Data Processing Agreement

GDPR Article 28 compliant Data Processing Agreement for the Cursus platform. This DPA is incorporated by reference into the Master Service Agreement.

This document is provided for informational purposes. Legal review pending. Enterprise customers should contact legal@cursusapp.io to negotiate specific terms.

1. Controller/Processor Roles

The Customer ("Controller") determines the purposes and means of processing personal data through the Cursus platform. Cursus Technologies, Inc. ("Processor") processes personal data solely on behalf of and in accordance with the documented instructions of the Controller.

The Processor shall not process personal data for any purpose other than providing the Service as described in the Master Service Agreement and this DPA, unless required by applicable law. In such cases, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

The Processor confirms that it has no reason to believe that applicable legislation prevents it from fulfilling its obligations under this DPA.

2. Purpose and Duration of Processing

The Processor processes personal data for the following purposes: (a) providing organizational intelligence and change management analytics; (b) computing aggregated readiness, capacity, and engagement scores; (c) operating the Lumen AI copilot; (d) delivering communications on behalf of the Controller; and (e) technical operations including authentication, access control, and audit logging.

Processing commences on the Effective Date of the MSA and continues for the duration of the Agreement. Upon termination, the Processor will delete or return all personal data within thirty (30) days, at the Controller's election, and certify deletion in writing.

The Processor will retain audit logs and anonymized aggregate statistics beyond the deletion period only where required for regulatory compliance or contractual obligations, and only in a form that cannot be re-identified to individuals.

3. Nature of Processing and Data Categories

The nature of processing includes: collection, storage, organization, structuring, retrieval, aggregation, anonymization, scoring, AI-assisted analysis, and deletion of personal data.

Data Category | Examples | Processing Purpose
Identity & Account Data | Name, email address, job title, department, organizational role | Authentication, RBAC, hierarchy scoping
Organizational Metadata | Reporting lines, team membership, location, cost center | Stakeholder grouping, aggregation scoping, change load computation
Communication Metadata | Message timestamps, channel IDs, participant counts (no message content by default) | ONA network analysis, influence mapping, signal normalization
Survey Responses | Aggregated readiness scores, engagement ratings, open-text feedback | Calibration of behavioral signal models, sentiment analysis
Behavioral Signals | Calendar pattern metadata, application adoption telemetry, process mining events | Organizational intelligence indices, capacity scoring
AI Interaction Data | Lumen conversation logs, tool invocations, AI-generated outputs | Service delivery, audit trail, effectiveness measurement

Data subjects include: employees, contractors, and other personnel of the Controller's organization who are represented in the Service as stakeholders, leaders, or practitioners.

The Processor architecturally enforces aggregation thresholds (minimum group sizes) before any metric is computed or surfaced. Individual-level behavioral data is never exposed in manager, leader, or executive views. This privacy-by-design guarantee is a material obligation of the Processor.

4. Sub-Processors

The Controller provides general authorization for the Processor to engage sub-processors, subject to the conditions in this section.

The current list of sub-processors is maintained at cursusapp.io/legal/sub-processors and is incorporated by reference into this DPA.

The Processor shall: (a) notify the Controller at least thirty (30) days before adding, replacing, or removing a sub-processor; (b) impose contractual obligations on each sub-processor that are no less protective than those in this DPA; and (c) remain fully liable for the acts and omissions of its sub-processors.

If the Controller objects to a new sub-processor within the 30-day notice period, the parties shall negotiate in good faith to resolve the concern. If resolution is not possible, the Controller may terminate the affected Service component without penalty.

5. Security Measures

The Processor implements and maintains the following technical and organizational measures to protect personal data:

  • Encryption at rest (AES-256) and in transit (TLS 1.3) for all personal data
  • Row-Level Security (RLS) enforcing multi-tenant data isolation at the database layer
  • Role-based access control (RBAC) with five defined roles and principle of least privilege
  • Immutable, append-only audit logging of all data mutations
  • Aggregation threshold enforcement in all scoring and analytics functions
  • Automated vulnerability scanning and dependency auditing in CI/CD pipeline
  • Regular penetration testing by qualified third parties (at least annually)
  • Employee security awareness training and background checks for personnel with data access
  • Incident response plan with defined escalation procedures and notification timelines
  • Business continuity and disaster recovery procedures with documented RTOs and RPOs

The Processor shall regularly review and update these measures to reflect the evolving threat landscape and industry best practices. The Processor shall not materially reduce the level of security without prior written notice to the Controller.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject rights requests under GDPR Articles 15-22, including: access, rectification, erasure, restriction of processing, data portability, and objection.

Upon receiving a data subject request directly, the Processor shall promptly redirect the request to the Controller and shall not respond to the data subject without the Controller's instructions, unless required by law.

The Processor provides the following self-service capabilities within the platform: (a) a "What Cursus knows about me" view allowing individual data subjects to see their personal data and its sources; (b) an opt-out mechanism for specific data collection channels; and (c) a data export function in machine-readable format (JSON/CSV).

The Processor shall respond to the Controller's assistance requests regarding data subject rights within five (5) business days.

7. Cross-Border Transfers

The Processor may transfer personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland only where adequate safeguards are in place.

For transfers to the United States, the parties rely on the EU-U.S. Data Privacy Framework and, as a fallback mechanism, the Standard Contractual Clauses (SCCs) adopted by the European Commission (Module 2: Controller to Processor).

The SCCs are incorporated by reference into this DPA. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail to the extent of the conflict.

The Processor conducts transfer impact assessments for each sub-processor located outside the EEA and implements supplementary measures where necessary, including encryption of data in transit and at rest, pseudonymization, and contractual commitments from sub-processors.

The Processor shall promptly inform the Controller if it becomes aware of any change in law or practice that would prevent it from complying with its obligations under the SCCs.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting the Controller's data.

The notification shall include: (a) the nature of the breach, including the categories and approximate number of data subjects affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) the name and contact details of the Processor's data protection contact.

The Processor shall cooperate with the Controller in investigating the breach, mitigating its effects, and fulfilling the Controller's notification obligations to supervisory authorities and data subjects under GDPR Articles 33 and 34.

The Processor maintains an incident response plan that is tested at least annually through tabletop exercises.

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA, either directly or through an independent third-party auditor, subject to reasonable notice (at least thirty (30) days) and confidentiality obligations.

The Processor shall make available all information necessary to demonstrate compliance and shall allow and contribute to audits, including inspections of facilities where personal data is processed.

The Processor shall provide the Controller, upon request, with: (a) copies of relevant third-party audit reports (SOC 2 Type II or equivalent); (b) results of penetration testing; (c) documentation of security measures; and (d) records of data processing activities.

Audits shall be conducted during normal business hours, no more than once per year (unless a specific incident warrants an additional audit), and shall be at the Controller's expense unless the audit reveals a material non-compliance, in which case costs shall be borne by the Processor.

The Processor shall promptly remediate any non-compliance identified during an audit and provide the Controller with evidence of remediation within thirty (30) days.

Last updated: April 5, 2026. Version 1.0 — Draft.