Last Updated: January 25, 2025

Data Processing Agreement

GDPR Article 28 compliant data processing terms for B2B customers and enterprise clients.

1. Definitions

Customer: The entity that determines the purposes and means of processing personal data.

Processor: Origin8.AI, which processes personal data on behalf of the Customer.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, such as collection, recording, use, storage, or transmission.

Data Subject: The individual to whom personal data relates.

Confidential Information: All information disclosed by Customer to Processor during the term of this DPA.

GDPR: The General Data Protection Regulation (EU) 2016/679 and applicable national data protection laws.

2. Scope and Applicability

2.1 General Applicability

This Data Processing Agreement applies when Origin8.AI acts as a data processor on behalf of a Customer and processes personal data subject to GDPR or similar data protection regulations.

2.2 Integration with Service Agreement

This DPA is integrated into and forms an integral part of the Master Service Agreement or other applicable service agreement between Customer and Origin8.AI.

3. Processor Obligations

3.1 Processing Instructions

Origin8.AI shall only process personal data:

  • On documented instructions from Customer
  • For the specific purposes stated in the Service Agreement
  • In compliance with this DPA and applicable law

3.2 Personnel Confidentiality

Origin8.AI ensures that persons authorized to process personal data are committed to confidentiality or under an appropriate legal obligation of confidentiality.

3.3 Processor as Controller

When Origin8.AI independently determines the purposes and means of processing (beyond Customer's instructions), it acts as a data controller and remains liable as such.

4. Processing Details

4.1 Subject Matter and Duration

  • Subject Matter: Processing of personal data as described in the Service Agreement
  • Duration: For the term of the Service Agreement or until Customer instructs deletion
  • Nature and Purpose: To provide AI services, analytics, and support as specified in Service Agreement
  • Categories of Data Subjects: As specified by Customer in their usage
  • Categories of Personal Data: As provided by Customer to our Services

4.2 Processing Locations

Origin8.AI may process personal data in Singapore, the European Union, the United States, or other jurisdictions as necessary for service delivery. Customer will be notified of any changes to processing locations.

5. Sub-Processors

5.1 Processor Discretion

Origin8.AI may engage sub-processors to process personal data on behalf of Customer. Such sub-processors include:

  • Cloud infrastructure providers
  • Analytics and monitoring services
  • Payment processors
  • Support and ticketing systems

5.2 Sub-Processor Requirements

All sub-processors are subject to data protection obligations that provide substantially the same level of data protection as this DPA through written contract or EU adequacy decisions.

5.3 Objections to Sub-Processors

Customer may object to the addition of new sub-processors within 30 days of notice. Origin8.AI will work to address reasonable objections.

6. Data Subject Rights

6.1 Assisting Customer

Origin8.AI shall assist Customer in fulfilling data subject requests regarding:

  • Right of access to personal data
  • Right to rectification or amendment
  • Right to erasure (right to be forgotten)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

6.2 Response Timeframe

Origin8.AI shall respond to data subject requests within 10 business days of notification by Customer, or as required by law.

7. Security Measures

7.1 Technical and Organizational Measures

Origin8.AI implements appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and role-based access management
  • Multi-factor authentication for administrative access
  • Regular security assessments and penetration testing
  • Network segmentation and firewalls
  • Intrusion detection and prevention systems
  • Employee training and security awareness

7.2 Security Updates

Origin8.AI shall update Customer upon request regarding security measures and conduct regular security assessments.

8. Data Breaches and Incidents

8.1 Breach Notification

Origin8.AI shall notify Customer without undue delay, and in no case later than 24 hours, after becoming aware of any personal data breach.

8.2 Information to Provide

Notification shall include, to the extent practicable:

  • Nature and scope of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

8.3 Investigation and Cooperation

Origin8.AI shall fully investigate the breach and cooperate with Customer in addressing it and in fulfilling Customer's obligations to authorities and data subjects.

9. Audit Rights and Compliance

9.1 Right to Audit

Customer has the right to audit Origin8.AI's compliance with this DPA, upon reasonable notice and no more than once per year, unless required by law.

9.2 Certification and Documentation

Origin8.AI maintains certifications and documentation evidencing compliance with GDPR and this DPA, including SOC 2 Type II reports and other relevant certifications.

9.3 Third-Party Audits

Customer may request independent third-party audits of Origin8.AI's processing facilities and practices at Customer's expense.

10. Data Transfers

10.1 International Transfers

If personal data is transferred outside the EEA, Origin8.AI ensures adequate safeguards are in place, including Standard Contractual Clauses or other mechanisms approved by relevant authorities.

10.2 Third-Country Transfers

Origin8.AI shall not transfer personal data to a third country without Customer's prior written authorization, unless under a legal obligation to do so.

11. Data Deletion and Return

11.1 Upon Termination

Upon termination or expiry of the Service Agreement, Origin8.AI shall, at Customer's choice, delete or return all personal data and existing copies unless law requires storage.

11.2 Deletion Timeline

Personal data shall be deleted within 30 days of the termination request, except for data in backup systems, which shall be deleted within 90 days.

11.3 Certification of Deletion

Origin8.AI shall provide a certification of deletion within 15 days of completion.

12. Term and Termination

12.1 Duration

This DPA shall remain in effect for as long as Origin8.AI acts as a processor of personal data on behalf of Customer.

12.2 Termination Effects

Termination of the Service Agreement automatically terminates this DPA, subject to data deletion or return obligations above.

13. Limitation of Liability

13.1 Liability Cap

Origin8.AI's liability under this DPA shall not exceed the fees paid by Customer in the 12 months preceding the claim.

13.2 Exceptions

This limitation shall not apply to data protection violations or indemnification obligations arising from breaches of this DPA.

14. Contact Information

For questions or concerns regarding this Data Processing Agreement:

Email: legal@origin8ai.co

Address: Origin8.AI, Singapore