Data Processing Agreement

Last updated 18 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between KYC Genie FZC LLC ("KYC Genie", "Processor", "we", "us") and the entity that has agreed to the KYC Genie Terms of Service or otherwise engaged KYC Genie's services ("Controller", "Client", "you").

This DPA is incorporated into and subject to the Terms of Service or other written agreement between the parties (the "Principal Agreement"). In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of personal data, this DPA shall prevail.

By using KYC Genie's services, you agree to the terms of this DPA. If you require a signed, individually negotiated version of this DPA, please contact privacy@kycgenie.com.

The Parties

Processor: KYC Genie FZC LLC, Amber Gem Tower, Al Rashidiya 3, Ajman, United Arab Emirates

Data Protection Officer / Contact: privacy@kycgenie.com

Controller: The entity named in the KYC Genie account registration or Principal Agreement.

TABLE OF CONTENTS

  1. Definitions
  2. Scope and Details of Processing
  3. Obligations of the Processor
  4. Obligations of the Controller
  5. Sub-processors
  6. Security
  7. Data Subject Rights
  8. Personal Data Breach
  9. Audit and Information Rights
  10. Retention, Return and Deletion
  11. International Transfers
  12. Liability
  13. Term and Termination
  14. General
  15. Schedule 1 - Details of Processing
  16. Schedule 2 - Authorised Sub-processors
  17. Schedule 3 - International Transfer Mechanisms

1. DEFINITIONS

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in applicable Data Protection Law.

2. SCOPE AND DETAILS OF PROCESSING

KYC Genie processes Personal Data on behalf of the Controller solely for the purpose of providing the Services as described in Schedule 1 and as configured and instructed by the Controller through its use of the platform.

The Controller's use of the Services - including configuring questionnaires, initiating AML screening, uploading documents, and triggering identity verification checks - constitutes the Controller's documented instructions to KYC Genie to process Personal Data for the purposes described in Schedule 1. KYC Genie shall not process Personal Data for any other purpose unless required by applicable law, in which case clause 3.1 applies.

KYC Genie does not process Personal Data for its own purposes. In particular, KYC Genie does not process Personal Data to satisfy any regulatory compliance, record-keeping, or anti-money-laundering obligation of its own, and does not act as a controller in respect of the Personal Data processed on the Controller's behalf under this DPA.

Notwithstanding the foregoing, KYC Genie may process aggregated, de-identified, or anonymised data derived from use of the Services as an independent controller for the limited purposes of securing and operating the platform, detecting and preventing fraud and misuse, and developing and improving the Services, provided that such processing does not identify, and is not used to re-identify, any individual Data Subject.

The Services include a test mode environment that provides a logically isolated environment for non-production use. All technical and organisational security measures described in this DPA apply equally to Personal Data processed in test mode. Controllers are encouraged to use synthetic or anonymised data in test mode; where real Personal Data is used in test mode, it is subject to the same protections as live data.

3. OBLIGATIONS OF THE PROCESSOR

KYC Genie shall, in respect of all Personal Data processed under this DPA:

3.1 Lawful Processing on Instructions

Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. Where KYC Genie is required by law to process Personal Data other than in accordance with the Controller's instructions, KYC Genie shall notify the Controller of that requirement before processing, unless the applicable law prohibits such notification.

If KYC Genie reasonably believes that an instruction from the Controller infringes applicable Data Protection Law, KYC Genie shall promptly notify the Controller. KYC Genie may decline to follow such an instruction until the Controller has confirmed it in writing. KYC Genie may continue to decline if, in its reasonable opinion, following the instruction would cause KYC Genie to breach applicable Data Protection Law.

3.2 Confidentiality

Ensure that all personnel authorised to process Personal Data are subject to appropriate obligations of confidentiality and have received adequate training in data protection.

3.3 Security

Implement and maintain appropriate technical and organisational measures to protect Personal Data as described in clause 6 of this DPA.

3.4 Sub-processors

Not engage any Sub-processor to process Personal Data without the Controller's prior authorisation, except as set out in clause 5 of this DPA.

3.5 Data Subject Rights

Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law, as further described in clause 7.

3.6 Compliance Assistance

Assist the Controller in ensuring compliance with its obligations under applicable Data Protection Law relating to security of processing, breach notification, data protection impact assessments, and prior consultation with a Supervisory Authority, having regard to the nature of processing and the information available to KYC Genie.

