Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between KYC Genie FZC LLC ("KYC Genie", "Processor", "we", "us") and the entity that has agreed to the KYC Genie Terms of Service or otherwise engaged KYC Genie's services ("Controller", "Client", "you").

This DPA is incorporated into and subject to the Terms of Service or other written agreement between the parties (the "Principal Agreement"). In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of personal data, this DPA shall prevail.

By using KYC Genie's services, you agree to the terms of this DPA. If you require a signed, individually negotiated version of this DPA, please contact [email protected].

1. DEFINITIONS

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in applicable Data Protection Law.

"Controller" means the entity that determines the purposes and means of the processing of Personal Data — in this context, the Client.
"Data Protection Law" means, as applicable: (a) the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK GDPR as defined in the UK Data Protection Act 2018 ("UK GDPR"); (c) the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its implementing regulations; and (d) any other applicable data protection or privacy legislation in force from time to time.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person processed by KYC Genie on behalf of the Controller under this DPA.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Processing" (and "Process", "Processes", "Processed") means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, restriction, deletion, or destruction.
"Processor" means KYC Genie FZC LLC, which processes Personal Data on behalf of the Controller.
"Services" means the KYC Genie platform and associated services provided under the Principal Agreement.
"Sub-processor" means any third party engaged by KYC Genie to process Personal Data in connection with the Services.
"Supervisory Authority" means the competent data protection regulatory authority under applicable Data Protection Law.

2. SCOPE AND DETAILS OF PROCESSING

KYC Genie processes Personal Data on behalf of the Controller solely for the purpose of providing the Services as described in Schedule 1 and as configured and instructed by the Controller through its use of the platform.

The Controller's use of the Services — including configuring questionnaires, initiating AML screening, uploading documents, and triggering identity verification checks — constitutes the Controller's documented instructions to KYC Genie to process Personal Data for the purposes described in Schedule 1. KYC Genie shall not process Personal Data for any other purpose unless required by applicable law, in which case clause 3.1 applies.

3. OBLIGATIONS OF THE PROCESSOR

KYC Genie shall, in respect of all Personal Data processed under this DPA:

3.1 Lawful Processing on Instructions

Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. Where KYC Genie is required by law to process Personal Data other than in accordance with the Controller's instructions, KYC Genie shall notify the Controller of that requirement before processing, unless the applicable law prohibits such notification.

If KYC Genie reasonably believes that an instruction from the Controller infringes applicable Data Protection Law, KYC Genie shall promptly notify the Controller. KYC Genie shall not be obliged to follow such an instruction unless the Controller has confirmed it in writing and KYC Genie is reasonably satisfied it is lawful.

3.2 Confidentiality

Ensure that all personnel authorised to process Personal Data are subject to appropriate obligations of confidentiality and have received adequate training in data protection.

3.3 Security

Implement and maintain appropriate technical and organisational measures to protect Personal Data as described in clause 6 of this DPA.

3.4 Sub-processors

Not engage any Sub-processor to process Personal Data without the Controller's prior authorisation, except as set out in clause 5 of this DPA.

3.5 Data Subject Rights

Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law, as further described in clause 7.

3.6 Compliance Assistance

Assist the Controller in ensuring compliance with its obligations under applicable Data Protection Law relating to security of processing, breach notification, data protection impact assessments, and prior consultation with a Supervisory Authority, having regard to the nature of processing and the information available to KYC Genie.

3.7 Information and Audit

Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits as described in clause 9.

3.8 Deletion and Return

At the Controller's election, delete or return all Personal Data upon termination of the Services, and delete existing copies, except where retention is required by applicable law, as described in clause 10.

3.9 Notification of Legal Disclosure Requests

Promptly notify the Controller if KYC Genie receives a legally binding request for disclosure of Personal Data from a law enforcement authority or court, unless prohibited by law from doing so.

4. OBLIGATIONS OF THE CONTROLLER

The Controller represents, warrants, and undertakes that:

All instructions to KYC Genie to process Personal Data comply with applicable Data Protection Law, including that a valid legal basis exists for all processing instructed.
Data Subjects whose Personal Data is submitted to the platform have been provided with appropriate privacy notices as required by applicable Data Protection Law.
The Personal Data submitted to the platform is accurate, adequate, and relevant for the purposes of the KYC processes being conducted.
The Controller has established the legal bases required for KYC Genie to carry out any international transfers of Personal Data in connection with the Services.
The Controller will not submit to the platform any Personal Data that it is not legally authorised to process and transfer for KYC purposes.
The Controller is responsible for making and documenting its own determination that the processing activities described in this DPA meet its obligations as data controller under applicable law.

