Effective Date: 1 December 2025
Version: 2.0
Issuing Entities:
- Strategic Global Holdings Pty Ltd (ACN 693 256 503)
- Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app
Governance Oversight: Group CEO, Strategic Global Holdings Pty Ltd
Review Cycle: Annual or earlier if required by law or operational change
1. Introduction
This Data Processing Agreement (DPA) supplements the Terms of Use, Privacy Policy, Cross-Border Transfer Notice, and other agreements between Customer and Superspeed.ai Pty Ltd (Cushi.ai / Cushi.app). It governs the processing of Personal Data in compliance with GDPR, UK GDPR, the Australian Privacy Act (APPs), CPRA, PIPL, LATAM privacy laws, and global data-protection standards.
2. Definitions
Customer: The organisation licensing the Services.
Customer Data: Personal Data uploaded or provided by Customer.
Cushi Data: Operational analytics, logs, metadata, and platform-generated data controlled by Cushi.
Personal Data: Information relating to an identifiable individual under applicable law.
Processing: Any operation performed on Personal Data.
Controller: Entity determining purpose and means of Processing.
Processor: Entity processing data on behalf of a Controller.
Subprocessor: Third party engaged by Cushi to support processing activities.
3. Roles and Responsibilities (Hybrid Model)
Cushi may act as Processor for Customer Data (training data, workflows, uploaded content) and as Controller for account data, billing information, operational analytics, and security data.
4. Subject Matter and Duration of Processing
Processing continues for the duration of the Customer agreement and terminates upon deletion or return of Customer Data.
5. Customer Instructions
Cushi processes Customer Data only on Customer instructions or where legally required. Cushi will not sell or misuse Customer Data.
6. Security of Processing
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256-equivalent)
- RBAC and least-privilege access
- Secure SDLC and code reviews
- Network security and segmentation
- Vulnerability scanning and patch management
- Logging, monitoring, and alerting
- Incident response and disaster recovery alignment with ISO 27001 and 22301
7. Confidentiality
All authorised personnel are bound by confidentiality obligations and receive mandatory training.
8. Subprocessors
Cushi imposes GDPR-equivalent requirements on all Subprocessors, remains accountable for their actions, and maintains an up-to-date Subprocessor Register.
9. International Data Transfers
Transfers outside the EEA/UK rely on SCCs, UK Addendum, adequacy decisions, or additional safeguards. Cross-border safeguards are described in the Cross-Border Transfer Notice.
10. Assistance to Customer
- Supporting Data Subject Requests
- Assisting with DPIAs
- Cooperating with regulators where required
11. Data Subject Rights
Cushi notifies Customer of relevant Data Subject Requests and assists as required.
12. Personal Data Breach Notification
- Notify Customer without undue delay
- Provide breach details for assessment
- Support regulatory notifications and remediation
13. Customer Responsibilities
- Ensuring lawful basis for Customer Data
- Providing appropriate notices and consents
- Configuring Services lawfully
- Securing Customer systems and credentials
14. Audits and Compliance
Cushi maintains documentation demonstrating compliance. Customer may request information, and audits may be permitted under reasonable notice without compromising security.
15. Data Retention and Deletion
Customer Data is deleted or returned upon termination. Backups delete upon automated lifecycle expiry.
16. Liability
Liability aligns with the main agreement. Cushi is responsible for Processor obligations and Controller misuse; Customer remains responsible for instructions issued.
17. Term and Survival
This DPA remains effective while Cushi processes Customer Data. Confidentiality, liability, and deletion obligations survive termination.
18. Governing Law
Governing law follows the main agreement. For Australian Customers, Queensland law applies.
19. Contact
privacy@cushi.ai
Superspeed.ai Pty Ltd
Brisbane, Australia
Annex A – Definitions
Customer: The organisation licensing the Services.
Customer Data: Personal Data uploaded or provided by Customer.
Cushi Data: Operational analytics, logs, metadata, and platform-generated data controlled by Cushi.
Personal Data: Information relating to an identifiable individual under applicable law.
Processing: Any operation performed on Personal Data.
Controller: Entity determining purpose and means of Processing.
Processor: Entity processing data on behalf of a Controller.
Subprocessor: Third party engaged by Cushi to support processing activities.
Version Control, Review & Governance
Version: 2.0 – Ultra Final
Effective Date: 1 January 2025
Review Cycle: Annual or earlier.
Approval: Chief Executive Officer, Superspeed.ai Pty Ltd
Change Summary: Added SCC/UK Addendum alignment, TOMs uplift, hybrid roles clarification, enhanced audit controls, cross-border safeguards, and fully updated global compliance references.
ANNEX B – Data Categories and Processing Purposes
Data Subjects:
- Administrators
- End users/learners
- HR/enterprise personnel
- Support contacts
Data Categories:
- Identifiers (name, email)
- Account details
- Usage logs and metadata
- Uploaded content
- Support communications
Processing Purposes:
- Service delivery
- Authentication
- Security monitoring
- Analytics
- Support and troubleshooting
ANNEX C – Technical and Organisational Measures (TOMs)
Access Control:
- RBAC, MFA, least-privilege
Encryption:
- TLS 1.2+ in transit
- AES-256 at rest
Monitoring & Logging:
- Centralised logging
- SIEM alerting
Business Continuity:
- ISO 22301-aligned DR
- Daily backups
Incident Response:
- 24/7 monitoring
- Regulatory notification workflows
Version Control, Review & Governance
© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app.
Part of the Strategic Global Holdings Pty Ltd Group (ACN 693 256 503). All rights reserved.
Privacy: privacy@cushi.ai | Security: security@cushi.ai | Support: support@cushi.ai