GENPLIFY
Genplify Limited
Unit 2A, 17/F, Glenealy Tower, No.1 Glenealy, Central, Hong Kong S.A.R.
Business Registration No.: 79681950
PDPO & GDPR Compliant — Governing Law: Hong Kong SAR
Effective Date: 1 January 2026
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service (“Agreement”) between Genplify Limited (“Genplify”, “Processor”) and the entity that has accepted the Agreement (“Customer”, “Controller”). This DPA sets out the terms on which Genplify processes Personal Data on behalf of the Customer in connection with the Service.
In this DPA, unless otherwise defined:
“Personal Data” means any data relating directly or indirectly to a living individual from which it is practicable to ascertain the identity of that individual, as defined by the PDPO; or any information relating to an identified or identifiable natural person, as defined by the GDPR, as applicable.
“Processing” means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates (i.e., the Authorised Users).
“PDPO” means the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong.
“GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).
“UK GDPR” means the GDPR as retained in UK domestic law by the European Union (Withdrawal) Act 2018.
“Applicable Data Protection Law” means, with respect to any Processing activity, the data protection law(s) applicable to such Processing, which may include the PDPO, GDPR, UK GDPR, or other relevant legislation.
The Customer is the Controller (or “Data User” under the PDPO). Genplify is the Processor (or processes data on behalf of the Data User under the PDPO). The Customer determines the purposes and means of Processing; Genplify processes Personal Data only on behalf of and in accordance with the Customer’s documented instructions.
Categories of Data Subjects: Employees, contractors, and other individuals designated by the Customer as Authorised Users.
Categories of Personal Data: Full name; professional email address; job title and department (if provided); assessment responses and completion timestamps; individual proficiency scores and analytics; IP address and browser metadata (for security and platform functionality).
Purposes of Processing: Delivery of the assessment and training Service; generation of individual and organisational proficiency reports; production of Aggregated Data for benchmarking (as defined and permitted under the Agreement); platform security, fraud prevention, and technical support.
Duration of Processing: For the duration of the Subscription Term plus 30 days following termination (to allow data export), after which Personal Data shall be deleted unless retention is required by law.
No Sensitive Personal Data: The Service is not designed to collect sensitive personal data (as defined under the GDPR) or data relating to health, biometrics, political opinions, religious beliefs, or criminal records. The Customer shall not submit sensitive personal data to the Service.
Genplify shall process Personal Data only in accordance with the Customer’s documented instructions, unless required to do so by the laws of Hong Kong or applicable EU/UK law. If Genplify is required by law to process Personal Data other than in accordance with the Customer’s instructions, Genplify shall inform the Customer of that legal requirement before processing, unless prohibited from doing so.
Genplify shall ensure that all personnel authorised to process Personal Data are bound by obligations of confidentiality.
Genplify shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Such measures shall include, at a minimum: encryption of Personal Data at rest (AES-256 or equivalent) and in transit (TLS 1.3); access controls with role-based permissions and multi-factor authentication for administrative access; regular security testing, including vulnerability assessments; secure data centres with physical access controls; automated backup and disaster recovery procedures; security incident detection and logging.
Genplify may engage sub-processors to assist in providing the Service. A list of current sub-processors is available in the legal section of genplify.com. Genplify shall: (a) notify the Customer at least 14 days before engaging a new sub-processor; (b) impose data protection obligations on each sub-processor that are at least as protective as those in this DPA; and (c) remain fully liable for the acts and omissions of its sub-processors. If the Customer objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If the objection cannot be resolved within 30 days, the Customer may terminate the Agreement.
Genplify shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures in fulfilling the Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, correction, erasure, portability, and objection). If Genplify receives a request directly from a Data Subject, Genplify shall promptly redirect the request to the Customer unless legally prohibited from doing so.
Genplify shall notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. Such notification shall include: a description of the nature of the breach, including the categories and approximate number of Data Subjects affected; the likely consequences of the breach; the measures taken or proposed to be taken to address the breach and mitigate its effects; the identity and contact details of Genplify’s point of contact for further information (legal@genplify.com). Genplify shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
Genplify shall provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law, taking into account the nature of Processing and the information available to Genplify.