5. SUB-PROCESSORS

5.1 General Authorisation

The Controller grants KYC Genie general authorisation to engage the Sub-processors listed in Schedule 2. KYC Genie shall ensure that each Sub-processor is bound by data protection obligations no less protective than those imposed on KYC Genie under this DPA.

5.2 Changes to Sub-processors

KYC Genie shall notify the Controller of any intended addition or replacement of Sub-processors by updating Schedule 2 and providing at least 14 days' prior written notice to the Controller (by email to the account's registered address) before the change takes effect.

5.3 Right to Object

The Controller may object to a new Sub-processor on reasonable data protection grounds by notifying KYC Genie in writing within the 14-day notice period. If KYC Genie cannot reasonably accommodate the objection, the Controller may terminate the affected Services on written notice, subject to the terms of the Principal Agreement. Continued use of the Services after the 14-day period without objection constitutes acceptance of the new Sub-processor.

5.4 Sub-processor Liability

KYC Genie remains fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA to the extent that KYC Genie would itself be liable.

6. SECURITY

6.1 Technical and Organisational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects, KYC Genie implements and maintains appropriate technical and organisational security measures including:

Encryption of Personal Data at rest and in transit using industry-standard protocols
Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
Role-based access controls limiting access to Personal Data to authorised personnel only
Logical multi-tenant data isolation ensuring each Controller's data is separated from other Controllers' data
Audit logging of access to and material operations on Personal Data
Regular internal review and testing of security controls
Information security policies, and training for personnel with access to Personal Data

6.2 Review and Improvement

KYC Genie shall regularly review its security measures and incorporate improvements to address identified risks. KYC Genie is currently pursuing ISO 27001 certification and will notify the Controller when certification is achieved.

7. DATA SUBJECT RIGHTS

7.1 Assistance

KYC Genie shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 Forwarding Requests

If KYC Genie receives a request directly from a Data Subject in relation to Personal Data processed on behalf of the Controller, KYC Genie shall:

Notify the Controller of the request without undue delay (ordinarily within 5 business days); and
Not respond to the Data Subject on the Controller's behalf without the Controller's prior written authorisation, except to acknowledge receipt of the request.

7.3 Regulatory Retention Limitation

Where Personal Data is subject to mandatory regulatory retention under applicable AML or KYC legislation (see clause 10.3), KYC Genie shall inform the Controller of the applicable retention period and legal basis when responding to erasure or restriction requests, to assist the Controller in responding to the Data Subject.

8. PERSONAL DATA BREACH

8.1 Notification to Controller

In the event of a Personal Data Breach affecting Personal Data processed under this DPA, KYC Genie shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach. This timeline is designed to allow the Controller to meet its own 72-hour notification obligation to the relevant Supervisory Authority under GDPR Article 33 and equivalent provisions.

8.2 Content of Notification

The breach notification shall, to the extent then available, include:

A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
The name and contact details of KYC Genie's data protection contact
The likely consequences of the breach
The measures taken or proposed to address the breach and mitigate its effects

Where all information is not available at the time of initial notification, KYC Genie shall provide further information in phases as it becomes available.

8.3 Cooperation

KYC Genie shall cooperate fully with the Controller in investigating the breach, mitigating its effects, and fulfilling any notification obligations to Supervisory Authorities or Data Subjects.

8.4 No Acknowledgement of Fault

Notification of a breach by KYC Genie under this clause does not constitute an acknowledgement of fault or liability in respect of that breach.

9. AUDIT AND INFORMATION RIGHTS

9.1 Information

KYC Genie shall make available to the Controller, on reasonable written request, all information reasonably necessary to demonstrate compliance with the obligations in this DPA, including its data protection policies, sub-processor list, and relevant security documentation.

9.2 Audit

The Controller may request an audit of KYC Genie's processing under this DPA. KYC Genie shall facilitate such audits by:

Completing reasonable information security questionnaires or vendor assessment forms
Sharing results of third-party penetration tests or security assessments (subject to redaction of commercially sensitive information and any applicable NDA)
Providing relevant security certifications including ISO 27001 when obtained

Physical on-site audits of KYC Genie's facilities are not permitted. Where the Controller requires an independent third-party technical audit beyond the above, this may be arranged by mutual written agreement, at the Controller's reasonable cost, and subject to scheduling constraints.

