Data Processing Addendum

GDPR, DPDP, CCPA-ready data processing terms — including SCCs, HIPAA BAA, and AI Training annexes for enterprise compliance.

Last Updated

March 2026

Document Type

DPA + Annexes

Coverage

GDPR · DPDP · CCPA · HIPAA

DPA Overview

Enterprise

This Data Processing Addendum forms part of the Terms and Conditions and any applicable Marketplace Agreement between Kuinbee Information Services Private Limited ("Processor") and the entity accessing or using Kuinbee's platform services ("Controller").

⚠️ Scope: This DPA applies where Kuinbee processes Personal Data on behalf of the Customer. Enterprise customers may request execution of this DPA at legal@kuinbee.com.

1
Overview

Definitions

"Applicable Data Protection Laws"

All laws applicable to the processing of Personal Data, including but not limited to:

  • Digital Personal Data Protection Act, India (DPDP)
  • General Data Protection Regulation (GDPR)
  • UK GDPR
  • CCPA/CPRA (where applicable)

"Personal Data": Any information relating to an identified or identifiable natural person.

"Processing": Any operation performed on Personal Data.

"Sub-Processor": Any third party engaged by Kuinbee to process Personal Data.

2
Structure

Role of Parties

Where Kuinbee processes Customer Personal Data in connection with platform services, Kuinbee acts as a Data Processor. Customer acts as the Data Controller, determining the purpose and means of processing.

  • Kuinbee does not act as a Controller for third-party Datasets uploaded by independent Suppliers unless explicitly agreed in writing.
  • For Kuinbee's own corporate operations (billing, user accounts), Kuinbee acts as an independent Controller.

3
Scope

Subject Matter & Duration

Subject Matter: Processing necessary to provide marketplace and data infrastructure services.

Duration: For the term of the Agreement and until deletion or return of Personal Data.

Nature of Processing:

  • Hosting & storage
  • Transmission
  • Technical validation
  • Platform-based analytics
  • API-based data handling

Categories of Data Subjects

Customer users · Business representatives · End-users (if applicable)

Categories of Personal Data

Account information · Business contact data · Uploaded structured datasets (if containing personal data)

4
Obligations

Processor Obligations

Kuinbee shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure authorized persons are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer in fulfilling data subject rights requests
  • Notify Customer without undue delay upon becoming aware of a Personal Data breach
  • Delete or return Personal Data upon termination, unless retention is required by law

5
Security

Technical & Organizational Measures (TOMs)

Kuinbee implements commercially reasonable safeguards including:

  • Encryption in transit (TLS)
  • Access control mechanisms
  • Role-based permissions
  • Secure cloud hosting
  • Monitoring and logging
  • Incident response planning
  • Infrastructure redundancy

Security measures are periodically reviewed and updated.

6
Governance

Sub-Processors

  • Customer authorizes Kuinbee to engage Sub-Processors
  • Sub-Processors are bound by data protection obligations no less protective than this DPA
  • A list of key Sub-Processors may be made available upon request
  • Kuinbee remains responsible for Sub-Processor compliance with this DPA

7
Compliance

International Data Transfers

Where Personal Data is transferred outside the originating jurisdiction, Kuinbee shall ensure lawful transfer mechanisms:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Other legally recognized safeguards

Customer acknowledges that cross-border hosting may occur where infrastructure is globally distributed.

8
Rights

Data Subject Rights

Kuinbee shall assist Customer, where technically feasible, in responding to:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Restriction requests
  • Objection requests

If Kuinbee receives a data subject request directly, it shall forward the request to Customer unless legally prohibited.

9
Security

Personal Data Breach

Kuinbee shall notify Customer without undue delay after becoming aware of a breach affecting Customer-controlled data.

Notification shall include, where available:

  • Nature of the breach
  • Categories of data affected
  • Likely consequences
  • Mitigation measures taken

Kuinbee shall cooperate in investigation and mitigation.

10
Governance

Audit Rights

Upon reasonable notice, Customer may request information demonstrating compliance. Kuinbee may satisfy audit requirements through:

  • Certifications
  • Security documentation
  • Third-party audit reports
  • Written compliance confirmations

Physical audits shall be subject to confidentiality safeguards and reasonable scheduling.

