Data Processing Agreement
Effective 2026-04-01. Plain-language summary below; the full policy follows.
Plain-language summary. This DPA forms part of the contract between you (the controller) and CubitRace (the processor) where CubitRace processes personal data on your behalf. We commit to GDPR-grade security measures, our sub-processor list is public, and we will notify you of any breach within 24 hours.
1. Definitions
"Personal Data", "Processing", "Controller", and "Processor" have the meanings given in the GDPR.
2. Scope of processing
CubitRace processes Personal Data solely to deliver the contracted services: hosting your sites, supporting your team, and billing. We do not process Personal Data for our own purposes or for third-party advertising.
3. Sub-processors
The current list of sub-processors is at /trust. We will notify you 30 days in advance of any addition; you may object.
4. Security measures
Annex II to this DPA describes our technical and organizational measures, including encryption at rest and in transit, access control, audit logging, and incident response.
5. Sub-processor breach notification
CubitRace will notify you within 24 hours of becoming aware of any Personal Data breach affecting your Personal Data, with all material information then known.
6. International transfers
Where data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses. The data flow map is available on request.
7. Audit rights
You may audit CubitRace's compliance with this DPA once per calendar year, subject to a confidentiality agreement, with 30 days' notice. Our SOC 2 / ISO 27001 reports (when available) will satisfy this clause.
Sign and counter-sign
To execute the DPA, email [email protected]. We will send a DocuSign envelope within one business day.