9.3 Frequency

Audit requests shall be made no more than once per calendar year, unless there are reasonable grounds to suspect a material breach of this DPA or as required by a Supervisory Authority.

10. RETENTION, RETURN AND DELETION

10.1 End of Services

Upon termination or expiry of the Services, or on the Controller's written request during the term, KYC Genie shall, at the Controller's election:

Export: Provide the Controller with an export of its Personal Data in a structured, commonly used, machine-readable format within 30 days of the request or termination date; or
Delete: Securely delete or destroy all Personal Data (and all copies) within 30 days, other than data subject to clause 10.3 below, and confirm deletion in writing.

If the Controller does not make an election within 30 days of termination, KYC Genie shall proceed with deletion.

10.2 Backup Systems

Notwithstanding clause 10.1, KYC Genie may retain Personal Data in encrypted backup systems for up to 90 days following deletion for business continuity purposes. Such data shall be isolated from active processing and permanently deleted when the relevant backup cycle completes.

10.3 Mandatory Regulatory Retention

Notwithstanding clauses 10.1 and 10.2, KYC Genie is required by applicable AML and financial services legislation to retain the following categories of KYC records for 7 years from the end of the relevant business relationship:

KYC questionnaire responses and all associated answers
Uploaded identity and corporate documents and document files
AML, sanctions, and PEP screening results and decisions
Identity verification outcomes (excluding biometric data, which is retained solely by ComplyCube)
Audit logs of KYC processing decisions, reviews, and approvals
Core entity (subject company and individual) identity records used in KYC processing

This retention period satisfies the minimum 5-year requirement under EU AML legislation (5AMLD) and UK Money Laundering Regulations 2017, and aligns with the 7-year commercial record retention requirement under UAE law. KYC Genie shall notify the Controller if a deletion request cannot be fulfilled in full due to mandatory retention obligations, and shall confirm the applicable retention period and legal basis.

11. INTERNATIONAL TRANSFERS

11.1 KYC Genie's Establishment

KYC Genie is established in the United Arab Emirates. Processing of Personal Data takes place primarily within the European Economic Area (using Microsoft Azure infrastructure) and may also take place in other regions where KYC Genie's Sub-processors operate, as specified in Schedule 2.

11.2 EEA Controllers

Where the Controller is established in the European Economic Area, the transfer of Personal Data from the Controller to KYC Genie constitutes a restricted transfer under GDPR. Such transfers are made on the basis of the European Commission Standard Contractual Clauses (Module 2: Controller to Processor), incorporated into this DPA as Schedule 3.

11.3 UK Controllers

Where the Controller is established in the United Kingdom, transfers of Personal Data to KYC Genie are made pursuant to the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs under section 119A of the UK Data Protection Act 2018, as incorporated in Schedule 3.

11.4 UAE Controllers

For Controllers established in the UAE, KYC Genie processes Personal Data in compliance with the UAE PDPL. No restricted transfer mechanism is required for intra-UAE processing.

11.5 Sub-processor Transfers

KYC Genie ensures that transfers of Personal Data to Sub-processors located outside the EEA are made on the basis of appropriate safeguards, as specified in Schedule 2.

12. LIABILITY

12.1 Relationship to Principal Agreement

Each party's liability to the other under this DPA is subject to the limitations and exclusions in the Principal Agreement. Where the Principal Agreement does not specifically address liability for data protection matters, clauses 12.2 to 12.5 apply.

12.2 Liability Cap

Subject to clause 12.3, each party's total aggregate liability to the other under or in connection with this DPA (whether in contract, tort including negligence, or otherwise) shall not exceed the total fees paid or payable by the Controller to KYC Genie in the 12 months immediately preceding the event giving rise to the claim.

12.3 Unlimited Liability

The cap in clause 12.2 shall not apply to, and nothing in this DPA limits either party's liability for:

Death or personal injury caused by negligence
Fraud or fraudulent misrepresentation
Any matter that cannot lawfully be limited or excluded under applicable law

The liability cap shall also not apply to Personal Data Breaches directly caused by KYC Genie's wilful misconduct or gross negligence.

