cuehq:

data processing addendum.

last updated: 2026-05-31.

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Nxera Digital LLC d/b/a CueHQ (“CueHQ,” “Processor”) and the Customer (“Controller”) and applies where CueHQ processes personal data on the Customer’s behalf. On data-protection matters, this DPA controls over a conflict in the Terms.

1. Definitions. “Applicable Data Protection Law” means data-protection laws applicable to the processing, including the GDPR, UK GDPR, and U.S. state privacy laws such as the CCPA/CPRA. “Personal Data,” “Processing,” “Controller,” “Processor,” “Subprocessor,” and “Data Subject” have the meanings in Applicable Data Protection Law. “Customer Personal Data” means personal data within Customer Content processed by CueHQ on the Customer’s behalf. “SCCs” means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

2. Roles and instructions. The Customer is the Controller (or a processor acting for another controller) and CueHQ is the Processor. CueHQ will process Customer Personal Data only to provide and support the Service, as documented in the Terms and this DPA and on the Customer’s documented instructions, unless required by law (in which case CueHQ will inform the Customer unless legally prohibited). Each party will comply with its obligations under Applicable Data Protection Law.

3. Details of processing. Subject matter: provision of the Service. Duration: the term plus applicable retention. Nature and purpose: social listening, voice modeling, and reply-draft generation. Categories of data subjects: the Customer’s personnel and contacts, and, for public Platform content the Customer directs CueHQ to process, the authors of that content. Categories of data: account and contact data, brand and usage data, and public Platform content that may include identifiers and user-generated text.

4. Confidentiality and personnel. CueHQ ensures personnel authorized to process Customer Personal Data are bound by confidentiality and are trained as appropriate.

5. Security. CueHQ maintains the technical and organizational measures in Annex 2, designed to protect Customer Personal Data appropriate to the risk.

6. Subprocessors. The Customer provides general authorization for CueHQ to engage Subprocessors. The current list is in Annex 1. CueHQ will impose data-protection terms on Subprocessors no less protective than this DPA, remains responsible for their performance, will give at least 30 days’ notice of intended additions or changes, and will allow the Customer to object on reasonable data-protection grounds; if an objection cannot be resolved, the Customer may terminate the affected Service.

7. Data subject requests. Taking into account the nature of the processing, CueHQ will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests. If CueHQ receives a request directly, it will, where permitted, direct the Data Subject to the Customer.

8. Breach notification. CueHQ will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and will provide information reasonably available to help the Customer meet its obligations.

9. Assistance. CueHQ will provide reasonable assistance with data-protection impact assessments and prior consultations, taking into account the information available to it.

10. Return and deletion. On termination, CueHQ will delete or return Customer Personal Data within 30 days, except to the extent retention is required by law or for limited backup, security, or dispute-resolution purposes, in which case the data remains subject to this DPA until deleted.

11. International transfers. For transfers of Customer Personal Data from the EEA, the SCCs (Module Two, Controller to Processor) are incorporated and completed consistent with this DPA: general authorization for subprocessors with the 30-day notice in Section 6; annexes populated by Section 3 and Annexes 1 and 2. The UK Addendum applies for UK transfers and the Swiss amendments for Swiss transfers. Where another valid mechanism applies, the parties will use it.

12. Audits. CueHQ will make available information reasonably necessary to demonstrate compliance and will allow audits no more than once per year (unless required by a supervisory authority or after a breach), on reasonable notice, during business hours, subject to confidentiality and without unreasonable disruption. CueHQ may satisfy audits through third-party reports where available. Liability under this DPA is subject to the limitation of liability in the Terms.

13. CCPA service-provider terms. To the extent CueHQ processes personal information as a “service provider” under the CCPA/CPRA, it will not sell or share it, will not retain, use, or disclose it except to perform the Service or as permitted by law, will not combine it with data from other sources except as permitted, and certifies it understands and will comply with these restrictions.

Annex 1 - Subprocessors. Supabase (database, authentication, serverless functions); Vercel (hosting); Stripe (payment processing); Resend (transactional and marketing email delivery); Anthropic (AI generation); Apify (Reddit, YouTube, and TikTok data); TwitterAPI.io (X data); Cloudflare (security and bot prevention). Official Platform APIs may be used as fallback data sources.

Annex 2 - Technical and organizational measures. Access control with least-privilege administration and unique credentials; multi-factor authentication for administrative access; encryption of data in transit; tenant isolation through row-level access controls; network and platform security provided by our hosting and database providers; logging and monitoring; secret management outside source control; regular dependency and configuration review; backups with rolling purge; and incident-response procedures. Measures may be updated provided protection is not materially reduced.