Data Processing Addendum
Effective date: 1 January 2026
(Previous version of the Data Processing Agreement available via the archive at https://www.cusmato.app/en/docs)
This Data Processing Agreement ("DPA") forms part of the Cusmato Master Subscription Agreement ("MSA"), the Cusmato Terms and Conditions, or any other written or electronic agreement between the parties (the "Agreement").
This DPA applies as soon as Customer uses Cusmato's Services and describes the terms under which Cusmato processes Customer Personal Data on behalf of Customer. The purpose of this DPA is to ensure that such processing is carried out in accordance with applicable legislation and with appropriate protection of the rights and freedoms of the data subjects whose personal data is processed.
1. Definitions
Any capitalised term used in this DPA but not defined herein has the meaning given to it in the Agreement.
- i. "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
- ii. "Agreement" or "MSA": the Cusmato Master Subscription Agreement (Terms and Conditions), including all annexes, as published at https://www.cusmato.app/en/docs. This MSA is the "Main Agreement" referred to in this document.
- iii. "Personal Data": any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- iv. "Customer Personal Data": the personal data of Customer's end customers that Cusmato processes on behalf of Customer through the Services, as further specified in Appendix A.
- v. "Processing": any operation or set of operations performed on personal data, as defined in Article 4(2) GDPR.
- vi. "Controller": Customer, who determines the purposes and means of the processing of Customer Personal Data.
- vii. "Processor": Cusmato V.O.F., which processes Customer Personal Data exclusively on behalf of and for the benefit of Customer.
- viii. "Sub-processor": any third party engaged by Cusmato in the processing of Customer Personal Data. The current sub-processor list is available at https://www.cusmato.app/en/security-privacy.
- ix. "Personal Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, as defined in Article 4(12) GDPR.
- x. "Standard Contractual Clauses" (SCCs): the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.
- xi. "TOMs": the technical and organisational measures as set out in Appendix B.
- xii. "Services": the SaaS services offered by Cusmato, including the AI-driven helpdesk, AI Studio, Team Chat, Invoice Processing and Product Management, as described in the MSA and at https://www.cusmato.app/en/docs.
- xiii. "Cusmato AI System": the entirety of Cusmato's internal AI architecture, consisting of two functionally distinct layers: (i) the LLM layer, which analyses customer queries and formulates draft responses, and (ii) the Policy Engine, a deterministic rule layer that decides on the action to be taken. Both layers are further described in Article 14.
- xiv. "LLM Layer": the internally developed language modelling component of Cusmato that processes customer queries, classifies intent and formulates a draft response. The LLM layer runs exclusively on Cusmato's own infrastructure; Customer Personal Data is not transferred to external LLM providers.
- xv. "Policy Engine": the deterministic, rule-based decision layer that, after intent classification by the LLM layer, applies Customer-configured business rules to determine which action is taken. The Policy Engine does not use machine learning.
- xvi. "Confidence Gate": the mechanism that directs further handling based on the LLM layer's confidence score: (a) ≥ 90%: auto-resolution; (b) 70–89%: Agent review required; (c) < 70%: escalation with priority marking.
- xvii. "Draft Mode": the operational mode in which the LLM layer prepares a complete draft response and associated action for each incoming ticket, and the Agent reviews and approves this draft before sending it to the end customer. This is the default operation of the Cusmato AI System.
- xviii. "Auto-resolution Mode": the operational mode, activatable per query type after proven stability, in which the Policy Engine executes the response and action directly without Agent intervention, solely when the Confidence Gate threshold of ≥ 90% is consistently achieved. "Proven stability" means: a consecutive period of at least fourteen (14) Working Days in which the Confidence Gate threshold of ≥ 90% is consistently achieved, as recorded in the AI Logs.
- xix. "Agent": the employee designated by Customer with an Agent Seat or higher in the Cusmato platform, who reviews draft responses, amends them if necessary and approves them before sending.
- xx. "AI Log": the audit-trail record of each AI decision, including intent classification score, applied policy rule, action taken and any human override.
- xxi. "Confidential Information": has the meaning as defined in Article 1.10 of the MSA. In the context of this DPA, Confidential Information includes at least all Customer Personal Data and AI model parameters.
