Skip to content
Cuan
Legal

Data Processing Agreement

A summary of the DPA executed with every agency at onboarding. The signed DPA is the binding document.

Last updated June 2026

Roles

The agency (or OMC) is the controller; Cuan is the processor, acting only on documented instructions.

Subject matter & duration

Processing covers the operation of the Cuan platform for the duration of the subscription, plus statutory retention windows for financial records.

Subprocessors

Cuan uses a short list of EU-based subprocessors for hosting, email, SMS and AI. The current list is maintained and made available to controllers, with advance notice of changes.

Security measures

  • Row-level security mirroring the role-based permission model.
  • Encryption in transit and at rest.
  • MFA and SSO for staff; magic-link with rate-limiting for owners.
  • Immutable audit logging retained for at least seven years.
  • Bannered, logged support impersonation.

International transfers

EU-only hosting and subprocessors; no routine transfer outside the EEA.

Assistance

Cuan provides tooling to help controllers meet data-subject requests (access, export, erasure within statutory limits) and to support breach notification obligations.

See also Privacy and Security & GDPR.

This page is a plain-language summary published during Cuan's founding build. The definitive agreement is the signed contract and Data Processing Agreement provided during onboarding. Questions? Email hello@cuan.ie.