3.7 Information and Audit

Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits as described in clause 9.

3.8 Deletion and Return

At the Controller's election, delete or return all Personal Data upon termination of the Services, and delete existing copies, except where data is retained under the Regulatory Retention Service described in clause 10.3 or as otherwise required by applicable law, as further described in clause 10.

3.9 Notification of Legal Disclosure Requests

Promptly notify the Controller if KYC Genie receives a legally binding request for disclosure of Personal Data from a law enforcement authority or court, unless prohibited by law from doing so.

3.10 AI Processing - No Model Training

Where AI features are used in the Services (including document analysis, questionnaire autofill, and answer quality checking), such processing is performed through enterprise-grade AI services provided by KYC Genie's cloud infrastructure provider under enterprise data processing terms. Personal Data processed through AI features is not used - and KYC Genie shall obtain contractual commitments from Sub-processors that Personal Data is not used - to train, fine-tune, or improve any AI or machine learning model beyond the immediate task for which it was submitted. KYC Genie does not control, and this clause does not apply to, any temporary retention by an AI Sub-processor required under that Sub-processor's mandatory safety monitoring or abuse prevention obligations, as disclosed in that Sub-processor's published data processing terms.

3.11 Regulatory Outsourcing Support

The parties acknowledge that, where the Controller is a regulated entity, its use of the Services may constitute an outsourced or third-party arrangement under applicable financial services regulatory frameworks. KYC Genie shall provide the Controller with reasonable assistance, consistent with the information and audit rights set out in clause 9, to support the Controller in meeting its applicable outsourcing, supervisory, and oversight requirements in respect of the Services.

4. OBLIGATIONS OF THE CONTROLLER

The Controller represents, warrants, and undertakes that:

4.1 Controller Indemnity

The Controller shall defend, indemnify, and hold harmless KYC Genie, its affiliates, and their respective officers, directors, employees, and agents against all claims, losses, damages, fines, liabilities, costs, and expenses (including reasonable legal costs) arising out of or in connection with:

The liability cap in clause 12.2 applies to claims brought by the Controller against KYC Genie. It does not apply to the Controller's indemnification obligations under this clause, which are uncapped in respect of claims brought by KYC Genie against the Controller.

5. SUB-PROCESSORS

5.1 General Authorisation

The Controller grants KYC Genie general authorisation to engage the Sub-processors listed in Schedule 2. KYC Genie shall ensure that each Sub-processor is bound by data protection obligations no less protective than those imposed on KYC Genie under this DPA.

5.2 Changes to Sub-processors

KYC Genie shall provide at least 30 days' prior written notice of any intended addition or replacement of Sub-processors, including by updating the Sub-processor list referenced in Schedule 2 or by notification through the platform. Notice is not required for changes that do not involve the processing of new categories of Personal Data or that do not materially increase the risk to Data Subjects.

5.3 Right to Object

The Controller may object to a new Sub-processor on reasonable data protection grounds by notifying KYC Genie in writing within the notice period. KYC Genie shall consider the objection and may, at its reasonable discretion, take appropriate measures to address it. If KYC Genie cannot reasonably accommodate the objection, the Controller may terminate the affected Services on written notice, subject to the terms of the Principal Agreement. Continued use of the Services after the notice period without objection constitutes acceptance of the new Sub-processor.

5.4 Sub-processor Liability

KYC Genie remains fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA to the extent that KYC Genie would itself be liable, subject always to the limitations of liability in clause 12.

6. SECURITY

6.1 Technical and Organisational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects, KYC Genie implements and maintains appropriate technical and organisational security measures including:

6.2 Review and Improvement

KYC Genie shall regularly review its security measures and incorporate improvements to address identified risks. Results of the most recent independent penetration test or security assessment are available to Controllers on reasonable written request, subject to appropriate redaction and NDA. KYC Genie may notify Controllers when relevant security certifications are obtained.