- xxii. "Customer AI Workspace": the environment configured by Customer within Cusmato's AI Studio, including knowledge bases and instruction sets entered by Customer.
2. Scope and role allocation
2.1 Applicability
This Data Processing Agreement applies to all processing of Customer Personal Data that takes place in the context of the Services. The Agreement does not apply to processing that Customer performs outside the Cusmato platform.
2.2 Role allocation
Customer acts as Controller within the meaning of the GDPR. Cusmato acts as Processor and processes exclusively on the basis of documented instructions from Customer. Cusmato never processes Customer Personal Data as an independent controller and never for its own commercial purposes, profiling or product development, unless Customer expressly and in writing grants permission to do so. To the extent that Cusmato processes Account Data — being registration and billing data of Customer itself (including name, email address and payment details of the contracting party) necessary for the performance of the MSA — Cusmato acts as an independent Controller in accordance with the Cusmato Privacy Policy (available at https://www.cusmato.app/en/docs). This DPA does not apply to such processing.
2.3 Customer obligations
Customer guarantees that: (a) the processing of Customer Personal Data through the Services is based on a lawful basis as referred to in Article 6 GDPR; (b) data subjects have been adequately informed about the processing, including the use of AI-driven customer service; (c) the Customer AI Workspace is populated exclusively with data for which the necessary processing basis exists.
3. Processing instructions
3.1 Instruction requirement
Cusmato processes Customer Personal Data exclusively on the basis of documented instructions from Customer. The MSA (Cusmato Master Subscription Agreement), this Agreement and the annexes constitute the primary processing instruction. Additional instructions must be provided in writing.
3.2 Conflict with applicable law
If an instruction from Customer is, in Cusmato's opinion, in conflict with the GDPR or any other applicable data protection legislation, Cusmato shall promptly inform Customer thereof in writing and suspend execution of that instruction until Customer provides an amended, lawful instruction. If the instruction is, in Cusmato's opinion, manifestly unlawful — in particular where execution would constitute a criminal offence or a serious violation of the rights of data subjects — Cusmato is entitled to refuse the instruction, in accordance with Article 28(3)(h) GDPR. If Customer does not provide a lawful replacement instruction within ten (10) Working Days, Cusmato is entitled to cease the relevant processing activity and, in the event of continued non-compliance, terminate the MSA with immediate effect without liability for damages.
3.3 Audit trail
Cusmato maintains an audit trail of all documented processing instructions and changes thereto, available to Customer on request within five working days.
4. Confidentiality and personnel
4.1 Confidentiality obligation
Cusmato ensures that all employees, contractors and other persons who have access to Customer Personal Data are bound by an enforceable confidentiality obligation, either contractually or by law.
4.2 Access control
Access to Customer Personal Data is restricted on the basis of the need-to-know principle via Role-Based Access Control (RBAC). Access by Cusmato employees takes place exclusively for (i) providing support to Customer, (ii) maintenance and security of the Services, or (iii) incident investigation, and is logged.
4.3 Training
Cusmato ensures that all employees with access to Customer Personal Data receive annual awareness training on data protection and information security.
5. Technical and organisational measures
5.1 Security standard
Cusmato implements and maintains appropriate technical and organisational measures to secure Customer Personal Data in accordance with Article 32 GDPR. The full specification is set out in Appendix B and available at https://www.cusmato.app/en/security-privacy.
5.2 Minimum requirements
The TOMs include at least: (a) AES-256 encryption for data at rest; TLS 1.3 for data in transit; (b) multi-factor authentication mandatory for all internal access to production systems; (c) annual penetration tests by an independent certified third party; (d) logical tenant isolation at database level; (e) separate production and test environments; (f) backups multiple times per day with an RTO of maximum 24 hours and an RPO of maximum 4 hours.
5.3 Updates
Cusmato evaluates and updates the TOMs at least annually. Material reductions in the security level are communicated to Customer in writing in advance.
6. Personal data breaches
6.1 Initial notification
Cusmato shall notify Customer in writing without undue delay and, where reasonably practicable, in principle within 48 hours of becoming aware of a (suspected) Personal Data Breach. Contact: privacy@cusmato.app. The initial notification contains at least: the nature of the breach; the categories and estimated number of data subjects concerned; the contact details of the responsible contact point at Cusmato; the likely consequences; and the measures already taken or proposed.
