data processing addendum.
last updated: may 29, 2026.
This Data Processing Addendum (“DPA”) forms part of our terms of service between you (“Customer”, the controller) and Nxera LLC operating as cuehq (“cuehq”, the processor). It applies where cuehq processes personal data on Customer’s behalf and where data protection law (including the EU and UK GDPR and the CCPA) applies.
1. roles and scope.
For personal data Customer submits or authorizes cuehq to gather to provide the service (the “Customer Personal Data”), Customer is the controller (or business) and cuehq is the processor (or service provider). cuehq processes Customer Personal Data only to provide and support the service, on Customer’s documented instructions (including as set out in the terms and privacy policy), and not for any other purpose. As a service provider under the CCPA, cuehq does not sell or share Customer Personal Data and does not retain, use, or disclose it outside the direct business relationship.
2. nature of processing.
- Subject matter: provision of social-listening, scoring, and reply-drafting services.
- Duration: the term of Customer’s subscription, plus the retention described in the privacy policy.
- Categories of data subjects: Customer’s personnel and authors of public social content surfaced for Customer.
- Categories of data: account and contact details, brand knowledge-base content, public social content, generated drafts, and usage data.
3. cuehq obligations.
cuehq will: (a) process only on documented instructions; (b) ensure persons authorized to process are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist Customer, taking into account the nature of processing, with data subject requests and with security, breach, and impact-assessment obligations; and (e) make available information reasonably necessary to demonstrate compliance.
4. sub-processors.
Customer authorizes cuehq to use sub-processors to provide the service. Current sub-processors:
| sub-processor | purpose |
|---|---|
| Supabase | database, authentication, file storage |
| Anthropic | AI processing (voice profiles, scoring, drafts) |
| Apify | social data provider |
| TwitterAPI.io | social data provider (X) |
| Resend | email delivery |
| Stripe | payment processing |
| Vercel | application hosting |
| Cloudflare | security and bot protection |
| authentication (sign-in) |
cuehq imposes data protection obligations on each sub-processor that are no less protective than this DPA, and remains responsible for their performance. cuehq will give notice of intended changes to sub-processors and a chance to object on reasonable data-protection grounds.
5. data subject requests.
cuehq will, where legally permitted, promptly inform Customer of requests from data subjects and will assist Customer in responding, including by providing the means to access, correct, or delete Customer Personal Data within the service.
6. security incidents.
cuehq will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its notification obligations.
7. international transfers.
Where cuehq transfers Customer Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree the European Commission’s Standard Contractual Clauses (and the UK Addendum, where applicable) are incorporated by reference and apply to that transfer.
8. deletion and return.
On termination, and on Customer’s request, cuehq will delete or return Customer Personal Data within a reasonable period, except where retention is required by law, and may retain de-identified, aggregated data.
9. audits.
cuehq will make available information needed to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted on reasonable notice, subject to confidentiality and to limits that protect other customers and our systems.
10. liability.
Each party’s liability under this DPA is subject to the limitations and exclusions in the terms of service.
To request a countersigned copy of this DPA, email privacy@cuehq.social.