Data Processing Agreement

Last updated: April 11, 2026 · v1 · Operated by Vector Apps Inc.

This page describes the terms under which Vector Apps Inc. (“Processor”) processes personal data on behalf of customers (“Controller”) who use CueAPI. It supplements our Terms of Service and Privacy Policy.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
  • “Controller” means the customer who determines the purposes and means of processing Personal Data via CueAPI.
  • “Processor” means Vector Apps Inc., which processes Personal Data on behalf of the Controller.
  • “Sub-Processor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Supervisory Authority” means an independent public authority established by an EU/EEA member state pursuant to GDPR Article 51.

2. Subject Matter and Duration

The Processor processes Personal Data for the purpose of providing the CueAPI scheduling service to the Controller. Processing begins when the Controller creates an account and continues until account deletion is complete. Account deletion starts a 24-hour grace period (see Section 14); after that period, all Personal Data is permanently removed within 30 days, except for one-way SHA-256 audit hashes retained for legal compliance.

3. Nature and Purpose of Processing

CueAPI processes Personal Data to:

  • Authenticate API requests and manage account access
  • Schedule, execute, and deliver webhook callbacks (cues)
  • Deliver transactional emails (account verification, alerts, billing receipts)
  • Process payments and manage billing
  • Provide customer support
  • Monitor service health and prevent abuse

The Processor does not process Personal Data for any purpose other than providing the service as instructed by the Controller.

4. Categories of Data Subjects

Data subjects include the Controller's authorized users who interact with CueAPI — specifically, individuals who register accounts, manage cues, or receive webhook deliveries.

5. Types of Personal Data

  • Account data: email address, hashed API keys, webhook secrets
  • Billing data: Stripe customer ID, plan type, payment events (card details are handled exclusively by Stripe and never touch CueAPI servers)
  • Usage data: cue configurations, execution logs, webhook delivery metadata, IP addresses
  • Support data: support ticket content, email correspondence
  • Webhook payloads: any data the Controller includes in cue payloads — the Controller is responsible for the content of payloads

6. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures (see Section 10)
  • Not engage another processor without the Controller's prior specific or general written authorization (see Section 7)
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36
  • Delete or return all Personal Data after the end of the provision of services (see Section 14)
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 12)

7. Sub-Processors

The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is published at cueapi.ai/sub-processors.

7.1 Notification of Changes

The Processor will notify the Controller via email at least 30 days before adding any new sub-processor. The notification will include the sub-processor's name, purpose, and the categories of data to be processed.

7.2 Right to Object

If the Controller objects to a new sub-processor, the Controller may notify the Processor within 14 days of receiving the notification. The parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the service by providing written notice.

7.3 Sub-Processor Agreements

The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this agreement.

8. Data Subject Rights

The Processor provides API endpoints for the Controller to fulfill Data Subject requests:

  • Access: GET /v1/auth/me/processing
  • Portability: GET /v1/auth/me/export (JSON format)
  • Rectification: PATCH /v1/auth/me
  • Erasure: DELETE /v1/auth/me (24-hour grace period, then permanent deletion within 30 days; see Section 14)

The Processor will assist the Controller in responding to any Data Subject request that the Controller cannot fulfill through these self-service endpoints. Contact [email protected] for assistance.

9. Controller Obligations

The Controller shall:

  • Ensure it has a lawful basis for processing Personal Data through CueAPI
  • Provide all necessary notices and obtain all necessary consents from Data Subjects
  • Not include special categories of data (GDPR Article 9) in webhook payloads unless it has obtained explicit consent and notified the Processor in advance
  • Comply with applicable data protection laws in its use of the service

10. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: all API traffic requires HTTPS (TLS 1.2+)
  • API key security: keys are stored only as SHA-256 hashes; the plaintext key is shown once, at creation, and cannot be recovered afterwards
  • Webhook signing: HMAC-SHA256 per-account signatures with replay protection
  • SSRF protection: callback URLs validated against 11 blocked IP ranges at delivery time
  • Access control: all resources scoped by authenticated user; no cross-tenant data access
  • Rate limiting: sliding window per API key to prevent abuse
  • Infrastructure isolation: separate staging and production environments; private networking between services
  • Dependency security: pinned versions; GitHub Actions pinned to commit SHAs
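The HMAC-SHA256 webhook signing and replay protection listed above are the measures a Controller's receiving endpoint has to check on its own side. The following Python is an added example, not CueAPI's code and not its documented wire format: the header names, the canonical string (timestamp, delivery id, then the raw body), the delivery-id field and the 300-second acceptance window are assumptions made for illustration. It shows both the signing side and a receiver that rejects tampered, stale and replayed deliveries on constructed sample traffic.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Assumptions for this example (not CueAPI's documented scheme): the sender signs
# "<unix_timestamp>.<delivery_id>." followed by the raw request body with the
# per-account webhook secret, and carries the three values in these headers.
HDR_TIMESTAMP = "X-Cue-Timestamp"
HDR_DELIVERY_ID = "X-Cue-Delivery-Id"
HDR_SIGNATURE = "X-Cue-Signature"
TOLERANCE_SECONDS = 300  # assumed acceptance window for the timestamp


def compute_signature(secret: bytes, timestamp: int, delivery_id: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over the canonical string; binds timestamp and id to the body."""
    msg = f"{timestamp}.{delivery_id}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_headers(secret: bytes, timestamp: int, delivery_id: str, body: bytes) -> dict:
    """Sender side: headers a signing service would attach to one delivery attempt."""
    return {
        HDR_TIMESTAMP: str(timestamp),
        HDR_DELIVERY_ID: delivery_id,
        HDR_SIGNATURE: compute_signature(secret, timestamp, delivery_id, body),
    }


class WebhookVerifier:
    """Receiver side: authenticates a delivery and rejects replays within the window."""

    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self._seen: dict[str, int] = {}  # delivery_id -> timestamp of the accepted delivery

    def _evict(self, now: float) -> None:
        # Anything older than the window is already rejected by the timestamp check,
        # so the dedupe cache only has to remember ids that fall inside the window.
        cutoff = now - self.tolerance
        for did in [d for d, ts in self._seen.items() if ts < cutoff]:
            del self._seen[did]

    def verify(self, headers: dict, body: bytes, now: float | None = None) -> tuple[bool, str]:
        now = time.time() if now is None else now
        delivery_id = headers.get(HDR_DELIVERY_ID)
        signature = headers.get(HDR_SIGNATURE)
        try:
            timestamp = int(headers[HDR_TIMESTAMP])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if not delivery_id or not signature:
            return False, "missing delivery id or signature"
        # Cheap freshness check first: a stale or future-dated timestamp fails regardless of signature.
        if abs(now - timestamp) > self.tolerance:
            return False, "timestamp outside tolerance"
        expected = compute_signature(self.secret, timestamp, delivery_id, body)
        # Constant-time comparison; never compare MACs with ==.
        try:
            if not hmac.compare_digest(expected, signature):
                return False, "invalid signature"
        except TypeError:  # non-ASCII garbage in the header
            return False, "invalid signature"
        # Only authenticated deliveries touch the dedupe cache, so a sender without
        # the secret cannot poison it to block legitimate delivery ids.
        self._evict(now)
        if delivery_id in self._seen:
            return False, "replayed delivery"
        self._seen[delivery_id] = timestamp
        return True, "ok"


# Constructed sample traffic; the values below are illustrative, not real CueAPI data.
SECRET = b"whsec_example_secret_do_not_reuse"
BODY = b'{"cue_id":"cue_123","status":"fired"}'
SENT_AT = 1_700_000_000


def demo() -> list[tuple[bool, str]]:
    v = WebhookVerifier(SECRET)
    good = make_headers(SECRET, SENT_AT, "dlv_1", BODY)
    return [
        v.verify(good, BODY, now=SENT_AT + 10),                                  # fresh, valid
        v.verify(good, BODY, now=SENT_AT + 20),                                  # same delivery again: replay
        v.verify(good, BODY.replace(b"fired", b"failed"), now=SENT_AT + 20),     # body altered in transit
        v.verify(make_headers(SECRET, SENT_AT, "dlv_2", BODY), BODY,
                 now=SENT_AT + 1000),                                            # valid signature but stale
        v.verify(make_headers(b"wrong-secret", SENT_AT, "dlv_3", BODY), BODY,
                 now=SENT_AT + 5),                                               # signed with the wrong secret
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The order of checks matters: the timestamp window is evaluated before the HMAC so that stale requests are cheap to drop, and the delivery id is only recorded after the signature verifies, so an unauthenticated sender cannot fill the dedupe cache with ids that a later legitimate delivery would then collide with. Whatever the real wire format is, the receiver should sign over the exact bytes received, not a re-serialized JSON object.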

Full security details are available at cueapi.ai/security. All security code is open source and auditable.

11. Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
  • Document all breaches, including facts, effects, and remedial actions taken

12. Audit Rights

The Controller may audit the Processor's compliance with this agreement by:

  • Reviewing the open source codebase at github.com/cueapi/cueapi-core
  • Requesting documentation of security measures and processing activities
  • Conducting or commissioning a third-party audit with reasonable notice (at least 30 days) and during normal business hours

The Processor will cooperate with reasonable audit requests. Audits shall not unreasonably disrupt the Processor's operations. The Controller bears the cost of any third-party audit. Audit scope is limited to processing activities relevant to the Controller's data.

13. International Transfers

CueAPI infrastructure is hosted in the United States via Railway. For transfers of Personal Data from the EEA, UK, or Switzerland to the US, the following safeguards apply:

  • Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914, incorporated by reference
  • UK International Data Transfer Addendum
  • Swiss Federal Act on Data Protection (FADP) addendum

Sub-processor transfer mechanisms are documented on the sub-processor page at cueapi.ai/sub-processors. Each sub-processor maintains its own SCCs or Data Privacy Framework certification, as applicable.

14. Return and Deletion of Data

Upon termination of the service or at the Controller's request:

  • Data export: the Controller may export all data via GET /v1/auth/me/export at any time
  • Deletion: account deletion initiates a 24-hour grace period; after the grace period, all Personal Data is permanently deleted within 30 days
  • Audit records: one-way SHA-256 hashes are retained for legal compliance; no reversible Personal Data is retained

The Processor will confirm deletion in writing upon request.

15. Liability

Each party's liability under this agreement is subject to the limitations set out in the Terms of Service. The Processor is liable for damage caused by processing that violates GDPR obligations specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.

16. Governing Law

This agreement is governed by the laws of the State of California, USA. Disputes shall be resolved in the courts of Santa Clara County, California. For Data Subjects in the EEA, this does not affect any mandatory rights under GDPR or the laws of the Data Subject's country of residence.

Request a Signed DPA

If you need a countersigned copy of this Data Processing Agreement for your compliance records, email [email protected] with your company name and CueAPI account email. We will return a signed copy within 10 business days.

For enterprise customers requiring custom data processing terms, contact [email protected].

Changelog

v1 · Apr 11, 2026

Initial Data Processing Agreement.

Vector Apps Inc. · Delaware, USA · Effective April 11, 2026
