Data Processing Agreement
Governs the processing of Personal Data between Kuration AI and the Client, covering both controller-to-controller and controller-to-processor relationships, and incorporates the Standard Contractual Clauses for international transfers.
Version 5.0 · Last updated 17 April 2026
Legal review notice. This Data Processing Agreement has been prepared for review and should be validated by qualified legal counsel before use. It is not legal advice.
Version: 5.0 Effective Date: 17 April 2026 Last Updated: 17 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement for services ("Principal Agreement") between:
Kuration AI Limited, a company registered in Hong Kong (CR No. 76420894), with its registered office at Unit 2A, 17/F., Glenealy Tower, No. 1 Glenealy, Central, Hong Kong ("Kuration AI"),
and
The entity identified in the Principal Agreement ("Client")
(each a "Party" and together the "Parties").
For the purposes of this DPA, "Principal Agreement" means: (i) for enterprise customers, the written agreement or Order Form executed between the Parties; or (ii) for all other customers, the Terms of Service available at https://kurationai.com/terms, which the Client accepts by registering for or using the Services.
Recitals
A. Kuration AI independently collects and compiles business contact data from publicly available sources, including government registries, event directories, institutional listings, professional networks, and proprietary human research networks. With respect to this independently sourced data, Kuration AI acts as an independent Data Controller.
B. Where the Client submits Personal Data to Kuration AI for processing (for example, for enrichment, cleansing, or matching against Kuration AI's databases), Kuration AI acts as a Data Processor on behalf of the Client.
C. All data independently sourced by Kuration AI is obtained through lawful means, including Open Source Intelligence (OSINT) methodologies, publicly available information, and proprietary human research networks. Kuration AI does not engage in unauthorised access to computer systems or databases, and, when employing automated data collection, respects robots.txt directives and any technical access controls in place.
D. This DPA sets out the rights and obligations of the Parties with respect to the processing of Personal Data under both the Controller-to-Controller and Controller-to-Processor relationships described herein.
1. Definitions
1.1 "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
1.2 "Data Protection Laws" means all applicable data protection and privacy legislation, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA) and other U.S. state privacy laws, the Singapore Personal Data Protection Act (PDPA), the Saudi Arabia Personal Data Protection Law (KSA PDPL), and any other applicable data protection legislation.
1.3 "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
1.4 "Sub-processor" means any third party appointed by Kuration AI to process Personal Data on behalf of the Client where Kuration AI acts as a Data Processor under this DPA.
1.5 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
1.6 "Kuration AI Platform Data" means Personal Data independently collected, compiled, and controlled by Kuration AI from publicly available sources and proprietary research networks, which is licensed to the Client under the Principal Agreement.
1.7 "Client-Submitted Data" means Personal Data provided by the Client to Kuration AI for the purpose of enrichment, cleansing, matching, or other processing services.
1.8 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as set out in Appendix 1 to this DPA.
2. Roles and responsibilities
Controller-to-Controller relationship (Kuration AI Platform Data)
2.1 With respect to Kuration AI Platform Data, Kuration AI acts as an independent Data Controller. Kuration AI determines the purposes and means of collecting, compiling, and maintaining this data independently of the Client.
2.2 The Client, upon receiving Kuration AI Platform Data, becomes an independent Data Controller with respect to its use of that data. The Client shall process Kuration AI Platform Data in accordance with its own obligations under applicable Data Protection Laws.
2.3 Neither Party acts as a joint controller with the other. Each Party is independently responsible for its own compliance with Data Protection Laws as they relate to its respective processing activities.
2.4 Kuration AI's lawful basis for collecting and processing Kuration AI Platform Data is legitimate interest in providing B2B data intelligence services, specifically the compilation and licensing of publicly available business contact information.
Controller-to-Processor relationship (Client-Submitted Data)
2.5 Where the Client submits Personal Data to Kuration AI for processing, Kuration AI acts as a Data Processor and shall process Client-Submitted Data only on documented instructions from the Client, unless required to do so by applicable law.
2.6 The details of the processing of Client-Submitted Data are as follows:
- Subject matter: Data enrichment, cleansing, matching, and normalisation of business contact and company information submitted by the Client.
