This Data Protection Addendum describes how Cubeship Consolidation Company handles customer personal data in connection with its services, including processing obligations, security measures, sub-processing, transfers, and deletion practices. This page was structured using the section flow from the UNIS reference page and adapted for Cubeship.
Your Privacy, Our Priority
1. Definitions
For purposes of this Data Protection Addendum, "Customer Personal Data" means personal data processed by Cubeship Consolidation Company on behalf of a customer in connection with the services described in an applicable order form, statement of work, or other governing commercial agreement. "Applicable Data Protection Law" means the data protection and privacy laws that apply to the processing of Customer Personal Data under the relationship between the parties.
References to "controller", "processor", "business", "service provider", "sub-processor", and "personal data breach" should be interpreted in a manner consistent with Applicable Data Protection Law. Where the same concept is described using different legal terminology in different jurisdictions, the closest applicable term shall govern.
2. Processing of Customer Personal Data
Cubeship Consolidation Company will process Customer Personal Data only for the purpose of providing the services, administering the commercial relationship, supporting operational workflows, complying with documented customer instructions, and satisfying legal or regulatory obligations that apply to the services.
Cubeship Consolidation Company will not sell Customer Personal Data and will not retain, use, or disclose Customer Personal Data for purposes other than those permitted by the governing agreement, this addendum, or Applicable Data Protection Law. To the extent required by law, Cubeship Consolidation Company will notify the customer if an instruction appears to conflict with legal requirements.
3. Cubeship Consolidation Company Personnel
Access to Customer Personal Data shall be limited to personnel who require such access to perform their duties in support of the services. Cubeship Consolidation Company will take commercially reasonable steps to ensure that such personnel are subject to confidentiality obligations and receive appropriate training or policy guidance relating to data handling and security expectations.
Cubeship Consolidation Company will maintain internal access controls designed to reduce the risk of unauthorized review, use, modification, or disclosure of Customer Personal Data by personnel who do not have a legitimate business need.
4. Security
Cubeship Consolidation Company will maintain administrative, technical, and organizational safeguards appropriate to the nature of the Customer Personal Data processed and the services provided. These safeguards are intended to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access.
Without guaranteeing any particular control framework unless otherwise stated in writing, Cubeship Consolidation Company may implement measures such as role-based access restrictions, authentication controls, logging, vendor review, environment segregation, secure transmission methods, and response procedures aligned with operational risk.
5. Sub-Processing
Cubeship Consolidation Company may engage affiliates, vendors, hosting providers, infrastructure providers, communications providers, or other service providers to support delivery of the services. Where such providers may process Customer Personal Data, Cubeship Consolidation Company will use commercially reasonable efforts to require them to provide protections appropriate to the nature of the processing they perform.
Customers acknowledge that sub-processing may be necessary to provide digital tools, communications, infrastructure, analytics, storage, or operational support related to the services. Cubeship Consolidation Company remains responsible for managing its sub-processing relationships in a manner consistent with this addendum and the governing agreement.
6. Data Subject Requests
To the extent legally required and commercially reasonable, Cubeship Consolidation Company will provide appropriate assistance to the customer in responding to verified data subject requests relating to Customer Personal Data processed under this addendum.
Unless prohibited by law or contract, if Cubeship Consolidation Company receives a request directly from a data subject concerning Customer Personal Data for which the customer is the relevant controller or business, Cubeship Consolidation Company may direct the requester to the customer or notify the customer so that the request can be addressed through the proper channel.
7. Personal Data Breach
If Cubeship Consolidation Company becomes aware of a confirmed personal data breach affecting Customer Personal Data, Cubeship Consolidation Company will take commercially reasonable steps to contain, investigate, and mitigate the incident. Cubeship Consolidation Company will also provide notice to the customer within a reasonable period when such notice is required by law or by the governing agreement.
Any such notice may include, to the extent reasonably available at the time, a description of the nature of the incident, the categories of information affected, the likely consequences, and the remediation or mitigation steps taken or proposed.
8. Data Protection Impact Assessment and Prior Consultation
Where Applicable Data Protection Law requires the customer to conduct a data protection impact assessment or engage in prior consultation with a supervisory authority in connection with the services, Cubeship Consolidation Company will provide reasonable cooperation by making available information it can reasonably disclose about the relevant processing activities.
Any such cooperation will be limited to information within Cubeship Consolidation Company's possession or control and may remain subject to confidentiality, security, and legal restrictions.
