Data Processing Agreement

The DPA applies to all processing of personal data that 38Hub performs on behalf of the customer ("Data Controller") in connection with the provision of the 38Hub platform and related services. It supplements and forms part of your agreement with 38Hub (the Terms of Service).

The DPA covers personal data submitted to, stored on, or processed through the 38Hub platform, including account information, content data, usage data, and any personal data processed by our AI features or third-party sub-processors.

The DPA specifies the following data processing details:

• •Subject matter: Provision of the 38Hub content creation platform
• •Duration: For the term of your 38Hub subscription, plus any retention period required by law
• •Nature and purpose: Storage, processing, and AI-assisted analysis of content and account data to provide platform features
• •Types of personal data: Name, email, profile information, content data, usage data, payment information
• •Categories of data subjects: Platform users (individual creators, team members, organization accounts)

38Hub implements and maintains appropriate technical and organizational measures to protect personal data, including:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• PostgreSQL Row-Level Security (RLS) ensuring per-user data isolation
• Regular security assessments and vulnerability testing
• Access controls with principle of least privilege
• Automated backups with encrypted storage
• Incident response procedures with defined notification timelines
• Employee security training and confidentiality obligations

38Hub engages a limited number of sub-processors to deliver the platform. A complete list of current sub-processors, including their purpose and location, is maintained on our Sub-Processors page.

We will provide at least 30 days advance notice before adding any new sub-processor. You may object to the appointment of a new sub-processor within 14 days of notification. All sub-processors are bound by contractual obligations equivalent to those in the DPA.

38Hub will assist you in responding to requests from data subjects exercising their rights under applicable data protection law, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. Where technically feasible, we provide self-serve tools within the platform for users to exercise these rights directly. For requests that cannot be fulfilled through the platform, we will provide reasonable assistance within the timelines required by applicable law.

Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred to a country that does not have an adequacy decision from the European Commission, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs) as approved by the European Commission (2021/914)
• Supplementary measures where required, including encryption and access controls
• Transfer impact assessments for each sub-processor and destination country

The DPA provides you with the right to audit our compliance with the data processing obligations set out in the agreement. We may satisfy audit requests by providing relevant certifications, audit reports, or documentation from independent third-party auditors. Where additional auditing is required, we will work with you to arrange a reasonable audit process, subject to confidentiality obligations and reasonable advance notice.

The DPA remains in effect for the duration of your use of the 38Hub platform. Upon termination, 38Hub will delete or return all personal data processed under the DPA, unless retention is required by applicable law. We will complete the deletion of personal data within 90 days of termination, and will provide written confirmation of deletion upon request.