Last updated: May 2026

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Genpire Labs Ltd. (“Genpire”) and the customer using our platform (“Customer”). It governs how Genpire processes personal data on the Customer’s behalf. Where this DPA conflicts with the underlying agreement on matters of data protection, this DPA prevails.

How to read this DPA

This is Genpire’s standard DPA. It applies to every customer and reflects our default commitments. Enterprise customers on annual agreements can negotiate additional or stricter terms — see Section 12.

01

Roles

The Customer is the controller of personal data processed through the Genpire platform (or a processor acting for a third-party controller). Genpire is the processor. Where the Customer acts as a processor for an upstream controller, the Customer warrants that it has authority from that controller to enter into this DPA on its behalf.

Genpire processes Customer Personal Data only on the Customer's documented instructions — defined by the underlying agreement and by how the Customer configures and uses the platform. We don't make decisions about why the data is being processed; the Customer does.

For US Personal Data, the Customer is the "business" and Genpire is a "service provider" under the CCPA. We do not sell or share personal data, and we do not combine customer data with data from other sources for cross-contextual advertising.

02

Customer Responsibilities

The Customer is responsible for:

  • Having a lawful basis for the personal data it provides to Genpire.
  • The accuracy, quality, and legality of all Customer Content uploaded to the platform.
  • Securing its own accounts, credentials, and devices.
  • Configuring the platform appropriately for its own compliance obligations.
  • Not uploading sensitive categories of data — including health, biometric, genetic, government-issued identifiers, financial account numbers, HIPAA-protected information, data of children under 16, criminal records, or other special categories under GDPR Article 9 — without a separately negotiated written agreement.

03

Genpire's Commitments

Genpire will:

  • Process Customer Personal Data only to deliver, secure, maintain, and support the Services — on the Customer's documented instructions.
  • Ensure personnel with access to personal data are bound by confidentiality obligations and trained on data protection.
  • Limit personnel access to personal data to what is necessary, with role-based controls and logged access.
  • Promptly forward to the Customer any data subject request received directly by Genpire.
  • Assist the Customer, on reasonable request, with data subject requests and data protection impact assessments. Substantial assistance work may be billable.
  • Inform the Customer if, in Genpire's view, a Customer instruction would violate data protection law.

04

Artificial Intelligence and Model Training

This section reflects a core commitment of Genpire.

Genpire does not use Customer Personal Data or Customer Content — including inputs, prompts, designs, tech packs, comments, or outputs — to train, fine-tune, or improve Genpire's models, or any third-party general-purpose AI, without the Customer's prior, specific, written consent.

Where Genpire uses third-party AI model providers (including OpenAI, Google Gemini, and Perplexity) to deliver inference, those providers are engaged on API tiers that contractually prohibit the use of customer inputs for model training and operate under zero- or limited-retention configurations. Langfuse is used for prompt management and AI observability under equivalent contractual protections.

The Customer retains all rights to Customer Content and AI-generated outputs produced through the platform.

Genpire may use aggregated, anonymised, and de-identified usage data (Service Data — see Section 9) to operate and improve the platform. Such data cannot be re-identified to any individual or to Customer Content.

05

Security

Genpire applies what we consider industry-standard practices for an early-stage SaaS company processing enterprise data:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
  • Role-based access controls and multi-factor authentication for all personnel access to production systems and Customer Content.
  • Logging of administrative access to production systems containing Customer Content.
  • Documented incident response and backup procedures.
  • Regular security and data protection training for personnel, conducted at onboarding and at least annually thereafter.
  • Background checks for personnel with production access, where permitted by applicable law.

On certifications. Genpire does not currently hold SOC 2, ISO 27001, or equivalent third-party certifications. We are actively working toward SOC 2 Type I, with targeted completion in Q2 2027, and operate our security program in alignment with the SOC 2 control framework. In the meantime, enterprise customers may negotiate enhanced commitments and independent assurance activities under Section 12.

06

Sub-processors

Genpire engages sub-processors to deliver the platform. The current list is maintained at genpire.com/sub-processors and includes:

  • Infrastructure & storage: Google Cloud Platform (Cloud Run, Cloud Storage, Cloud Build, Cloud Scheduler, Secret Manager), Vercel, Supabase.
  • AI inference & observability: OpenAI, Google Gemini, Perplexity, Langfuse.
  • Payments: Polar, PayPal.
  • Communications: Loops.so, Twilio.
  • Product analytics & monitoring: Amplitude, LogRocket, Axiom.

Genpire will give the Customer at least thirty (30) days' notice before adding or replacing a sub-processor. The Customer may object on reasonable data protection grounds; if the parties cannot resolve the objection in good faith, the Customer's sole remedy is to terminate the affected services and receive a refund of any prepaid fees for the unused portion of the term.

Each sub-processor is engaged under a written agreement with data protection obligations substantially equivalent to those in this DPA. Genpire remains liable to the Customer for its sub-processors' acts and omissions.

07

International Data Transfers

Where personal data is transferred across borders, the transfer is covered by an appropriate mechanism, including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and such additional measures as required under applicable laws (including the India Digital Personal Data Protection Act 2023 where relevant).

The Customer's default data residency region is identified in the Order Form. Alternative regions are available to enterprise customers on request, subject to technical feasibility.

