Product

Solutions

Pricing

resources

book a demo

Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

  1. Roles of the Parties

  1. Subject Matter and Duration

  1. Nature and Purpose of Processing

  1. Categories of Data and Data Subjects

  1. Instructions

6. Confidentiality

  1. Security Measures

  1. Subprocessors

  1. International Transfers

  1. Assistance

  1. Personal Data Breaches

  1. Deletion or Return of Data

  1. Audits

  1. Governing Law

Last Updated: February 18, 2026

This Data Processing Addendum (“DPA”) forms part of the Enterprise Terms of Service and any applicable Order Form between:

Curiosity GmbH
Baaderstr. 19
80469 Munich
Germany
and the Customer.

This DPA applies where and to the extent Curiosity processes personal data on behalf of Customer in connection with the Services.

Roles of the Parties

Customer acts as the controller of personal data processed under this DPA.

Curiosity acts as the processor and processes personal data solely on behalf of Customer and in accordance with documented instructions.

Subject Matter and Duration

This DPA governs the processing of personal data in connection with the provision of Cloud Workspace or Enterprise Services.

Processing takes place for the duration of the Services as defined in the applicable Order Form.

Nature and Purpose of Processing

Curiosity processes personal data for the purpose of:

  • Hosting and operating the Services

  • Providing access and authentication

  • Storing, indexing, and enabling search of Customer Data

  • Enabling optional AI features when activated by Customer or workspace administrators

  • Providing support and maintenance

Processing activities may include storage, retrieval, analysis, transmission (where required for AI features), and deletion.

Categories of Data and Data Subjects

Categories of data may include:

  • Account data (name, email address, role)

  • Workspace content (documents, files, emails, structured data)

  • Log and usage data

  • Chat content where AI features are used

Data subjects may include:

  • Customer employees

  • Contractors

  • End users

  • Business partners

  • Other individuals whose data is included in Customer Data

Customer determines the specific categories of data processed through its use of the Services.

Instructions

Curiosity processes personal data only on documented instructions from Customer, including those set out in the Enterprise Terms and Order Form.

If Curiosity believes that an instruction violates applicable data protection law, it will inform Customer without undue delay.

Confidentiality

Curiosity ensures that persons authorized to process personal data are bound by confidentiality obligations.

Security Measures

Curiosity implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

An overview of current technical and organizational measures is provided in the Trust Center and may be updated from time to time.

Subprocessors

Customer authorizes Curiosity to engage subprocessors to support the provision of the Services.

Subprocessors may include:

  • Hosting and infrastructure providers

  • AI model providers (where AI features are activated)

  • Other service providers necessary to operate the Services

Curiosity ensures that subprocessors are bound by contractual obligations that provide data protection safeguards equivalent to those set out in this DPA.

Curiosity remains responsible for the performance of its subprocessors in accordance with applicable law.

International Transfers

Where personal data is transferred outside the EU/EEA, Curiosity ensures that appropriate safeguards are in place, such as Standard Contractual Clauses or reliance on adequacy decisions.

Assistance

Taking into account the nature of the processing, Curiosity shall assist Customer by appropriate technical and organizational measures, insofar as possible, to:

  • Respond to requests from data subjects

  • Comply with obligations relating to data security

  • Notify and manage personal data breaches

  • Conduct data protection impact assessments where required

Personal Data Breaches

Curiosity shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.

Deletion or Return of Data

Upon termination of the Services, Curiosity shall delete or return personal data in accordance with Customer’s instructions and the Enterprise Terms, unless retention is required by law.

Audits

Customer may request reasonable information necessary to demonstrate compliance with this DPA. Audits shall be conducted during normal business hours and in a manner that does not unreasonably disrupt Curiosity’s operations.

Governing Law

This DPA is governed by the laws of Germany. Jurisdiction is determined in accordance with the Enterprise Terms.