Data Processing Agreement (DPA)

1. Definitions

• "Controller" means the Customer, who determines the purposes and means of processing personal data.
• "Processor" means Genpire, who processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the services.
• "Processing" has the meaning given under applicable data protection law.
• "Sub-processor" means any third party engaged by Genpire to process personal data in connection with the services.
• "Data Protection Law" means all applicable laws relating to the processing of personal data, including GDPR, UK GDPR, and any equivalent national legislation.

2. Scope & Purpose of Processing

2.1 Genpire processes personal data solely to provide the services described in the Principal Agreement, including platform access, AI-generated output, collaboration features, and customer support.

2.2 The categories of personal data processed may include:

• User account data (name, email address, role)
• Usage and activity data (login records, feature interactions)
• Project and product data uploaded or created by users on the platform
• Communication records (support interactions)

2.3 The categories of data subjects include the Customer's employees, contractors, buyers, and designers who access the platform.

2.4 Processing shall continue for the duration of the Principal Agreement, unless otherwise agreed in writing.

3. Obligations of the Processor (Genpire)

Genpire shall:

• 3.1 Process personal data only on documented instructions from the Controller, including as set out in this DPA and the Principal Agreement, unless required by applicable law.
• 3.2 Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
• 3.3 Implement appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, including:
  • Encryption of personal data in transit and at rest
  • Access controls and role-based permissions
  • Regular security monitoring and audit logging
  • Incident response procedures
• 3.4 Not use personal data — including inputs, designs, uploads, or outputs — to train AI models, whether operated by Genpire or its subprocessors, without the Controller's explicit written consent.
• 3.5 Assist the Controller in responding to requests from data subjects exercising their rights under applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
• 3.6 Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting the Controller's data.
• 3.7 Provide the Controller with all information necessary to demonstrate compliance with this DPA, and cooperate with audits or inspections conducted by the Controller or a mandated third party, subject to reasonable notice and confidentiality protections.
• 3.8 At the termination of the Principal Agreement, delete or return all personal data to the Controller, and delete existing copies unless retention is required by applicable law.

4. Sub-processors

4.1 The Controller provides general authorisation for Genpire to engage sub-processors. Genpire's current sub-processors include:

4.2 Genpire shall notify the Controller of any intended changes to sub-processors (additions or replacements) with reasonable advance notice, giving the Controller the opportunity to object on reasonable grounds.

4.3 Genpire shall ensure all sub-processors are bound by data protection obligations equivalent to those set out in this DPA.

5. International Data Transfers

5.1 Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, Genpire shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or the UK International Data Transfer Addendum as applicable.

5.2 The Customer may request a copy of applicable transfer mechanisms by contacting support@genpire.com.

6. Data Subject Rights

Genpire shall assist the Controller in fulfilling obligations to respond to data subject requests within the timelines required by applicable Data Protection Law. Where data subjects contact Genpire directly, Genpire shall promptly forward such requests to the Controller.

7. Data Retention & Deletion

7.1 Genpire retains personal data for the duration of the Principal Agreement and for a period of up to 90 days thereafter, to allow for data retrieval and offboarding.

7.2 Upon written request, Genpire shall delete personal data within 30 days and confirm deletion in writing.

7.3 Genpire may retain anonymised or aggregated data that does not constitute personal data for platform improvement purposes.

8. Confidentiality

Both parties agree to treat the contents of this DPA as confidential and not to disclose it to third parties without the prior written consent of the other party, except as required by law or to enforce its terms.

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the Principal Agreement. Nothing in this DPA limits either party's liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be excluded by law.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable under the Principal Agreement. For customers in the EEA or UK, this DPA shall additionally be interpreted in a manner consistent with applicable Data Protection Law.

11. Contact & Execution

This DPA is incorporated into and forms part of the Principal Agreement. It takes effect upon the Customer's execution of a Genpire service or enterprise agreement.