Upon reasonable written request (not more than once per year, unless required by a supervisory authority), Genplify shall make available to the Customer information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer, subject to reasonable confidentiality obligations and advance notice of at least 30 days.
The Customer shall: (a) comply with all Applicable Data Protection Laws in its use of the Service; (b) ensure that it has a lawful basis for the processing of Authorised Users’ Personal Data (whether consent, legitimate interest, contractual necessity, or other lawful basis); (c) provide all required notices to Authorised Users regarding the processing of their data through the Service; (d) not submit any sensitive personal data (as defined under the GDPR) or data relating to children to the Service; and (e) ensure that its instructions to Genplify comply with Applicable Data Protection Law.
The Customer acknowledges that Genplify is established in Hong Kong SAR and that Personal Data may be processed and stored in Hong Kong. Where the Customer’s Authorised Users are located in a jurisdiction that restricts cross-border transfers of Personal Data (including the EEA or UK), the parties agree that such transfers shall be subject to the appropriate transfer mechanism:
For EEA transfers: The Standard Contractual Clauses (“SCCs”) adopted by the European Commission (Decision 2021/914) are hereby incorporated by reference and shall apply. For the purposes of the SCCs: the Customer is the “data exporter”; Genplify is the “data importer”; Module Two (Controller to Processor) applies; the governing law is that of the EU Member State in which the data exporter is established; the competent supervisory authority is that of the EU Member State in which the data exporter is established. The completed Annexes to the SCCs shall be agreed between the parties at or prior to the commencement of any transfer of Personal Data from the EEA.
For UK transfers: The International Data Transfer Agreement (“IDTA”) or the UK Addendum to the EU SCCs issued by the Information Commissioner’s Office shall apply, as appropriate.
Genplify confirms that, to its knowledge, the laws of Hong Kong SAR do not prevent Genplify from fulfilling its obligations under this DPA or the applicable SCCs/IDTA. Hong Kong’s legal framework, including the PDPO and the independent judiciary, provides protections for personal data. Genplify shall promptly inform the Customer if it becomes aware of any change in law that would materially affect its ability to comply with this DPA.
Genplify shall retain Personal Data for the duration of the Subscription Term and shall not delete Personal Data during this period except upon the Customer’s instruction.
Following termination or expiry of the Agreement, Genplify shall: (a) upon the Customer’s written request within 30 days of termination, return all Personal Data to the Customer in a commonly used, machine-readable format (CSV or JSON); and (b) after the 30-day period (or immediately if the Customer confirms it does not require data return), securely delete all Personal Data from Genplify’s systems and those of its sub-processors, except where retention is required by applicable law. Genplify shall certify deletion in writing upon the Customer’s request. For the avoidance of doubt, deletion of Personal Data does not affect Genplify’s right to retain and use Aggregated Data as defined and permitted under the Agreement.
To the extent that the PDPO applies to the processing of Personal Data under this DPA: (a) Genplify shall comply with the six Data Protection Principles set out in Schedule 1 of the PDPO; (b) Genplify shall not transfer Personal Data outside Hong Kong except in compliance with the PDPO (including, once in force, Section 33 on cross-border transfers); (c) Genplify shall cooperate with the Privacy Commissioner for Personal Data in the event of any investigation or enquiry; and (d) Genplify shall maintain records of its processing activities in a manner consistent with the PDPO’s transparency requirements.
To the extent that the GDPR or UK GDPR applies to the processing of Personal Data under this DPA: (a) the legal basis for processing shall be as determined by the Customer in accordance with Article 6 of the GDPR; (b) Genplify shall assist the Customer with requests from Data Subjects exercising their rights under Articles 15 to 22 of the GDPR; (c) Genplify shall assist the Customer with data protection impact assessments under Article 35 and prior consultation under Article 36; (d) Genplify shall appoint an EU representative under Article 27 if and when required by the volume or nature of processing activities; and (e) the SCCs or IDTA (as applicable) shall govern international transfers as set out in Section 5.
The limitations of liability set out in the Agreement shall apply to this DPA. Nothing in this DPA limits either party’s liability for breaches of Applicable Data Protection Law to the extent such limitation is not permitted under that law.
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, subject to the data retention and deletion obligations in Section 6.