GDPR Article 28 compliant data processing terms. Transparent, comprehensive, European.
Template Status
This DPA template reflects our compliance framework. Fully executed agreements with custom terms available for enterprise customers.
GDPR Article 28 Compliance
Our Data Processing Agreement covers all essential requirements:
GDPR Article 28 compliant framework
EU-only data processing
Technical & organizational measures
Sub-processor transparency
24-hour breach notification
Audit rights for enterprise customers
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
Data Controller: Your organization (the customer using Hubeu services)
Data Processor: Hexer Network Oy (trading as Hubeu), Business ID FI34666919, Helsinki, Finland
Scope: Processing of personal data through Hubeu's European cloud deployment platform
Effective Date: Upon execution of Hubeu Terms of Service or custom enterprise agreement
2. Data Processing Details
Categories of Data Subjects
Customer employees, contractors, and authorized users
End users of customer-deployed applications
Customer contacts and business representatives
Categories of Personal Data
Contact information (names, email addresses, phone numbers)
Account credentials and authentication data
Usage data, application logs, and deployment history
Technical data (IP addresses, browser information, timestamps)
Application content and user-generated data within deployed services
Processing Activities
Hosting and serving web applications on EU infrastructure
Account management, authentication, and authorization
Technical support, troubleshooting, and incident resolution
System monitoring, analytics, and performance optimization
Data backup, disaster recovery, and business continuity
3. Data Processing Locations
All personal data processing occurs exclusively within European Union member states:
Primary Infrastructure
Germany: Hetzner data centers (primary hosting and compute)
France: Scaleway data centers (secondary hosting and redundancy)
Finland: Self-hosted Supabase EU (database and authentication services)
Edge & Distribution
Slovenia: BunnyCDN (content delivery network)
Netherlands: Edge caching nodes
Ireland: Backup infrastructure and redundancy
4. Sub-processors
We maintain a limited, transparent list of sub-processors. All are EU-based and bound by equivalent data protection obligations:
Sub-processor         Location   Purpose                               DPA Status
Hetzner Online GmbH   Germany    Infrastructure hosting & compute      Active
Scaleway SAS          France     Infrastructure hosting & redundancy   Active
BunnyWay d.o.o.       Slovenia   CDN & edge caching                    Active
Sub-processor Network Infrastructure
BunnyCDN utilizes proprietary network infrastructure classified as confidential business information. However, BunnyCDN contractually guarantees that when EU-only routing is enabled, all data processing occurs exclusively within EU Points of Presence.
Hubeu maintains EU-only routing configuration and conducts quarterly verification to ensure compliance. Similar configuration verification is maintained for Hetzner (Germany-only regions) and Scaleway (EU-only by default).
Important: Customers will be notified 30 days in advance of any sub-processor additions or changes as required by GDPR Article 28(2). Current sub-processor DPAs are being executed and will be marked "Active" upon completion.
5. Technical and Organizational Measures
Operational Security Measures
The following technical security measures are currently operational and protect all customer data:
Encryption in Transit: TLS 1.2+ for all web traffic and API communications
Encryption at Rest: AES-256 encryption via Supabase for all database content
Access Control: JWT-based authentication with role-based access controls
Data Residency: EU-only infrastructure configuration actively maintained
Backup & Recovery: Automated daily backups within EU data centers
Configuration Verification: Quarterly audits of EU-only routing settings
Incident Detection: Basic monitoring and alerting for security events
Enhanced Measures Roadmap (2026)
Additional organizational and compliance measures planned for implementation:
Staff Training: Formal GDPR and information security certification programs
Background Screening: Security vetting protocols for personnel with data access
Incident Response: ISO 27035-compliant breach response procedures
Third-Party Audits: Independent security assessments and penetration testing
Compliance Certifications: ISO 27001 and SOC 2 Type 2 certification
Advanced Monitoring: SIEM implementation and 24/7 security operations
6. Data Subject Rights
We assist customers in fulfilling data subject rights under GDPR Articles 15-22:
Currently Available
Right to Access: Manual data exports via support within 72 hours
Right to Rectification: Account settings updates through dashboard
Right to Erasure: Account deletion via support request
Planned (Q1-Q2 2026)
Right to Portability: Self-service data export in machine-readable format
Right to Restriction: Granular processing controls
Right to Object: Automated opt-out mechanisms
7. Data Breach Notification
In accordance with GDPR Article 33, we commit to the following breach notification procedures:
Notify affected customers within 24 hours of becoming aware of a personal data breach
Provide detailed information about the nature, scope, and potential consequences
Assist with regulatory notifications to supervisory authorities within 72 hours
Implement immediate containment, investigation, and remediation measures
Conduct thorough post-incident analysis with written report
Maintain 24/7 emergency contact channel for breach notifications
8. Data Retention and Deletion
Data retention periods comply with customer requirements and legal obligations:
Active Account Data: Retained while customer account remains active and services are used
Deleted Account Data: Purged within 30 days of deletion request from production systems
Backup Data: Removed from all backup systems within 90 days of primary deletion
Security Logs: Retained for 12 months for security monitoring and compliance verification
Billing Records: Retained for 6 years as required by Finnish accounting legislation (Kirjanpitolaki)
9. Audits and Compliance Verification
Enterprise customers have comprehensive audit rights under GDPR Article 28(3)(h):
Request and receive current compliance documentation and security certifications
Conduct on-site or remote audits with 30 days advance written notice
Review security policies, procedures, and technical implementation measures
Access third-party security assessment reports (subject to confidentiality agreements)
Receive annual compliance status updates and security posture reports
10. Liability and Transparency
As an early-stage platform committed to transparent compliance implementation:
Core GDPR requirements (EU data residency, encryption, access controls, breach notification) are operational now
Enhanced organizational measures and certifications targeted for 2026 per published roadmap
Current customers benefit from foundational security measures meeting GDPR Article 32 requirements
Liability limited to amounts paid during 12 months preceding any claim (except for willful misconduct)
Transparent roadmap publicly available showing progression from current state to full compliance
No processing of special category data (Article 9) without explicit agreement and enhanced measures
11. Term and Termination
This DPA remains in effect for the duration of the Hubeu Terms of Service or custom enterprise agreement. Upon termination, all customer data will be deleted or returned according to customer instructions within 30 days, except where retention is required by applicable law.
Contact Information
Data Protection Contact
Hexer Network Oy (trading as Hubeu)
Business ID: FI34666919
PL 13
00561 Helsinki, Finland
Contact Channels
Email: privacy@hubeu.com
Support: support@hubeu.com
Emergency: 24/7 breach notification
PGP Key: Available on request
Need a Fully Executed DPA?
Enterprise customers can request a signed Data Processing Agreement with custom terms and service levels.
Custom terms, service levels, and liability provisions available for enterprise customers