11
Lifecycle

Data Retention & Deletion

Upon termination of services, Kuinbee shall:

  • Delete Personal Data; or
  • Return Personal Data to Customer

unless retention is required by law. Backup deletion may occur in accordance with retention cycles.

12
Legal

Liability

Each Party's liability under this DPA shall be subject to the liability limitations set out in the main Agreement. Nothing in this DPA limits liability where such limitation is prohibited by Applicable Data Protection Laws.

13
Legal

Supplier Data Disclaimer

Where Datasets are uploaded by independent Suppliers:

  • Kuinbee does not determine lawful basis for collection
  • Supplier is responsible for consent and compliance
  • Customer assumes responsibility for downstream processing

This DPA applies only to data processed by Kuinbee as Processor.

14
Legal

Governing Law

This DPA shall be governed by the laws specified in the main Agreement.

15
Legal

Order of Precedence

In the event of conflict:

1. This DPA
2. The Marketplace Agreement
3. The Terms and Conditions

Annexes & Supplementary Frameworks

Supporting documents incorporated by reference into this DPA.

Annex

Annex I — Description of Processing (EU Format)

Data Exporter (Controller)

Enterprise Customer using Kuinbee services

Data Importer (Processor)

Kuinbee Information Services Pvt. Ltd., Pune, Maharashtra, India

Purpose of Processing:

  • Marketplace operations & data licensing facilitation
  • Dataset hosting, transmission, and API access
  • AI pipeline infrastructure (if enabled)
  • Dashboard, analytics, and platform functionality

Categories of Data Subjects:

Customer representatives · Business users · Dataset data subjects (if personal data included) · API users

Sensitive Data Handling:

Where special categories are processed: enhanced safeguards apply, encryption enforced, access strictly role-based, processing only under lawful basis.

Annex

Annex II — Technical & Organizational Measures

Access Control

Role-based restrictions
Multi-factor authentication
Least privilege principle
Periodic access review

Data Transmission

TLS encryption in transit
Secure API authentication
Encrypted data channels

Data Storage

Encrypted storage (where supported)
Segregated storage layers
Backup redundancy

Infrastructure

Secure cloud hosting
Firewall protections
Network segmentation
Monitoring and alerting

Incident Response

Escalation protocol
Breach notification procedure
Forensic investigation
Mitigation strategy

Personnel & Sub-Processors

Confidentiality agreements
Internal data protection training
Sub-processor due diligence
Ongoing oversight

Annex

Standard Contractual Clauses (SCC) Integration

Where GDPR applies and transfers occur outside the EEA, Kuinbee supports:

  • Controller-to-Processor module
  • Processor-to-Processor module

Upon request, Kuinbee may:

  • Execute EU Commission 2021 SCCs
  • Incorporate UK Addendum
  • Provide supplementary safeguards
  • Conduct Transfer Impact Assessments

SCCs may be incorporated by reference into the DPA.

Annex

HIPAA Business Associate Addendum (BAA)

⚠️ This section applies only where Customer uploads or processes Protected Health Information (PHI).

Kuinbee acts as a Business Associate solely for hosting or transmission functions, where applicable.

Kuinbee shall:

  • Use PHI only to provide services
  • Not disclose PHI except as permitted
  • Implement safeguards required under HIPAA Security Rule
  • Protect PHI confidentiality, limit access, encrypt transmissions
  • Notify Customer without unreasonable delay following discovery of a breach of unsecured PHI

Subcontractors handling PHI must agree to equivalent safeguards. If Kuinbee materially breaches HIPAA obligations and fails to cure, Customer may terminate.

Annex

AI Training Compliance Annex

This annex applies where Datasets are used for machine learning or AI training.

Lawful Basis Requirements:

  • Buyers must ensure lawful basis for training
  • Consent where required
  • Compliance with applicable AI regulation

Bias & Fairness Controls:

  • Conduct bias assessments
  • Maintain documentation
  • Avoid discriminatory outcomes

Prohibited AI Uses:

  • Unlawful biometric surveillance
  • Social scoring prohibited by law
  • Human rights violations
  • Autonomous weapon systems

Regulatory Alignment:

  • EU AI Act (where applicable)
  • DPDP requirements
  • Sectoral AI governance rules
  • National AI safety regulations

Request DPA Execution

Enterprise customers may request a signed copy of this DPA, SCC execution, or HIPAA BAA by contacting:

Legal

legal@kuinbee.com