- Duration: For the term of the Principal Agreement plus thirty (30) days for deletion.
- Nature and purpose: Enrichment and normalisation of Client-provided business data against Kuration AI's proprietary databases and third-party sources.
- Categories of data subjects: Business contacts, company officers, event attendees, and other professional individuals as submitted by the Client.
- Types of Personal Data: Names, job titles, business email addresses, business phone numbers, company information, and professional social media profiles.
3. Controller obligations
3.1 Each Party shall, in its capacity as a Data Controller, comply with all obligations imposed on controllers under applicable Data Protection Laws, including but not limited to:
- Maintaining a lawful basis for processing Personal Data;
- Providing appropriate privacy notices to data subjects;
- Responding to data subject rights requests within statutory timeframes;
- Implementing appropriate technical and organisational security measures; and
- Maintaining records of processing activities.
3.2 The Client shall ensure that its use of Kuration AI Platform Data complies with all applicable laws, including anti-spam legislation (CAN-SPAM, PECR, CASL, TCPA), data protection laws, and industry-specific regulations.
3.3 Kuration AI shall maintain appropriate privacy notices and opt-out mechanisms for data subjects whose data is contained within the Kuration AI Platform Data, and shall honour data subject requests received directly, including through its Data Removal Request form and at `privacy@kuration.ai`.
4. Processor obligations (Client-Submitted Data)
4.1 When acting as a Processor, Kuration AI shall ensure that persons authorised to process Client-Submitted Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Kuration AI shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256);
- Logical access controls and role-based permissions;
- Regular testing and evaluation of security measures; and
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
4.3 Kuration AI shall not engage another processor (Sub-processor) without prior general written authorisation from the Client. The Client hereby provides general authorisation for Kuration AI to engage Sub-processors, subject to Kuration AI informing the Client of any intended changes and providing the Client a reasonable opportunity to object.
4.4 Where Kuration AI engages a Sub-processor, it shall impose on the Sub-processor equivalent data protection obligations by way of a written contract.
5. Data subject rights
Kuration AI Platform Data (Controller-to-Controller)
5.1 Each Party shall independently handle data subject requests relating to Personal Data for which it is a Controller. If Kuration AI receives a data subject request that relates to the Client's use of Kuration AI Platform Data, Kuration AI shall promptly inform the Client where reasonably practicable.
5.2 If the Client receives a data subject request (including opt-out, deletion, or access requests) relating to data originally sourced from Kuration AI, the Client shall notify Kuration AI at `privacy@kuration.ai` so that Kuration AI may apply appropriate suppression or correction to its own databases.
Client-Submitted Data (Controller-to-Processor)
5.3 Kuration AI shall assist the Client in responding to data subject rights requests relating to Client-Submitted Data, including rights of access, rectification, erasure, restriction, portability, and objection.
5.4 Kuration AI shall promptly notify the Client if it receives a request directly from a data subject concerning Client-Submitted Data, and shall not respond to such request without the Client's prior written authorisation, unless required by law.
6. Data breach notification
6.1 Each Party shall notify the other Party without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a Data Breach affecting Personal Data processed under this DPA.
6.2 The notification shall include:
- A description of the nature of the Data Breach;
- The categories and approximate number of data subjects and records concerned;
- A description of the likely consequences; and
- A description of measures taken or proposed to address the breach.
6.3 Each Party shall cooperate with the other and take such commercially reasonable steps as the other Party reasonably directs to assist in the investigation, mitigation, and remediation of any Data Breach. Data breach notifications to Kuration AI should be sent to `security@kuration.ai` with a copy to `privacy@kuration.ai`.
7. International data transfers
7.1 Kuration AI is established in Hong Kong but uses cloud infrastructure, sub-processors, and AI service providers that may be located in the European Union, the United Kingdom, the United States, and other jurisdictions. A current list of sub-processors and their locations is maintained in Annex III and updated as set out in Section 10.
7.2 Where the transfer of Personal Data from the European Economic Area (EEA) or the United Kingdom to Kuration AI in Hong Kong (or any other country not subject to an adequacy decision) is required, the Parties agree that such transfers shall be governed by the Standard Contractual Clauses (SCCs) as set out in Appendix 1 to this DPA.