6.2 Full report within 72 hours
Cusmato shall provide Customer with a full incident report no later than 72 hours after the initial notification. If complete information is not available in time, the initial notification will be supplemented in phases.
6.3 Forensic investigation right
In the event of a confirmed Personal Data Breach affecting Customer Personal Data, Customer has the right to conduct (or have conducted) its own forensic investigation, based on an agreed scope and schedule in advance.
6.4 Notification to authorities
The notification of Personal Data Breaches to the competent supervisory authority in accordance with Articles 33 and 34 GDPR is the responsibility of Customer as Controller. Cusmato provides all reasonable assistance.
7. Sub-processors
7.1 Authorisation and register
Customer hereby grants Cusmato general authorisation to engage sub-processors. The current, legally binding sub-processor list is available at all times at https://www.cusmato.app/en/security-privacy.
7.2 No external LLM providers
Cusmato does not engage external Large Language Model providers — including but not limited to OpenAI, Anthropic and Google DeepMind — as sub-processors for the processing of Customer Personal Data. The LLM layer runs exclusively on Cusmato's own infrastructure at Hetzner Online GmbH (Germany, EU).
7.3 Notice of changes
Cusmato shall notify Customer in writing by email and via update of the list at https://www.cusmato.app/en/security-privacy at least 30 calendar days before the intended engagement of a new sub-processor.
7.4 Objection procedure
Customer has the right to object on substantiated grounds within 30 calendar days of notification. If the parties do not reach agreement, Customer has the right to terminate the MSA free of charge with respect to the affected Service(s).
7.5 Flow-down of obligations
Cusmato imposes contractual obligations on all sub-processors that are at least equivalent to the obligations under this Agreement. Cusmato is liable to Customer for the acts or omissions of sub-processors.
7.6 Data residency
Customer Personal Data is stored on servers located in the European Economic Area, primarily at Hetzner Online GmbH in Germany.
8. Data subject rights
8.1 Assistance obligation
Cusmato provides Customer with all reasonable technical and organisational assistance in complying with its obligations under Articles 12 to 23 GDPR.
8.2 Forwarding of requests
If a data subject submits a request directly to Cusmato, Cusmato shall forward it to Customer within 48 hours.
8.3 Technical tools
Cusmato provides automated export and deletion functions within the platform to support data subject rights.
9. Audit and inspection rights
9.1 Level 1 — Documentary audit
Upon written request, Cusmato shall make available its most recent compliance documentation, including available certification or audit reports. Cusmato responds to a maximum of one written questionnaire per year within 20 working days. If Cusmato holds a current ISO 27001 certificate or a SOC 2 Type II report covering the relevant processing, the provision thereof shall be deemed sufficient fulfilment of a Level 1 request for the relevant audit year.
9.2 Level 2 — Remote interview
In the event of reasonable suspicion of material non-compliance, Customer has the right to conduct (or have conducted) a remote audit, with 14 calendar days' prior notice.
9.3 Level 3 — On-site audit
An on-site audit is permitted only in the case of: (a) a confirmed material Personal Data Breach; (b) a requirement of the supervisory authority; or (c) a demonstrably insufficient result of Level 1 and 2. Prior notice: 21 calendar days. Costs at Customer's expense, unless material non-compliance is established.
9.4 Frequency
Audits at Level 2 and 3 are conducted no more than once per calendar year, unless a confirmed Personal Data Breach gives rise to an additional request.
10. International data transfers
10.1 Data residency EU/EEA
Customer Personal Data is stored by default on servers located in the EEA, primarily at Hetzner Online GmbH in Germany. Cusmato does not transfer Customer Personal Data outside the EEA without applying an appropriate transfer mechanism.
10.2 Transfer mechanisms
To the extent that a sub-processor is established outside the EEA in a country without a valid adequacy decision, Cusmato applies the SCCs in accordance with Implementing Decision (EU) 2021/914, Module 3. For transfers to the United Kingdom, the UK International Data Transfer Addendum is applied.
11. Data retention and deletion
11.1 Retention periods
The retention periods per category of Customer Personal Data are set out in Appendix A.
