Data Processing Addendum

Effective 2026-04-28 · Last updated 2026-04-28 · CUI Labs (Pte.) Ltd.

This Data Processing Addendum ("DPA") forms part of the agreement between CUI Labs (Pte.) Ltd. ("Processor") and the Customer ("Controller"). It governs the processing of Personal Data (as defined under the GDPR, UK GDPR, and Singapore PDPA) submitted to Bee by the Controller. This DPA auto-incorporates into all paid Bee contracts; an executed counter-signed copy is available on request.

1. Roles and definitions

Where Customer Data contains Personal Data, the Customer is the Controller and CUI Labs is the Processor. CUI Labs may engage Sub-processors as listed in Schedule A. 'Personal Data', 'Processing', 'Data Subject', and 'Controller' have the meanings given in the GDPR.

2. Subject matter, duration, nature and purpose

  • Subject matter: provision of the Bee service per the Terms.
  • Duration: for the life of the subscription, plus a 30-day post-termination period for return / deletion.
  • Nature and purpose: hosting, transmitting, storing, retrieving, executing inference on, and securing inputs and outputs.
  • Categories of data subjects: end users authorised by the Controller (employees, contractors, customers).
  • Categories of personal data: contact information, account credentials, content of prompts and outputs, document uploads, telemetry tied to user identifiers.

3. Customer instructions

We process Personal Data only on documented instructions from the Controller (these Terms, the Workspace, written instructions). If we cannot follow an instruction (e.g. it would breach law), we will inform the Controller without undue delay.

4. Sub-processors (Schedule A)

We use the following Sub-processors. Material changes are announced via the changelog and email to the account owner at least 14 days before taking effect, during which time Controllers may object on reasonable grounds.

  • HuggingFace — Model card hosting + adapter Hub sync (EU / US)
  • Amazon Web Services (AWS) — Compute, storage, networking (Singapore (primary))
  • Vercel — Marketing site + workspace web hosting + edge (Global edge)
  • Supabase — Authentication, database (Postgres) (EU / US)
  • Stripe — Billing, payment processing, invoices (Global)
  • Sentry — Error monitoring (anonymised) (EU / US)
  • Namecheap Private Email — Transactional email (SMTP) (US)
  • IBM Quantum — Optional quantum reasoning backend (only when invoked) (US)

5. International transfers

  • Where transfers of Personal Data leave the EEA, the UK, or another adequacy region, the EU Standard Contractual Clauses (Decision 2021/914) apply, supplemented by the UK Addendum where the data subject is in the UK.
  • For transfers governed by the Singapore PDPA, we ensure a comparable standard of protection per the PDPC's transfer requirements.
  • Hive-plan and above support a region-pinning option (EU only, US only, or Singapore only).

6. Confidentiality and personnel

Personnel authorised to process Personal Data are bound by written confidentiality. Access is just-in-time, audited, requires a signed reason, and is gated behind hardware-backed FIDO2.

7. Security measures (Annex II)

  • Encryption in transit: TLS 1.3 minimum on the Bee API path by default.
  • Encryption at rest: AES-256-GCM under per-tenant keys; customer-managed keys available on Hive+.
  • Network: VPC isolation, private subnets, default-deny egress.
  • Access: SSO via Supabase, MFA required, scoped to tenant.
  • Logging: tamper-evident audit logs (Hive+).
  • Secure SDLC: code review on every change, dependency scanning, SAST, secret-scanning in CI.

8. Data subject rights and assistance

We assist the Controller — taking into account the nature of processing — in fulfilling its obligation to respond to data-subject requests. Workspace admin tooling allows the Controller to export, delete, and rectify Personal Data for its tenant.

9. Personal data breaches

We notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach affecting Customer Data, with the information reasonably available at that time. We will provide reasonable cooperation with the Controller's notification obligations to supervisory authorities and data subjects.

10. Audits

We make available all information necessary to demonstrate compliance with this DPA and allow the Controller (or an appointed third-party auditor) to conduct audits no more than once per year, on at least 30 days' notice, during business hours, subject to reasonable confidentiality. Where we hold a current independent audit report (e.g. CSA STAR, ISO 27001 once attained) we will provide it in lieu, where the Controller agrees the report covers the request.

11. Return and deletion

Within 30 days of contract termination we will, at Controller's choice, return Personal Data and delete remaining copies, unless retention is required by law. Backups containing Personal Data expire on the standard 35-day rolling window.

12. Liability

Liability under this DPA is governed by, and is subject to, the limitations and exclusions in the Terms.

Questions about this document? Contact bee-privacy@cuilabs.io. Service of process: bee-legal@cuilabs.io (CUI Labs (Pte.) Ltd., Singapore).

Counter-signed copies on request. The text on this page is the canonical published version. For procurement teams that need a counter-signed copy of the Terms, DPA, or Order Form, email bee-legal@cuilabs.io. Where there is conflict between this page and an executed counter-signed agreement, the counter-signed agreement controls.

CUI Labs (Pte.) Ltd. · Singapore · cuilabs.io