7. DATA SUBJECT RIGHTS

7.1 Assistance

KYC Genie shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 Forwarding Requests

If KYC Genie receives a request directly from a Data Subject in relation to Personal Data processed on behalf of the Controller, KYC Genie shall:

7.3 Regulatory Retention Limitation

Where Personal Data is being retained under the Regulatory Retention Service described in clause 10.3 (to assist the Controller in meeting its own AML and KYC record-keeping obligations), KYC Genie shall inform the Controller of the applicable retention period and legal basis when responding to erasure or restriction requests, to assist the Controller in responding to the Data Subject.

8. PERSONAL DATA BREACH

8.1 Notification to Controller

In the event of a Personal Data Breach affecting Personal Data processed under this DPA, KYC Genie shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. This timeline is designed to assist the Controller in meeting its own notification obligations to the relevant Supervisory Authority under GDPR Article 33 and equivalent provisions.

8.2 Content of Notification

The breach notification shall, to the extent then available, include:

Where all information is not available at the time of initial notification, KYC Genie shall provide further information in phases as it becomes available.

8.3 Cooperation

KYC Genie shall cooperate fully with the Controller in investigating the breach, mitigating its effects, and fulfilling any notification obligations to Supervisory Authorities or Data Subjects.

8.4 No Acknowledgement of Fault

Notification of a breach by KYC Genie under this clause does not constitute an acknowledgement of fault or liability in respect of that breach.

9. AUDIT AND INFORMATION RIGHTS

9.1 Information

KYC Genie shall make available to the Controller, on reasonable written request, all information reasonably necessary to demonstrate compliance with the obligations in this DPA, including its data protection policies, sub-processor list, and relevant security documentation.

9.2 Audit

The Controller may request an audit of KYC Genie's processing under this DPA. KYC Genie shall facilitate such audits by:

Where the Controller's own regulatory obligations require an on-site audit of KYC Genie's processing facilities, such audits may be arranged by prior written agreement, subject to: (i) reasonable prior written notice; (ii) reasonable scheduling constraints agreed in advance; (iii) the audit being conducted at the Controller's cost; and (iv) execution of an appropriate NDA prior to commencement. Independent third-party technical audits may similarly be arranged by mutual written agreement at the Controller's reasonable cost.

9.3 Frequency

Audit requests shall be made no more than once per calendar year, unless there are reasonable grounds to suspect a material breach of this DPA or as required by a Supervisory Authority.

10. RETENTION, RETURN AND DELETION

10.1 End of Services

Upon termination or expiry of the Services, or on the Controller's written request during the term, KYC Genie shall, at the Controller's election:

If the Controller does not make an election within 30 days of termination, KYC Genie shall proceed with deletion.

10.2 Backup Systems

Notwithstanding clause 10.1, KYC Genie may retain Personal Data in encrypted backup systems for up to 45 days following deletion for business continuity purposes. Such data shall be isolated from active processing and permanently deleted when the relevant backup cycle completes.

10.3 Regulatory Retention Service

KYC Genie is a technology processor and is not itself an obliged entity under anti-money-laundering legislation. KYC Genie is not legally required to retain Personal Data after termination, does not do so for its own regulatory or record-keeping purposes, and does not determine the retention periods that apply to the Controller. Retention is controlled by the Controller.

Because the Controller - as the obliged entity conducting KYC/AML due diligence - is typically required under applicable anti-money-laundering and financial-crime laws to retain KYC records for a number of years (commonly five to seven) following the end of the relevant business relationship, KYC Genie provides a retention feature to support the Controller in meeting that obligation. By default, and reflecting the most common regulatory requirement, KYC Genie retains the following categories of KYC records for 7 years following the end of the relevant business relationship:

The Controller controls this retention. The Controller may set a different retention period, disable post-termination retention, or - at or following termination - instead elect under clause 10.1 to receive a full data export and request deletion, in which case no post-termination retention will apply. The 7-year default exists solely as a convenience and reflects the Controller's documented decision to use the Services for regulated KYC/AML purposes; KYC Genie applies it on the Controller's instruction and does not independently determine that any particular retention period is required. Where a deletion request cannot be fulfilled in full because of a retention setting the Controller has enabled, KYC Genie shall notify the Controller and confirm the applicable retention period.

11. INTERNATIONAL TRANSFERS

11.1 KYC Genie's Establishment and Processing Locations

KYC Genie is established in the United Arab Emirates. KYC Genie and its Sub-processors may process Personal Data in any country in which they or their infrastructure providers maintain operations, subject to the appropriate transfer mechanisms set out in Schedule 3 and applicable Data Protection Law. Where a Controller requires Personal Data to be processed within a specific jurisdiction, this may be agreed in writing between the parties.