11.2 Deletion and export after termination
After termination of the MSA, Cusmato shall delete all Customer Personal Data from production environments no later than 30 calendar days after the end date. Customer has the right to export its data in machine-readable format (CSV/JSON) during this period. Upon request, Cusmato shall provide a certificate of deletion. Backup copies that exist as of the end date are not actively overwritten but expire in accordance with Cusmato's regular backup retention policy, with a maximum additional retention period of sixty (60) calendar days after the end date, after which backup copies are also demonstrably erased. Cusmato does not take new backups of Customer Personal Data after the confirmed end date.
11.3 AI Logs
AI Logs are retained for the duration of the MSA and for a maximum of 90 days after termination, unless otherwise agreed in writing or a longer retention period is necessary for legal obligations.
12. DPIA assistance
12.1 Assistance
Upon written request from Customer, Cusmato shall provide assistance in conducting a DPIA as referred to in Article 35 GDPR, by making available: (i) a description of the processing activities; (ii) an overview of the TOMs; (iii) information on the relevant system architecture; and (iv) a concise AI system overview.
13. CCPA/CPRA service provider certification
13.1 Applicability
To the extent that Customer Personal Data includes personal information of residents of California (USA) within the meaning of the CCPA/CPRA, Cusmato expressly declares that Customer Personal Data is received exclusively for the performance of the Services as described in the MSA and this Agreement; that Cusmato does not sell, share or disclose Customer Personal Data for commercial purposes outside the described services; and that Cusmato provides assistance in handling opt-out and deletion requests from California consumers.
14. AI processing and model use
14.1 No external LLM transfer
Cusmato does not engage external generative AI/LLM providers for the processing of Customer Personal Data. AI inference takes place on Cusmato's own infrastructure within the EU/EEA.
14.2 No training on Customer Personal Data
Cusmato does not use Customer Personal Data for training, fine-tuning or evaluating its AI models, unless Customer expressly gives written consent for this in a separate agreement (opt-in).
14.3 Human oversight
The Service is designed for support and (where activated by Customer) controlled automation. Customer retains responsibility for configuration and may apply human intervention/override, in accordance with Article 4 of the MSA.
14.4 EU AI Act
Cusmato ensures that the transparency obligations under Article 52 of Regulation (EU) 2024/1689 (EU AI Act) are complied with to the extent applicable to the Services. Customer is responsible for compliance with any additional transparency obligations towards its end customers under the EU AI Act. Cusmato confirms that the Cusmato AI System is not currently classified as a 'high-risk AI system' within the meaning of Article 6 and Annex III of the EU AI Act. Should a future extension of the Services result in a different risk classification, Cusmato shall inform Customer thereof in writing in accordance with Article 16.1. As the user (deployer) of the Cusmato AI System within the meaning of Article 26 EU AI Act, Customer is responsible for: (a) ensuring human oversight in accordance with the Draft Mode provided by Cusmato; (b) informing its own data subjects about the use of AI in customer service in accordance with Article 50 EU AI Act; and (c) maintaining its own usage logs insofar as required under Article 26(6) EU AI Act.
15. Liability and indemnification
15.1 Limitation of liability
Cusmato's liability for damage arising from a breach of this Agreement is limited to the total amount that Customer has paid to Cusmato in the six (6) months preceding the cause of damage, unless the breach is the result of intent or gross negligence on the part of Cusmato. Article 82 GDPR remains applicable.
15.2 Indemnification by Customer
Customer indemnifies Cusmato against claims from third parties to the extent that such claims result from: (a) unlawful processing instructions from Customer; (b) the absence of a lawful basis for the processing; (c) breach by Customer of its obligations as Controller; (d) unlawful instructions or data in the Customer AI Workspace.
16. Amendment, versioning and term
16.1 Amendments
Cusmato reserves the right to amend this Agreement to comply with changes in applicable laws and regulations or material changes in architecture or services. Amendments are communicated to Customer in writing at least 30 calendar days before they take effect.
16.2 Objection
If an amendment is materially adverse to Customer from a data protection perspective, Customer has the right to terminate the MSA free of charge with a notice period of 30 calendar days, provided that the objection is submitted in writing and substantiated within 15 working days of the amendment notification.