08

Personal Data Breach Notification

Genpire will notify the Customer within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide reasonable assistance with the Customer's own notification obligations. Notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

A "Personal Data Breach" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in Genpire's possession or control. It does not include unsuccessful attempts (failed login attempts, port scans, DDoS attempts, and similar activity that does not compromise data).

Shorter, contractually fixed breach windows are available to enterprise customers under Section 12.

09

Service Data

Genpire may collect and process aggregated, anonymised, and de-identified data about how the platform is used ("Service Data") for billing, fraud prevention, security analysis, performance monitoring, and product improvement. Service Data that has been aggregated, anonymised, or de-identified such that it can no longer be associated with an identified or identifiable individual is not Customer Personal Data and is not subject to the obligations in this DPA.

Service Data is not used to train foundation models or general-purpose AI without the Customer's prior, specific, written consent.

10

Return and Deletion

On termination of the agreement, Genpire will, at the Customer's written choice, return or delete all Customer Personal Data within thirty (30) days, subject to any retention required by applicable law. Backups may persist for up to ninety (90) days before permanent deletion as part of routine backup rotation, during which they remain subject to the security commitments in Section 5.

If the Customer does not provide an instruction within thirty (30) days, Genpire may permanently delete or anonymise the data in accordance with its documented retention schedule.

11

Audit Rights

The Customer may request information necessary to demonstrate Genpire's compliance with this DPA. Genpire will respond in good faith to reasonable written questionnaires and requests for documentation.

Genpire is actively working toward SOC 2 and ISO 27001 certifications, with targeted completion by Q2 2027. Once obtained, provision of these independent third-party audit reports under confidentiality will satisfy the Customer's standard audit rights.

Enhanced audit rights, including on-site or third-party audits, are available to enterprise customers under Section 12. Genpire will respond to reasonable security questionnaires (e.g., CAIQ, SIG Lite) no more than once per twelve-month period, except following a Personal Data Breach.

12

Personalised Terms for Annual Enterprise Accounts

This DPA is Genpire's standard short-form. For customers entering into an annual enterprise agreement, Genpire offers a broader DPA that can be adapted per client. Personalised terms are agreed in writing and, where they differ from this DPA, prevail solely for the customer and contract to which they apply. To request the broader DPA or discuss personalised terms, contact enterprise@genpire.com.

13

Liability

Liability under this DPA is subject to the limitations and exclusions set out in the underlying agreement. Claims under this DPA do not give rise to a separate cap on liability. Neither party is liable for indirect, incidental, or consequential damages, or for administrative fines imposed on the other by a supervisory authority.

14

Governing Law

This DPA is governed by the laws of the State of Israel, with exclusive jurisdiction in the competent courts of Tel-Aviv-Jaffa, save where a different governing law or jurisdiction is mandatorily required by Applicable Data Protection Laws, and save that, where the EU Standard Contractual Clauses apply, they are governed by the law of the EU member state designated in the SCCs (defaulting to Ireland).

15

Changes to this DPA

Genpire may update this DPA from time to time to reflect changes in law, product, or operating practice. The current version is always available at genpire.com/dpa. Material changes will be notified to active customers at least thirty (30) days in advance.

Contact

All rights reserved to Genpire Labs Ltd. 2026 — Hashmonaim 100, Tel Aviv, Israel · genpire.com · hello@genpire.com. Legally represented by Meitar Law Offices.

Questions, answered.

What is a DPA (Data Processing Agreement)?

A DPA is a contract between a data controller (you, our customer) and a data processor (Genpire) defining how personal data is handled — required under GDPR and similar privacy laws. Genpire's DPA is at /dpa for review and signature by enterprise customers.

Who needs to sign Genpire's DPA?

Required for: enterprise customers processing EU personal data, brands subject to GDPR or similar frameworks, customers requiring formal data-handling documentation. Most solo founders and small brands don't need a separate DPA — Genpire's standard terms cover routine cases.

How do I get Genpire to sign a DPA?

Email legal@genpire.com or contact your account representative. We pre-sign our standard DPA template — usually executable within 1-2 business days. Custom DPA terms requested by enterprise legal teams take longer to review, typically 1-3 weeks.

What does Genpire's DPA cover?

Standard DPA topics: scope of processing, sub-processors used (cloud hosting, AI providers, payment processors), security measures, data-subject rights handling, breach notification, audit rights, and termination provisions. Full text at /dpa.

Who are Genpire's sub-processors?

Major sub-processors: cloud hosting providers (database and file storage), AI providers (Google, OpenAI), payment processors (Polar, Stripe), customer support tools (e.g. Intercom-equivalent), and analytics. Full list maintained in the DPA appendix and updated when sub-processors change.

How does Genpire handle data subject rights requests?

Customers' end-users (or you yourself for your account) can request data access, rectification, deletion, or export through privacy@genpire.com. Standard turnaround: 30 days. For enterprise customers, the DPA outlines specific processes for routing end-user requests through your team.

Where is Genpire data stored geographically?

Primary data residency is in major cloud regions across multiple geographies. Default region for new accounts depends on signup location. Enterprise customers can request specific regional data residency (EU, US, etc.) — discussed during onboarding and reflected in the DPA.

What happens if there's a data breach?

Genpire follows industry-standard breach response: containment, investigation, notification. The DPA commits us to notify affected customers within 72 hours of becoming aware. We work with regulators as required by applicable law and provide affected users guidance on their next steps.