11.2 EEA Controllers

Where the Controller is established in the European Economic Area, the transfer of Personal Data from the Controller to KYC Genie constitutes a restricted transfer under GDPR. Such transfers are made on the basis of the European Commission Standard Contractual Clauses (Module 2: Controller to Processor), incorporated into this DPA as Schedule 3.

11.3 UK Controllers

Where the Controller is established in the United Kingdom, transfers of Personal Data to KYC Genie are made pursuant to the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs under section 119A of the UK Data Protection Act 2018, as incorporated in Schedule 3.

11.4 UAE Controllers

For Controllers established in the United Arab Emirates, KYC Genie processes Personal Data in compliance with applicable UAE Data Protection Law. As KYC Genie is itself established in the UAE, no restricted cross-border transfer mechanism is required for the Controller's transfer of Personal Data to KYC Genie. Onward transfers from KYC Genie to its Sub-processors are made on the basis of appropriate safeguards as specified in Schedule 2.

11.5 Sub-processor Transfers

KYC Genie ensures that transfers of Personal Data to Sub-processors located outside the EEA are made on the basis of appropriate safeguards, as specified in Schedule 2.

11.6 Other Jurisdictions

For Controllers established outside the EEA, United Kingdom, and United Arab Emirates, the legal basis for the transfer of Personal Data from the Controller to KYC Genie is the Controller's responsibility, as set out in clause 4. KYC Genie's onward transfers of Personal Data to its Sub-processors are made on the basis of appropriate safeguards as specified in Schedule 2 and each Sub-processor's published data processing terms.

12. LIABILITY

12.1 Relationship to Principal Agreement

Each party's liability to the other under this DPA is subject to the limitations and exclusions in the Principal Agreement. Where the Principal Agreement does not specifically address liability for data protection matters, clauses 12.2 to 12.5 apply.

12.2 Liability Cap

Subject to clause 12.3, each party's total aggregate liability to the other under or in connection with this DPA (whether in contract, tort including negligence, or otherwise) shall not exceed the total fees paid or payable by the Controller to KYC Genie in the 12 months immediately preceding the event giving rise to the claim.

12.3 Unlimited Liability

The cap in clause 12.2 shall not apply to, and nothing in this DPA limits either party's liability for:

The liability cap shall also not apply to Personal Data Breaches directly caused by KYC Genie's wilful misconduct or fraud.

12.4 Third-Party and Regulatory Claims

Where a Data Subject or Supervisory Authority brings a claim or imposes a fine in respect of a breach caused primarily by one party, that party shall indemnify the other against reasonable costs, damages, and fines directly attributable to its fault, subject always to the liability cap in clause 12.2 and the exclusions in clause 12.3.

12.5 Contribution

Where both parties have contributed to a breach, any resulting financial liability - including regulatory fines and Data Subject compensation - shall be apportioned in proportion to each party's degree of responsibility, as required by GDPR Article 82 and equivalent provisions.

13. TERM AND TERMINATION

This DPA takes effect on the date the Controller first uses the Services or executes a signed DPA with KYC Genie (whichever is earlier) and continues until the termination or expiry of the Principal Agreement.

The obligations in clause 10.3 (Regulatory Retention Service) survive termination of this DPA for as long as KYC Genie retains any Personal Data processed under it. The liability provisions in clause 12 survive termination and continue to apply to any claims arising under this DPA, for the duration of the applicable limitation period under governing law. The Controller's indemnity obligations in clause 4.1 survive termination and continue to apply to any claims arising from the Controller's use of the Services, for the duration of the applicable limitation period under governing law.

14. GENERAL

14.1 Governing Law

This DPA is governed by English law. Although KYC Genie FZC LLC is incorporated in the United Arab Emirates, English law has been selected as the governing law for this DPA as a well-developed, internationally recognised legal framework appropriate for cross-border data processing relationships, widely accepted by Controllers established across the EEA, UK, UAE, and internationally. Each party irrevocably submits to the non-exclusive jurisdiction of the English courts in relation to any dispute arising from or in connection with this DPA. Nothing in this clause limits the right of either party to seek urgent interim relief in any competent jurisdiction.

