninety (90) days and will be deleted in accordance with Cube5's backup rotation practices.

15–17. Liability, order of precedence, governing law

Liability arising out of this DPA is subject to the limitations of liability in the Terms of Service. In the event of a conflict, the following order of precedence applies: (1) the applicable Order, (2) this DPA, (3) the Terms of Service. This DPA is governed by the law specified in the Terms of Service (France).


Annex 1. Details of Processing

A. Subject matter

Provision of the Cube5 Cortex platform including authentication, access control, document ingestion, storage, search, AI processing, workflow execution, logging, and customer support.

B. Duration

For the duration of the subscription / Order term, plus any additional period required for return/deletion and as otherwise required by applicable law.

C. Categories of Data Subjects

  • Customer's employees, contractors, and other personnel
  • Customer's end users
  • Individuals referenced in documents uploaded by Customer

D. Types of Personal Data

  • Account and identity data (email address, name)
  • Technical and usage data (device/browser info, timestamps, feature usage, error logs, IP address)
  • Content submitted to the Service and generated outputs
  • Support communications

Annex 2. Technical and Organizational Measures (TOMs)

A. Access control and authentication

  • Authentication via Firebase / Google Identity Platform.
  • Role-based access control (RBAC) and tenant isolation.

B. Storage and transmission security

  • Secure storage and access controls for uploaded files (e.g., signed URLs).
  • Industry-standard encryption in transit; encryption at rest via cloud infrastructure.

C. Logging and monitoring

  • Security and usage logging to detect abuse, incidents, and reliability issues.
  • Monitoring and alerting through cloud and observability tooling.

D. Secure development and operations

  • Controlled CI/CD processes and secret management (Google Cloud Build / Artifact Registry / Secret Manager).

E. Incident response

  • Processes to detect, respond to, and remediate Security Incidents, including customer notification.

Annex 3. Sub-processors

The list of Sub-processors applicable to Cube5 Cortex is maintained at Sub-processors.