Data Processing Agreement

1. Parties and Definitions

"Processor" means HubSecure Holding LLC, a Wyoming limited liability company (Entity Filing ID: 2024-001468048), whose registered address is 30 N Gould St Ste 5991, Sheridan, WY 82801, USA.

"Controller" means the customer entity or individual who subscribes to HubSecure's Services under the Terms of Service and who determines the purposes and means of processing Personal Data through the platform.

"Personal Data", "Data Subject", "Processing", "Supervisory Authority" have the meanings given in GDPR Article 4.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

"SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to European Commission Implementing Decision 2021/914 of 4 June 2021.

This DPA forms part of the subscription agreement between the parties and governs all processing of Personal Data by the Processor on behalf of the Controller. In the event of conflict, this DPA takes precedence over the Terms of Service with respect to data protection matters.

2. Subject Matter and Nature of Processing

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the HubSecure platform services as described in the Controller's active subscription, including: hosting and storing data entered by the Controller; providing CRM, document management, AML/KYC, communication, and AI automation features; and providing customer support related to those features.

The Processor shall not process Personal Data for any purpose other than as instructed by the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller before such processing, unless legally prohibited from doing so.

Full processing details are set out in Annex I.

3. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service;
• Ensure that persons authorised to process Personal Data have committed to confidentiality;
• Implement appropriate technical and organisational security measures as described in Annex II;
• Respect the conditions for engaging sub-processors set out in Section 5;
• Assist the Controller to ensure compliance with its obligations regarding data subject rights under Articles 12–22 GDPR;
• Assist the Controller with obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
• Delete or return all Personal Data on termination as set out in Section 11;
• Provide all information necessary to demonstrate compliance with this DPA and contribute to audits under Section 10;
• Notify the Controller promptly if, in the Processor's opinion, any instruction from the Controller infringes GDPR or applicable data protection law.

4. Controller Obligations

The Controller warrants that:

• It has a lawful basis for all Personal Data provided to the Processor for processing;
• Its privacy notices accurately describe the processing activities performed through the HubSecure platform;
• It will not instruct the Processor to process Personal Data in a manner that would violate applicable law;
• It will promptly notify the Processor of any changes to its processing purposes that would affect the Processor's obligations under this DPA.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall:

• Maintain a current list of sub-processors at hubsecure.ai/security;
• Provide at least 30 days' written notice before adding or replacing a sub-processor;
• Impose data protection obligations on each sub-processor equivalent to those in this DPA;
• Remain fully liable for the acts and omissions of its sub-processors.

The Controller may object to a new sub-processor within 14 days of notice. If the objection cannot be resolved, the Controller may terminate the subscription without penalty on 30 days' notice.

6. International Transfers and Standard Contractual Clauses

The Processor is incorporated in the United States and currently operates infrastructure in Singapore. Processing of Personal Data from EU/EEA data subjects therefore constitutes an international transfer to a third country without an EU adequacy decision.

Transfer mechanism: This DPA incorporates the Standard Contractual Clauses — Module 2 (Controller to Processor) — as adopted by European Commission Implementing Decision 2021/914. The SCCs apply to all transfers of EU/EEA Personal Data to the Processor. Where required, the Controller is the data exporter and the Processor is the data importer.

Supplementary measures: In addition to the SCCs, the Processor implements the following supplementary measures:

• AES-256-GCM encryption at rest, ensuring data is not intelligible to infrastructure providers or government agencies with physical access to storage;
• End-to-end encryption for communications data (ML-KEM-768 post-quantum encryption for relevant modules);
• Contractual obligations on sub-processors to notify the Processor of government access requests and to challenge requests that are not lawfully made;
• Data minimisation: only the minimum Personal Data required for the requested service is processed.

Transfer Impact Assessment: The Processor has conducted a Transfer Impact Assessment (TIA) assessing the legal framework in Singapore relevant to government access to personal data. A summary of this TIA is available to Controllers on request at [email protected].

EU infrastructure: The Processor plans to provision EU infrastructure (Frankfurt, Germany) by Q3 2026. Upon completion, EU/EEA tenant data will be migrated to EU infrastructure and the SCCs will continue to apply to any residual US-company processing. Controllers will be notified in advance of any migration affecting their data location.

7. Security Measures

The Processor shall implement and maintain the technical and organisational measures described in Annex II. The Processor may update security measures over time, provided that updates do not materially reduce the overall level of protection.