7.3 For transfers of Kuration AI Platform Data (Controller-to-Controller), Module 1 of the SCCs shall apply. For transfers of Client-Submitted Data (Controller-to-Processor), Module 2 of the SCCs shall apply.
7.4 Each Party shall implement supplementary measures as necessary to ensure an adequate level of protection for transferred Personal Data, taking into account the circumstances of the transfer and the legal framework of the receiving country.
8. Audit rights
8.1 With respect to Client-Submitted Data, Kuration AI shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Client or an auditor mandated by the Client.
8.2 Audits shall be conducted with reasonable notice (minimum thirty (30) days) during normal business hours, no more than once per year, unless required by a supervisory authority or in the event of a Data Breach.
8.3 The Client shall bear its own costs in connection with any audit. Kuration AI may charge reasonable fees for staff time and resources expended in connection with audits beyond the first annual audit.
9. Data deletion and return
9.1 Upon termination of the Principal Agreement, Kuration AI shall, at the Client's election, return or delete all Client-Submitted Data within thirty (30) days of written request, unless applicable law requires continued storage.
9.2 Kuration AI shall provide written confirmation of deletion upon request.
9.3 This obligation applies to Client-Submitted Data and Client-specific deliverables. It does not extend to Kuration AI Platform Data, which is independently compiled and controlled by Kuration AI and maintained as part of its proprietary databases.
9.4 For the avoidance of doubt, termination of the Principal Agreement does not require Kuration AI to delete or modify any data within its independently maintained databases, except where required by a valid data subject request under applicable Data Protection Laws.
10. Sub-processors
10.1 Kuration AI maintains a current, publicly accessible list of the Sub-processors used to deliver the Services. The list, including each Sub-processor's purpose and location, is published at https://kurationai.com/sub-processors and is reproduced in Annex III for convenience. The list may include providers of application hosting and compute, database hosting, authentication and session management, transactional email, payment processing, large-language-model ("LLM") APIs used for enrichment and automation, and Kuration AI's proprietary human research network (Brainsfeed).
10.2 Kuration AI shall notify the Client of any intended changes to Sub-processors and provide the Client with a reasonable opportunity — minimum thirty (30) days — to object.
10.3 If the Client objects to a new Sub-processor on reasonable grounds, the Parties shall discuss the concern in good faith. If no resolution is reached, the Client may terminate the affected services upon written notice.
11. General provisions
11.1 This DPA shall be governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region of the People's Republic of China, without regard to its conflict-of-laws principles. Where the SCCs apply, the governing-law provisions of the SCCs shall prevail with respect to the matters covered therein.
11.2 Any dispute, controversy, difference, or claim arising out of or relating to this DPA, including the existence, validity, interpretation, performance, breach, or termination thereof, or any dispute regarding non-contractual obligations arising out of or relating to it, shall be referred to and finally resolved by arbitration administered by the Hong Kong International Arbitration Centre ("HKIAC") under the HKIAC Administered Arbitration Rules in force when the Notice of Arbitration is submitted. The seat of arbitration shall be Hong Kong, the number of arbitrators shall be one, and the arbitration proceedings shall be conducted in English. Where the SCCs govern a particular transfer, the SCCs' governing-law and forum provisions apply to the subject matter covered by those SCCs.
11.3 In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Personal Data.
11.4 This DPA shall remain in effect for the duration of the Principal Agreement and for so long as either Party processes Personal Data in connection with the Principal Agreement.
11.5 If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
Signatures
Where this DPA is executed as a standalone document (rather than incorporated into an Order Form or accepted through click-through), the Parties may sign below.
For and on behalf of Kuration AI Limited:
Name: ________________________ Title: ________________________ Signature: ________________________ Date: ________________________
For and on behalf of the Client:
Name: ________________________ Title: ________________________ Signature: ________________________ Date: ________________________
Appendix 1 — Standard Contractual Clauses (International Data Transfer Addendum)
This Appendix incorporates by reference the Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs"), as supplemented by this Appendix.
