Data Processing Agreement
Last updated: March 2026
This DPA forms part of the Terms of Service between DataKubo and the reseller (“Controller”).
1. Definitions
- “Controller” — the reseller who determines the purposes and means of processing personal data of their end users.
- “Processor” — DataKubo, which processes personal data on behalf of the Controller.
- “Data Subject” — any identified or identifiable natural person whose personal data is processed (e.g., end users, residents, tenants).
- “Personal Data” — any information relating to an identified or identifiable natural person.
- “Processing” — any operation performed on personal data (collection, storage, retrieval, use, disclosure, deletion).
- “GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council.
- “Sub-processor” — any third party engaged by DataKubo to process personal data.
2. Scope and Purpose
This DPA applies to all personal data processed by DataKubo on behalf of the Controller through the DataKubo platform. The subject matter, nature, and purpose of processing are:
- Subject matter: IoT device data and end-user account information
- Nature: Collection, storage, retrieval, and deletion of personal data
- Purpose: Providing the DataKubo platform services as described in the Terms of Service
- Duration: For the term of the reseller's subscription plus 30 days
- Categories of data: Names, email addresses, device identifiers, consumption readings, timestamps
- Categories of data subjects: End users (residents, tenants, members) of the Controller's customers
3. Controller Obligations
The Controller agrees to:
- Ensure a lawful basis exists for processing personal data before submitting it to DataKubo
- Provide data subjects with appropriate privacy notices about the processing
- Ensure personal data submitted is accurate and limited to what is necessary
- Comply with all applicable data protection laws in their jurisdiction
- Notify DataKubo promptly of any data subject requests that require Processor action
4. Processor Obligations
DataKubo agrees to:
- Process personal data only on documented instructions from the Controller (i.e., to provide the platform services)
- Ensure persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 6)
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination of the agreement
- Make available all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach
5. Sub-processors
The Controller grants DataKubo general authorization to engage the following sub-processors. DataKubo will notify the Controller of any intended changes at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud database provider | Database hosting, authentication | EU |
| Cloud hosting providers | Frontend and backend infrastructure | EU |
| Stripe Inc. | Payment processing (billing data only) | EU |
DataKubo ensures each sub-processor is bound by data protection obligations equivalent to those in this DPA.
6. Security Measures
DataKubo implements the following technical and organizational measures:
Technical measures:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Row Level Security (RLS) enforcing multi-tenant data isolation at the database level
- API keys hashed with bcrypt (never stored in plain text)
- JWT-based authentication with short-lived tokens
- Regular automated backups with point-in-time recovery
Organizational measures:
- Access to production systems limited to authorized personnel only
- Confidentiality obligations for all staff with data access
- Incident response procedure with 72-hour breach notification
- Regular review of access controls and security practices
7. Data Subject Rights
The Controller is responsible for handling data subject requests (access, rectification, erasure, portability, objection). DataKubo will assist the Controller by:
- Providing data export functionality in the platform dashboard
- Deleting specific end-user data upon written request from the Controller
- Responding to Controller requests within 5 business days
8. Data Breach Notification
In the event of a personal data breach, DataKubo will notify the Controller without undue delay and within 72 hours of becoming aware. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. International Transfers
DataKubo stores data within the EU by default. Where sub-processors are located outside the EU/EEA, DataKubo ensures appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions) in accordance with GDPR Chapter V.
10. Audit Rights
The Controller may request an audit of DataKubo's data processing activities no more than once per year, with 30 days' written notice. DataKubo may satisfy audit requests by providing relevant certifications, third-party audit reports, or written responses to reasonable questionnaires.
11. Deletion and Return of Data
The reseller is responsible for exporting their data before deleting their account. DataKubo provides a full data export in machine-readable format (CSV/JSON) from the platform dashboard for this purpose. Upon account deletion, DataKubo will permanently delete all associated personal data within 30 days. Backups are purged within 90 days of account deletion.
12. Governing Law
This DPA is governed by Spanish law and the GDPR. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Spain.
13. Contact
For DPA-related questions or to exercise rights under this agreement, contact our data protection team at info@datakubo.com.