Where the Controller is a UAE-established entity, either party may elect in writing to resolve disputes under UAE law in the courts of the UAE, in lieu of the English courts.

14.2 Compliance with Applicable Data Protection Law

KYC Genie complies with the Data Protection Law applicable to it as a Processor, including the data protection law of its place of establishment in the United Arab Emirates. This DPA is designed to apply consistently regardless of the Controller's jurisdiction; KYC Genie's obligations under this DPA apply in respect of whichever Data Protection Law governs the Controller's use of the Services.

14.3 Precedence

In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of Personal Data, this DPA shall prevail. The SCCs incorporated in Schedule 3 shall prevail over this DPA to the extent of any conflict relevant to transfers to which those clauses apply.

14.4 Updates

KYC Genie may update this DPA from time to time to reflect changes in applicable law or its processing activities. For material changes, KYC Genie shall provide the Controller with at least 30 days' notice before the changes take effect, given by updating the DPA on KYC Genie's website and notifying the Controller's account by email or in-platform notification. Continued use of the Services after the notice period constitutes acceptance of the updated DPA. Non-material updates (such as adding new Sub-processors in accordance with clause 5.2, correcting typographical errors, or clarifications that do not reduce the Controller's rights) take effect on publication without prior notice. Where a signed DPA is in place, only material changes require mutual written agreement; non-material updates take effect on the same basis as above.

14.5 Severability

If any provision of this DPA is found by a competent court to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

14.6 Change in Law

If a change in applicable Data Protection Law prevents either party from fulfilling all or part of its obligations under this DPA, the parties shall use reasonable efforts to bring the relevant processing into compliance within 60 days. If compliance cannot be achieved within that period, either party may terminate the affected Services on written notice. The parties agree that such termination is the sole remedy in these circumstances and neither party shall have any further liability to the other arising from the change in law.

14.7 Entire Agreement

This DPA, together with the Principal Agreement and the Schedules hereto, constitutes the entire agreement between the parties relating to the processing of Personal Data in connection with the Services, and supersedes all prior agreements, representations, or understandings on the same subject matter.


SCHEDULE 1 - DETAILS OF PROCESSING

This Schedule sets out the details of processing carried out by KYC Genie as Processor on behalf of the Controller, as required by GDPR Article 28(3) and equivalent provisions under applicable Data Protection Law.

Subject Matter

The provision of KYC Genie's Know Your Customer (KYC) and due diligence workflow platform, including questionnaire management, AML screening, identity verification, AI document analysis, and associated compliance reporting.

Duration

For the term of the Principal Agreement, plus any post-termination retention period under the Regulatory Retention Service specified in clause 10.3 (where applicable).

Nature of Processing

Collection, storage, structuring, retrieval, use, disclosure to Sub-processors, restriction, and deletion of Personal Data as part of the KYC due diligence process, specifically:

Purpose of Processing

To enable the Controller to fulfil its regulatory KYC, AML, and customer due diligence obligations in respect of its business relationships with the Data Subjects, and to manage, review, and record those obligations through the Services.

Types of Personal Data

Category Data fields
Individual identity data Full name (including former names), date of birth, nationality, gender, country of birth
Contact data Email address, telephone number, residential and correspondence address (street, city, postal code, country)
Identity document data Passport number, national ID number, driver's licence number, document expiry date, document images
Government identifiers Social Security Number, Social Insurance Number, Emirates ID, NRIC, tax identification number, or jurisdiction-equivalent identifier, as applicable
Corporate data Legal name, trading name, company registration number, jurisdiction and date of incorporation, registered address, principal place of business, beneficial ownership structure, UBO information
Corporate documents Certificates of incorporation, articles of association, shareholder registers, financial statements, business licences, proof of address documents
Biometric data Facial images and liveness video collected during identity verification checks. Processed and retained by the relevant Sub-processor providing identity verification services only - KYC Genie does not store biometric data on its own systems.
Screening and risk data AML, sanctions, and PEP screening results; adverse media findings; risk scores; KYC status and review history; identity verification outcomes
Questionnaire response data Responses to due diligence questionnaire questions and any supporting documents uploaded in connection with those responses
Platform user data Name, email address, role, and login activity of the Controller's employees who access the platform

Categories of Data Subjects

SCHEDULE 2 - AUTHORISED SUB-PROCESSORS

The following Sub-processors are authorised as at the effective date of this DPA. The categories of Personal Data each Sub-processor processes, and the appropriate safeguards applicable to any transfer, are as set out below. Each Sub-processor processes Personal Data across the locations in which it and its own infrastructure providers operate, as described in that Sub-processor's published documentation. KYC Genie will provide at least 30 days' prior written notice of any additions or replacements in accordance with clause 5.2. For the current list, contact privacy@kycgenie.com.