12.4 Third-Party and Regulatory Claims

Where a Data Subject or Supervisory Authority brings a claim or imposes a fine in respect of a breach caused primarily by one party, that party shall indemnify the other against reasonable costs, damages, and fines directly attributable to its fault.

12.5 Contribution

Where both parties have contributed to a breach, any resulting financial liability — including regulatory fines and Data Subject compensation — shall be apportioned in proportion to each party's degree of responsibility, as required by GDPR Article 82 and equivalent provisions.

13. TERM AND TERMINATION

This DPA takes effect on the date the Controller first uses the Services or executes a signed DPA with KYC Genie (whichever is earlier) and continues until the termination or expiry of the Principal Agreement.

The obligations in clause 10.3 (mandatory regulatory retention) and clause 12 (liability) survive termination of this DPA for as long as KYC Genie retains any Personal Data processed under it.

14. GENERAL

14.1 Governing Law

This DPA is governed by English law. Each party irrevocably submits to the non-exclusive jurisdiction of the English courts in relation to any dispute arising from or in connection with this DPA. Nothing in this clause limits the right of either party to seek urgent interim relief in any competent jurisdiction.

Where the Controller is a UAE-established entity, either party may elect in writing to resolve disputes under UAE law in the courts of the UAE, in lieu of the English courts.

14.2 UAE PDPL Compliance

In addition to GDPR compliance, KYC Genie complies with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations. Controllers established in the UAE may rely on KYC Genie's UAE PDPL compliance in conjunction with the provisions of this DPA.

14.3 Precedence

In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of Personal Data, this DPA shall prevail. The SCCs incorporated in Schedule 3 shall prevail over this DPA to the extent of any conflict relevant to transfers to which those clauses apply.

14.4 Updates

KYC Genie may update this DPA from time to time to reflect changes in applicable law or its processing activities. For material changes, KYC Genie shall provide the Controller with at least 30 days' written notice before the changes take effect. Continued use of the Services after the notice period constitutes acceptance of the updated DPA. Where a signed DPA is in place, material changes require mutual written agreement.

14.5 Severability

If any provision of this DPA is found by a competent court to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

14.6 Entire Agreement

This DPA, together with the Principal Agreement and the Schedules hereto, constitutes the entire agreement between the parties relating to the processing of Personal Data in connection with the Services, and supersedes all prior agreements, representations, or understandings on the same subject matter.

SCHEDULE 1 — DETAILS OF PROCESSING

This Schedule sets out the details of processing carried out by KYC Genie as Processor on behalf of the Controller, as required by GDPR Article 28(3) and equivalent provisions under applicable Data Protection Law.

Subject Matter

The provision of KYC Genie's Know Your Customer (KYC) and due diligence workflow platform, including questionnaire management, AML screening, identity verification, AI document analysis, and associated compliance reporting.

Duration

For the term of the Principal Agreement, plus any mandatory retention period specified in clause 10.3.

Nature of Processing

Collection, storage, structuring, retrieval, use, disclosure to Sub-processors, restriction, and deletion of Personal Data as part of the KYC due diligence process, specifically:

Receiving and storing KYC questionnaire responses, documents, and supporting materials submitted by or about Data Subjects on behalf of the Controller
Transmitting identity data to Sub-processors for AML, sanctions, PEP, and adverse media screening and ongoing monitoring
Facilitating identity document verification and biometric liveness checks via ComplyCube
Using AI to analyse documents and assist in completing and quality-checking due diligence questionnaires
Storing and enabling review, approval, annotation, and export of KYC records by authorised Controller personnel

Purpose of Processing

To enable the Controller to fulfil its regulatory KYC, AML, and customer due diligence obligations in respect of its business relationships with the Data Subjects, and to manage, review, and record those obligations through the Services.