Full security documentation is available at hubsecure.ai/security.

8. Data Subject Rights Assistance

The Processor shall provide the following technical capabilities to assist the Controller in responding to data subject requests:

• Access: Bulk export of all data associated with a data subject in standard formats (JSON, CSV)
• Erasure: Bulk deletion of all data associated with a data subject, including audit trail entries where legally permitted
• Portability: Data export in machine-readable formats
• Rectification: Data editing tools within the platform

Where the Processor receives a direct data subject request relating to Controller data, it shall promptly forward it to the Controller. The Processor shall not respond to data subject requests concerning Controller data without the Controller's authorisation, except as required by law.

9. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any case within 24 hours of becoming aware of a Personal Data Breach affecting Controller data.

Notification shall include, to the extent available: the nature of the breach; the categories and approximate number of data subjects and records affected; likely consequences; and measures taken or proposed to address the breach.

Security incidents should be reported to [email protected].

The Controller is responsible for notifying its relevant Supervisory Authority within the 72-hour GDPR deadline after receiving notification from the Processor.

10. Records and Audits

The Processor shall maintain records of processing activities carried out on behalf of the Controller, as required by GDPR Article 30(2).

The Processor shall provide all information reasonably necessary to demonstrate compliance with this DPA. Upon 30 days' written notice, the Processor shall permit an audit by the Controller or an auditor appointed by the Controller, subject to: execution of a confidentiality agreement; the audit being conducted during business hours; and reasonable limitation on audit scope to avoid disruption. The Controller bears audit costs unless the audit reveals a material breach of this DPA.

As an alternative to on-site audit, the Processor may satisfy audit requests by providing available security evidence, ISO 27001-ready control mapping, and SOC 2-ready documentation.

11. Return and Deletion of Data

Upon expiry or termination of the subscription, the Processor shall:

• Make available data export functionality for 30 days post-termination;
• Securely delete all Controller Personal Data within 60 days of termination (or of the export period ending, whichever is later);
• Provide written confirmation of deletion on request.

The Processor may retain Personal Data for longer if required by applicable law, in which case it shall notify the Controller of the retention obligation and its duration.

12. Term and Termination

This DPA takes effect on the date the Controller creates a HubSecure account or executes an order form and remains in force for as long as the Processor processes Personal Data on behalf of the Controller. The DPA terminates automatically upon final deletion of all Controller Personal Data per Section 11.

Annex I — Processing Details

Element	Details
Categories of data subjects	The Controller's clients, employees, prospects, and professional contacts whose data is entered into or generated through the platform
Categories of personal data	Names, contact details (email, phone, address), identification documents (passport, ID), financial information, corporate information, matter details, communication records, and any other personal data the Controller inputs into the platform
Special categories	Not processed by default. If the Controller inputs special category data (e.g. health data, criminal records for AML purposes), the Controller is responsible for establishing a legal basis under GDPR Article 9
Processing operations	Storage, retrieval, display, transmission, modification, deletion, AI-assisted processing (analysis, drafting, classification), and audit logging, as required to provide the platform Services
Processing frequency	Continuous, as triggered by Controller and authorised users
Duration	Duration of subscription plus 60 days post-termination
Infrastructure location	Singapore (Equinix SG3). EU (Frankfurt) from Q3 2026

Annex II — Technical and Organisational Security Measures

• Encryption at rest: AES-256-GCM for all stored data
• Encryption in transit: TLS 1.3 for all data in transit; ML-KEM-768 post-quantum encryption for ShieldChat and Secure Mail modules
• Access control: Role-based access control; principle of least privilege; MFA required for administrative access
• Audit logging: All data access, modifications, and AI-generated actions are logged with timestamp, user identity, and action detail. Logs are tamper-evident and retained for 12 months minimum
• Vulnerability management: Regular penetration testing; automated dependency scanning; responsible disclosure programme
• Backup and recovery: Encrypted daily backups; tested recovery procedures; target RTO 4 hours, RPO 24 hours
• Incident response: Documented incident response plan; 24-hour breach notification commitment to Controllers
• Staff training: Annual data protection and security training for all staff with access to production systems
• Physical security: Data centre physical security provided by Equinix (ISO 27001-ready controls facilities)
• Sub-processor due diligence: Security assessment of sub-processors prior to engagement; contractual security requirements imposed