Sub-processor Purpose Transfer safeguard
Microsoft Azure Cloud infrastructure hosting, including data and document storage, user authentication, AI processing, and caching Microsoft Data Processing Agreement incorporating EU SCCs and applicable transfer safeguards
ComplyAdvantage AML, sanctions, PEP, and adverse media screening; ongoing monitoring alerts ComplyAdvantage Data Processing Agreement incorporating EU SCCs / UK IDTA Addendum
ComplyCube Identity document verification, biometric liveness checks, multi-bureau database checks. Biometric data is processed and retained solely on the identity verification Sub-processor's systems in accordance with that Sub-processor's data retention policy, and is not transferred to or stored by KYC Genie. ComplyCube Data Processing Agreement incorporating UK IDTA / EU SCCs
SendGrid (Twilio Inc.) Transactional email delivery (workflow notifications, verification links, status alerts). Notification emails may include the name of the entity or individual to whom the notification relates and the name of the Controller's account. No KYC document content, identity document data, screening results, or government identifier data is transmitted to SendGrid. Twilio Data Processing Addendum incorporating EU SCCs / UK IDTA Addendum

SCHEDULE 3 - INTERNATIONAL TRANSFER MECHANISMS

A. EU Standard Contractual Clauses (Module 2 - Controller to Processor)

Where the Controller is established in the European Economic Area, the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Module 2 (Controller to Processor), as adopted by the European Commission Decision of 4 June 2021 (C(2021) 3972), are incorporated into this DPA by reference and apply to transfers of Personal Data from the Controller to KYC Genie.

For the purposes of the SCCs, the following options and details apply:

SCC ClauseSelection / Detail
Clause 7 - Docking clause The optional docking clause is included.
Clause 9 - Sub-processors Option 2 (general written authorisation). The Sub-processor list is set out in Schedule 2 of this DPA. Notice period: 30 days, as per clause 5.2 of this DPA.
Clause 11 - Redress The optional independent resolution body clause is not included.
Clause 13 - Supervisory authority The supervisory authority of the EU Member State in which the Controller is established.
Clause 17 - Governing law of SCCs Irish law.
Clause 18 - Jurisdiction Courts of Ireland.
Annex I.A - List of parties Data exporter: Controller as identified in the Principal Agreement. Data importer: KYC Genie FZC LLC, Amber Gem Tower, Al Rashidiya 3, Ajman, United Arab Emirates; Data Protection Officer: privacy@kycgenie.com.
Annex I.B - Description of transfer As set out in Schedule 1 of this DPA.
Annex I.C - Competent supervisory authority As per Clause 13 above.
Annex II - Technical and organisational measures As described in clause 6 of this DPA.

Note on governing law: The EU SCCs are governed by Irish law (Clause 17 above) in accordance with the EU Commission's requirement that SCCs be governed by the law of an EU Member State. This applies only to the SCCs themselves and does not conflict with English law governing the remainder of this DPA under clause 14.1; Irish law governs the SCCs solely to satisfy the requirements of the EU standard clauses framework.

The full text of the EU SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

B. UK International Data Transfer Agreement (IDTA)

Where the Controller is established in the United Kingdom, transfers of Personal Data from the Controller to KYC Genie are made pursuant to the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office (version B1.0, March 2022), or the Addendum to the EU SCCs approved under section 119A of the UK Data Protection Act 2018, as applicable. The details of the restricted transfer are as set out in Schedule 1 of this DPA.

C. UAE Controllers

For Controllers established in the United Arab Emirates, KYC Genie processes Personal Data in compliance with applicable UAE Data Protection Law. As KYC Genie is established in the UAE, no restricted cross-border transfer mechanism is required for the Controller's transfer of Personal Data to KYC Genie.