16.3 Versioning
All versions of the Data Processing Agreement are archived and available at https://www.cusmato.app/en/docs.
16.4 Term
This Agreement enters into force as soon as Customer (i) accepts the MSA/Terms and Conditions or (ii) uses the Services, whichever occurs first, and ends automatically upon termination of the MSA, subject to obligations that by their nature continue after termination.
17. Applicable law and competent court
17.1 Applicable law
This Agreement is governed exclusively by Dutch law.
17.2 Competent court
All disputes arising from or in connection with this Agreement shall be submitted to the competent court in Amsterdam in the first instance, without prejudice to the right of either party to seek urgent interim relief.
Acceptance and applicability (no signature required): This Data Processing Agreement forms part of the Cusmato Master Subscription Agreement (MSA) and applies as soon as Customer (i) accepts the MSA/Terms and Conditions or (ii) uses the Services, whichever occurs first. By accepting/using, Customer accepts this DPA without a separate signature being required. Cusmato archives previous versions and keeps the current version publicly available at https://www.cusmato.app/en/docs.
Appendix A — Processing details (Article 28(3) GDPR)
A.1 Categories of data subjects
- Customer's end customers: persons who have placed an order with or contact the customer service of Customer via channels connected to Cusmato.
- Customer employees (Agents): employees of Customer who use the Cusmato platform for ticket handling and management.
A.2 Categories of personal data and retention periods
| Category | Content | Retention period |
|---|---|---|
| Contact details | Name, email address, phone number of end customers | MSA term + 30 days |
| Order and transaction data | Order number, order content, order status, delivery address, payment reference | MSA term + 30 days |
| Communication data | Content of customer service correspondence (tickets, emails) | MSA term + 30 days |
| AI Logs | Intent classification score, Confidence Gate level, applied policy rule, decision, action, model version, human override | MSA term + 90 days |
| Agent platform usage data | Login data and actions of Agents in the platform (pseudonymised) | MSA term + 90 days |
A.3 Purposes of processing
- Automatic classification and response of customer service tickets on behalf of Customer;
- Execution of Customer-configured actions via the Policy Engine;
- Internal communication and task management for Customer's support team;
- Invoice processing and product management on behalf of Customer;
- Performance analysis and reporting for Customer;
- Technical monitoring of the Services based on anonymised or aggregated data.
Appendix B — Technical and organisational measures
Current specification available at https://www.cusmato.app/en/security-privacy.
| Measure | Specification |
|---|---|
| Encryption | AES-256 at rest; TLS 1.3 in transit; encrypted backups |
| Access control | RBAC; MFA mandatory for production system access; least privilege; access logging |
| Infrastructure & Hosting | Hetzner Online GmbH, Germany (EU); firewall & DDoS protection; network segmentation |
| Monitoring | 24/7 system and security monitoring; audit logging of all data mutations; anomaly alerting |
| Vulnerability management | Annual penetration tests (certified third party); patch management; Responsible Disclosure Policy |
| Business continuity | Backups multiple times per day; RTO max. 24 hours; RPO max. 4 hours; documented DR plan |
| Tenant isolation | Logical separation at database level; no cross-tenant data access |
| AI-specific | Tenant-isolated inference environment; no customer data in training sets (unless opt-in); model versioning and rollback; AI Logs immutable after creation; inference exclusively on own infrastructure |
| Organisational | Annual security awareness training; formal incident response plan; confidentiality obligations for all employees; screening procedure for new employees |
Appendix C — Sub-processor list
The current and legally binding sub-processor list is maintained at all times at https://www.cusmato.app/en/security-privacy.
| Name | Category | Location | Processing purpose |
|---|---|---|---|
| Hetzner Online GmbH | Hosting & Infrastructure | Germany (EU) | Hosting, storage and processing of all production data. Primary data location EEA. |
| Mollie B.V. | Payment processing | Netherlands (EU) | Processing of payment transactions and payment references. PCI DSS certified. Data location EU/EEA. |
No external AI or LLM provider is included as a sub-processor. Cusmato's AI inference stack runs exclusively on the Hetzner infrastructure in Germany (EU).
— End of Cusmato Data Processing Agreement v2.1 —
cusmato.app · privacy@cusmato.app · https://www.cusmato.app/en/docs