9. Audit Rights
To the extent the governing agreement grants audit, review, or assessment rights relating to the processing of Customer Personal Data, such rights shall be exercised in a manner that is reasonable, proportionate, and designed to avoid unnecessary operational disruption, security exposure, or access to information relating to other customers.
Cubeship Consolidation Company may satisfy reasonable audit requests through existing documentation, written responses, policies, certifications, summaries of controls, or other information that demonstrates compliance without requiring broad physical or systems access unless otherwise required by law or agreed in writing.
10. Data Transfers
Customer Personal Data may be processed in jurisdictions other than the jurisdiction in which it was originally collected when necessary to provide the services, support the customer's operations, or use infrastructure and service providers that support Cubeship Consolidation Company's environment.
Where cross-border transfer mechanisms are required under Applicable Data Protection Law, the parties intend that appropriate legal safeguards, contractual commitments, or recognized transfer tools will be used to support such transfers.
11. Retrieval and Deletion of Customer Personal Data
Following termination or expiration of the services, Cubeship Consolidation Company may, subject to the governing agreement, make Customer Personal Data available for retrieval for a reasonable period where commercially practical. Thereafter, Cubeship Consolidation Company may delete or render inaccessible Customer Personal Data unless continued retention is required for legal, regulatory, fraud prevention, security, backup integrity, dispute resolution, or legitimate business recordkeeping reasons.
Nothing in this section requires Cubeship Consolidation Company to remove Customer Personal Data from archival systems immediately where such removal would be disproportionate or technically impractical, provided that retained data remains protected in accordance with this addendum.
12. Liability
Except to the extent otherwise required by Applicable Data Protection Law, the liability of each party arising out of or relating to this Data Protection Addendum shall remain subject to the exclusions, limitations, and allocation of risk set out in the governing agreement between the parties.
This addendum does not create an independent basis for liability beyond what is otherwise provided in the governing agreement unless expressly required by law.
13. California-Specific Provisions
To the extent California privacy law applies to the processing of Customer Personal Data, Cubeship Consolidation Company will process such data in a manner consistent with its role under the governing agreement and will not retain, use, or disclose such data outside the direct business relationship except as permitted by law.
Where required, the parties intend this addendum to support the service-provider or contractor restrictions applicable under California law, including reasonable limitations on secondary use and appropriate cooperation regarding rights requests and compliance inquiries.
Standard Contractual Clauses
Module Two - Transfer Controller to Processor
Where a lawful transfer mechanism is required for controller-to-processor transfers of Customer Personal Data, the parties may rely on the relevant contractual module or another legally recognized mechanism appropriate to the service relationship and the jurisdictions involved.
The parties intend that any such mechanism be interpreted consistently with the governing agreement and this addendum, while preserving any mandatory legal terms required for a valid transfer.
Section I
Section I generally identifies the parties, the roles they perform, the scope of the transfer, and the relationship between the commercial agreement and the transfer terms. It may also identify contact details, signatures, and annex references where required.
Section II - Obligations of the Parties
Section II generally addresses the lawful basis for the transfer, the documented instructions governing the processing, confidentiality commitments, security obligations, sub-processing limitations, and obligations to support the exporting party where necessary.
Section III - Local Laws and Obligations in Case of Access by Public Authorities
Section III generally addresses the parties' expectations regarding local law, the handling of requests from public authorities, and the obligation to assess whether local legal requirements are likely to undermine the protections intended by the transfer mechanism.
Section IV - Final Provisions
Section IV generally covers effectiveness, interpretation, hierarchy with other contractual terms, governing execution mechanics, and the circumstances in which the transfer mechanism may be suspended, terminated, or supplemented.
Appendix
Annex I
Annex I generally identifies the exporting and importing parties, the categories of data subjects whose data may be processed, the categories of Customer Personal Data involved, the frequency and duration of the processing, and the general business purposes served by the processing activities.
Annex II
Annex II generally describes the technical and organizational security measures implemented by Cubeship Consolidation Company or relevant service providers. These may include access control practices, authentication standards, network protections, data handling safeguards, backup practices, internal policies, and incident response measures.
Annex III
Annex III generally identifies authorized sub-processors or categories of service providers that may support the services. Such providers may include infrastructure hosting, communications systems, analytics tooling, support systems, document workflow providers, and other operational vendors reasonably required to deliver the services.