Data Processing Agreement

Last updated: Dec 7, 2025

This Data Processing Addendum ("DPA") forms part of the Cloud Service Agreement ("Agreement") between UAB “Autonominiai pardavimai” (trading as Cust) ("Provider") and the Customer identified in the Agreement ("Customer").

This DPA applies to the extent that Provider processes Personal Data on behalf of Customer in the course of providing the Cloud Services.

1. Definitions

  • "Controller" means the entity which determines the purposes and means of the processing of Personal Data.
  • "Processor" means the entity which processes Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including but not limited to the EU General Data Protection Regulation 2016/679 ("GDPR") and the California Consumer Privacy Act ("CCPA") as amended by the CPRA.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") processed by Provider on behalf of Customer.
  • "Sub-processor" means any third-party processor engaged by Provider to assist in fulfilling its obligations with respect to providing the Services.

2. Roles and Scope

2.1 Roles. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Provider is the Processor.

2.2 Nature of Processing. Provider shall process Personal Data only for the purpose of providing the Services (including AI-driven insights, workflow automation, and customer success management) and in accordance with Customer’s documented instructions.

3. Provider Responsibilities

3.1 Data Subject Rights. To the extent legally permitted, Provider shall promptly notify Customer if it receives a request from a Data Subject to exercise their rights (e.g., right of access, rectification, erasure). Provider shall not respond to such request without Customer’s prior written consent, except to confirm that the request relates to Customer. Provider shall provide reasonable assistance to Customer to fulfill these rights.

3.2 Confidentiality. Provider shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the data and have received appropriate training on their responsibilities.

3.3 Security. Provider shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be consistent with the Provider’s SOC 2 compliance standards.

4. Sub-processing

4.1 Authorized Sub-processors. Customer grants a general authorization to Provider to engage Sub-processors to provide the Services. A current list of Sub-processors is available at our Privacy Policy page.

4.2 Changes to Sub-processors. Provider will notify Customer (via email or in-app notification) of any intended changes concerning the addition or replacement of Sub-processors. Customer may object to such changes on reasonable data protection grounds within ten (10) days of such notice.

4.3 Liability. Provider remains fully liable to Customer for the performance of the Sub-processor’s data protection obligations.

5. International Data Transfers

5.1 Hosting Location. Customer can choose data hosting residency between the US and Europe.

5.2 Transfer Mechanisms. To the extent that the processing of Personal Data involves an international transfer of data from the European Economic Area (EEA), Switzerland, or the UK to a country that does not ensure an adequate level of protection, the parties agree to rely on the EU Standard Contractual Clauses (SCCs), which are hereby incorporated by reference.

6. Data Breaches

6.1 Notification. Provider shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a confirmed Personal Data Breach affecting Customer’s data.

6.2 Assistance. Provider shall provide reasonable assistance to Customer in complying with its obligations to notify supervisory authorities or Data Subjects.

7. Audits

7.1 Security Reports. Upon written request, Provider shall supply Customer with its most recent SOC 2 audit report to demonstrate compliance with this DPA.

7.2 Inspections. Due to the security risks of allowing third-party access to production environments, the parties agree that the provision of the audit reports in Section 7.1 satisfies Customer’s audit rights under Data Protection Laws, unless a formal audit is strictly required by a Supervisory Authority.

8. CCPA/CPRA

8.1 Service Provider Status. For the purposes of the CCPA, Provider acts as a "Service Provider."

8.2 Restrictions. Provider certifies that it shall not:

  • (a) Sell or Share Customer’s Personal Data.
  • (b) Retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services.
  • (c) Combine Personal Data with personal data it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, except as permitted by the CCPA.

9. Return or Deletion

Upon termination or expiration of the Agreement, Provider shall delete all Personal Data in accordance with the timelines specified in the Agreement within 5 working days, unless applicable law requires storage of the Personal Data.

Annex 1: Details of Processing

A. Subject Matter and Duration of the Processing

The subject matter of the processing is the provision of the AI Customer Success Platform ("Cust"). The duration is the term of the Agreement.

B. Nature and Purpose of the Processing

Processing includes collection, storage, retrieval, consultation, and use of data to provide customer success insights, generate AI summaries, automated workflows, and reporting.

C. Categories of Data Subjects

  • Customer’s employees (users of the platform).
  • Customer’s clients/customers (whose data is synced via CRM, email, and other connected platforms).

D. Categories of Personal Data

  • Contact Information: Names, email addresses, phone numbers, job titles.
  • Communication Data: Email contents, calendar invites, call transcripts, ticketing system records.
  • System Usage Data: Log data regarding the use of the Cust platform.

Annex 2: Technical and Organizational Measures

Provider currently maintains the following minimum security measures:

  • Encryption Everywhere: All data is encrypted in transit using TLS 1.2+ and at rest with AES-256, safeguarding your information at all times.
  • Access Control: We enforce strict access controls and the principle of least privilege, ensuring only authorized personnel have access to systems.
  • Continuous Monitoring: We continuously monitor our systems for vulnerabilities and suspicious activity to proactively identify and mitigate threats.