Types of Personal Data

Category	Data fields
Individual identity data	Full name (including former names), date of birth, nationality, gender, country of birth
Contact data	Email address, telephone number, residential and correspondence address (street, city, postal code, country)
Identity document data	Passport number, national ID number, driver's licence number, document expiry date, document images
Government identifiers	Social Security Number, Social Insurance Number, Emirates ID, NRIC, tax identification number, or jurisdiction-equivalent identifier, as applicable
Corporate data	Legal name, trading name, company registration number, jurisdiction and date of incorporation, registered address, principal place of business, beneficial ownership structure, UBO information
Corporate documents	Certificates of incorporation, articles of association, shareholder registers, financial statements, business licences, proof of address documents
Biometric data	Facial images and liveness video collected during identity verification checks. Processed and retained by Sub-processor ComplyCube only — KYC Genie does not store biometric data on its own systems.
Screening and risk data	AML, sanctions, and PEP screening results; adverse media findings; risk scores; KYC status and review history; identity verification outcomes
Questionnaire response data	Responses to due diligence questionnaire questions and any supporting documents uploaded in connection with those responses
Platform user data	Name, email address, role, and login activity of the Controller's employees who access the platform

Categories of Data Subjects

Individual beneficial owners (UBOs) and directors of entities undergoing KYC
Authorised signatories and officers of entities undergoing KYC
Individuals submitting identity documents as part of a company or entity KYC process
The Controller's own employees and authorised platform users

SCHEDULE 2 — AUTHORISED SUB-PROCESSORS

The following Sub-processors are authorised as at the effective date of this DPA. KYC Genie will provide at least 14 days' prior written notice of any additions or replacements in accordance with clause 5.2. For the current live list, contact [email protected].

Sub-processor	Purpose	Data location	Transfer mechanism (for non-EEA)
Microsoft Azure (Blob Storage, Azure B2C, Azure OpenAI Service, Azure Cache for Redis)	Document and data storage, user authentication, AI processing, session management	EU (primary); additional Azure regions may be used for performance	Microsoft Data Processing Agreement incorporating EU SCCs
ComplyAdvantage	AML, sanctions, PEP, and adverse media screening; ongoing monitoring alerts	EU	EU SCCs
ComplyCube	Identity document verification, biometric liveness checks, multi-bureau database checks. Biometric data is retained solely on ComplyCube's systems and is not transferred to or stored by KYC Genie.	UK / EU	UK IDTA / EU SCCs
SendGrid (Twilio Inc.)	Transactional email delivery (notifications, verification links). No KYC document content or subject Personal Data is transmitted.	United States	EU SCCs / UK IDTA Addendum
HubSpot Inc.	CRM and sales lead management. Receives website visitor data (IP address, company identification) only. No KYC subject Personal Data is shared with HubSpot.	United States	EU SCCs / UK IDTA Addendum

SCHEDULE 3 — INTERNATIONAL TRANSFER MECHANISMS

A. EU Standard Contractual Clauses (Module 2 — Controller to Processor)

Where the Controller is established in the European Economic Area, the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Module 2 (Controller to Processor), as adopted by the European Commission Decision of 4 June 2021 (C(2021) 3972), are incorporated into this DPA by reference and apply to transfers of Personal Data from the Controller to KYC Genie.

For the purposes of the SCCs, the following options and details apply:

SCC Clause	Selection / Detail
Clause 7 — Docking clause	The optional docking clause is included.
Clause 9 — Sub-processors	Option 2 (general written authorisation). Sub-processor list is Schedule 2 of this DPA. Notice period: 14 days.
Clause 11 — Redress	The optional independent resolution body clause is not included.
Clause 13 — Supervisory authority	The supervisory authority of the EU Member State in which the Controller is established.
Clause 17 — Governing law of SCCs	Irish law.
Clause 18 — Jurisdiction	Courts of Ireland.
Annex I.A — List of parties	Data exporter: Controller as identified in the Principal Agreement. Data importer: KYC Genie FZC LLC, Amber Gem Tower, Al Rashidiya 3, Ajman, United Arab Emirates.
Annex I.B — Description of transfer	As set out in Schedule 1 of this DPA.
Annex I.C — Competent supervisory authority	As per Clause 13 above.
Annex II — Technical and organisational measures	As described in clause 6 of this DPA.

The full text of the EU SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

B. UK International Data Transfer Agreement (IDTA)

Where the Controller is established in the United Kingdom, transfers of Personal Data from the Controller to KYC Genie are made pursuant to the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office (version B1.0, March 2022), or the Addendum to the EU SCCs approved under section 119A of the UK Data Protection Act 2018, as applicable. The details of the restricted transfer are as set out in Schedule 1 of this DPA.

C. UAE PDPL

For Controllers established in the UAE, KYC Genie processes Personal Data in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and its implementing regulations. No restricted transfer mechanism is required for processing that takes place within the UAE.