Data Processing Addendum (DPA)

Last Updated: August 2, 2025

This Data Processing Addendum ("DPA") forms part of the CEO Hub .App Terms of Service ("Agreement") between you, the Customer, and CEO Hub .App ("Company"). This DPA applies to the extent that Company processes Personal Data on behalf of Customer in the course of providing the Services.

1. Definitions

  • "Customer Personal Data" means any Personal Data Processed by Company on behalf of Customer pursuant to or in connection with the Agreement.
  • "Data Protection Laws" means all applicable laws and regulations relating to data protection and privacy including, without limitation, the GDPR and the CCPA.
  • "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • "Personal Data", "Processing", "Data Subject", "Processor", and "Controller" shall have the meanings given to them in the GDPR.
  • "Standard AI Services" refers to AI data processing via Google's standard Gemini API endpoints, which may be used for service improvement as per Google's Data Policy. This applies to our Free and Trial plans.
  • "Enterprise AI Services" refers to AI data processing via Google Cloud Vertex AI, which provides enterprise-grade privacy and where data is not used for training Google's models. This applies to our Pro and Business plans.

2. Processing of Customer Personal Data

Company shall only Process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable order forms; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

3. Roles of the Parties and AI Service Tiers

The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Company is the Processor. The specific AI sub-processor and data handling policy depend on the Customer's subscription plan:

  • For 'Free' and 'Trial' Plans: Customer acknowledges that AI-powered features are processed using Standard AI Services. By using these features, Customer instructs Company to process the necessary data via these services.
  • For 'Pro' and 'Business' Plans: AI-powered features are processed using Enterprise AI Services, which offer enhanced privacy and data handling guarantees. Customer data submitted to these services is not used to train or improve the underlying AI models.

4. Security Measures

Company shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from security incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with the security standards described in our Security Annex.

5. Sub-processors

Customer agrees that Company may engage third-party sub-processors, including Google for both Standard and Enterprise AI Services, and a designated SMTP provider for sending transactional emails. Company has entered into a written agreement with each sub-processor containing data protection obligations not less protective than those in this DPA. A current list of sub-processors is available upon request.

6. Data Subject Rights

Company shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws. Company shall provide Customer with reasonable cooperation and assistance in relation to the handling of a Data Subject's request.

7. Data Breach Notification

Company shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8. Deletion of Customer Data

Upon termination of the Agreement, Company shall delete all Customer Personal Data within a commercially reasonable timeframe, unless applicable law requires storage of the Personal Data.

IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their duly authorized representatives.
