Data processing agreement

This Data Processing Agreement ("DPA") supplements the RUQA Terms of Service. It applies whenever RUQA processes personal data on behalf of a customer (the "Controller") subject to the GDPR or UK GDPR.

Customer is the Controller of personal data ingested into the workspace. RUQA (Curea Inc.) is the Processor.

RUQA may engage Subprocessors. The current list lives at /subprocessors. New subprocessors are notified 30 days in advance.

RUQA processes the following categories: workspace member identifiers, work signals (commits, AI sessions, message metadata), and outputs derived from those signals (standups, capability scores, triangulation flags).

Processing is limited to what is necessary to provide the service.

AES-256 at rest; TLS 1.3 in transit. Per-workspace encryption keys. Role-based access. SOC 2 Type II in progress (target Q4 2026).

Personnel are bound by confidentiality and complete annual security training. Production access requires hardware MFA.

RUQA assists the Controller in fulfilling data-subject requests within 30 days. Self-service tooling is available for access, export, and erasure.

Where required, transfers from the EEA, UK, or Switzerland rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK IDTA addendum.

Customers may request the latest audit reports (SOC 2 / penetration tests) annually. On-site audits are available for Enterprise customers under reasonable scope and notice.

This DPA terminates with the underlying agreement. On termination, customer data is exportable for 30 days, then hard-deleted within 90 days (including backups).

Enterprise customers can request a counter-signed DPA at legal@ruqa.ai. Self-serve workspaces are deemed to accept this DPA on enabling RUQA.