Applicable modules
The following modules of the EU SCCs apply to transfers under this DPA:
| Module | Applies to | Parties |
|---|---|---|
| Module 1 | Kuration AI Platform Data (independently sourced data licensed to Client) | Controller (Kuration AI) to Controller (Client) |
| Module 2 | Client-Submitted Data (data sent by Client for enrichment / processing) | Controller (Client) to Processor (Kuration AI) |
Annex I — Transfer details
A. List of Parties
Data Exporter (Client):
- Name: As identified in the Principal Agreement
- Address: As identified in the Principal Agreement
- Contact person: As identified in the Principal Agreement
- Role: Controller (Module 1 and Module 2)
Data Importer (Kuration AI):
- Name: Kuration AI Limited
- Address: Unit 2A, 17/F., Glenealy Tower, No. 1 Glenealy, Central, Hong Kong
- Contact person: Data Protection Contact — `privacy@kuration.ai`
- Role: Controller (Module 1) / Processor (Module 2)
B. Description of transfer
- Categories of data subjects: Business professionals, company officers, event attendees, and other individuals whose data is publicly available in a professional context.
- Categories of personal data: Names, job titles, business email addresses, business phone numbers, company names and details, professional social media profiles, and publicly available business information.
- Sensitive data: None. Kuration AI does not process sensitive personal data.
- Frequency of transfer: Continuous for the duration of the Principal Agreement, subject to credit-based usage limits.
- Nature of processing: Collection, enrichment, normalisation, storage, matching, and delivery of B2B contact data.
- Purpose of transfer: Module 1 — Licensing of Kuration AI Platform Data to the Client for B2B sales and marketing purposes. Module 2 — Enrichment and processing of Client-Submitted Data.
- Retention period: For the duration of the Principal Agreement plus thirty (30) days. Kuration AI Platform Data is retained independently as part of Kuration AI's proprietary databases.
Annex II — Technical and organisational measures
The Data Importer has implemented the following technical and organisational security measures:
- Encryption in transit: TLS 1.2+ enforced on all connections.
- Encryption at rest: AES-256 across all storage systems.
- Access control: Role-based access control (RBAC) with principle of least privilege.
- Authentication: Multi-factor authentication (MFA) for all internal access; managed session handling for platform users.
- Network security: Firewall rules, network segmentation, and isolated environments.
- Monitoring: Continuous monitoring, logging, and alerting for security events.
- Personnel: Confidentiality obligations for all staff; access reviews upon role changes.
- Incident response: Documented incident response plan with defined escalation paths; notifications to `security@kuration.ai`.
- Backup: Automated daily backups with point-in-time recovery.
- Sub-processor oversight: Contractual data protection obligations imposed on all Sub-processors.
- Human research operations: The Brainsfeed research network operates under confidentiality agreements and documented data-handling protocols.
Annex III — List of sub-processors
This list is a snapshot; the live list is published at https://kurationai.com/sub-processors and prevails in case of conflict.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, real-time data | Customer region (EU, US, or APAC as provisioned) |
| Vercel | Frontend and edge-function hosting | Global edge network |
| Koyeb | Application hosting and compute | Europe |
| Clerk | User authentication and session management | United States |
| Stripe | Payment processing | United States |
| Loops.so | Transactional and marketing email delivery | United States |
| OpenAI, Anthropic, Mistral AI, and other LLM providers | AI processing, enrichment, research automation | Primarily United States / European Union |
| Brainsfeed | Human research and data verification | Various (global network) |
| Third-party enrichment APIs | Data enrichment (as needed per workflow) | Various |
UK International Data Transfer Addendum
For UK transfers, the International Data Transfer Addendum ("IDTA") to the EU SCCs issued by the UK Information Commissioner's Office (ICO), as approved by Parliament and in force from 21 March 2022, shall apply in addition. The applicable version is the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses version B1.0." A copy is available from Kuration AI on request or at https://ico.org.uk.
The full text of the EU SCCs (Commission Implementing Decision (EU) 2021/914) is publicly available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. Copies of the applicable SCCs are available from Kuration AI on request.