Data Processing Agreement

Article 1: Definitions

"Agreement" means this Data Processing Agreement, including any annexes and amendments.

"Controller" means the Customer who determines the purposes and means of processing Personal Data.

"Processor" means Nubio Deep Intelligence Pte. Ltd., which processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by Nubio to process Personal Data on behalf of the Controller.

"Personal Data" has the meaning given under the Personal Data Protection Act 2012 of Singapore ("PDPA"), being data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.

"Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

"PDPA" means the Personal Data Protection Act 2012 of Singapore, as amended, and any subsidiary legislation enacted thereunder.

Article 2: Scope

This DPA applies whenever Nubio processes Personal Data on behalf of the Customer in connection with the Services provided under the Master Services Agreement ("MSA"). This DPA supplements and is incorporated into the MSA. Where this DPA conflicts with the MSA on data processing matters, this DPA prevails.

The specific categories of Personal Data processed and the purposes of processing are defined in the applicable Statement of Work between Nubio and the Customer.

Article 3: Roles and Responsibilities

3.1 The Customer is the Controller and Nubio is the Processor with respect to Personal Data processed under this Agreement.

3.2 Nubio shall process Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law.

3.3 If Nubio believes that an instruction from the Controller infringes applicable data protection law, Nubio shall promptly inform the Controller and shall not be required to comply until the Controller has confirmed or amended the instruction.

3.4 The Controller warrants that it has a lawful basis for processing Personal Data under this Agreement and has provided all required notices to, and obtained all necessary consents from, Data Subjects as required by the PDPA and any other applicable data protection law.

Article 4: Processing Obligations

Nubio shall ensure that Personal Data is:

• Processed solely for the purposes specified in this Agreement and the applicable Statement of Work;
• Processed in accordance with the Controller's documented instructions;
• Subject to appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
• Retained only for the duration of the Agreement plus any statutory retention period required by applicable law.

Article 5: Confidentiality

Nubio shall ensure that persons authorised to process Personal Data have committed to appropriate confidentiality obligations, whether contractual or statutory.

Article 6: Security

6.1 Nubio implements appropriate technical and organisational security measures commensurate with the risk to Personal Data, including measures to protect against unauthorised access, accidental loss, destruction, or damage.

6.2 Security measures are reviewed and updated periodically to reflect evolving threats and technological developments.

6.3 Nubio shall provide a summary of its security measures to the Customer upon reasonable written request, subject to appropriate confidentiality obligations.

Article 7: Sub-processors

7.1 The Customer provides general authorisation for Nubio to engage sub-processors, subject to this Article.

7.2 Nubio maintains a list of current sub-processors, available to the Customer upon request.

7.3 Nubio shall notify the Customer at least thirty (30) days before engaging a new sub-processor or replacing an existing one.

7.4 The Customer may object in writing within fourteen (14) days of receiving notification. If the objection cannot be reasonably resolved, the Customer may terminate the affected services without penalty.

7.5 Nubio shall ensure that all sub-processors are bound by data protection obligations no less protective than those in this DPA.

Article 8: Data Breach Notification

8.1 Nubio shall notify the Customer without undue delay upon becoming aware of a Data Breach affecting Personal Data processed under this Agreement. Where the breach is determined to be notifiable under the PDPA, Nubio shall notify the Customer within three (3) calendar days of that determination, and shall complete its assessment of notifiability within thirty (30) days of becoming aware of the breach.

8.2 Notification shall include, to the extent reasonably available: a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address and mitigate the breach.

8.3 Nubio shall cooperate with the Customer in investigating and remediating any Data Breach.

8.4 Notification of a Data Breach shall not be construed as an admission of fault or liability by Nubio.

Article 9: Data Subject Rights

9.1 Nubio shall provide reasonable assistance to the Customer in responding to requests from individuals exercising their rights under the PDPA, including access and correction requests.

9.2 If Nubio receives a request directly from an individual, Nubio shall promptly redirect the individual to the Customer and notify the Customer of the request.

9.3 The Customer shall bear the cost of any assistance that is excessive or complex in nature.

Article 10: International Data Transfers

10.1 If Personal Data is transferred outside Singapore, Nubio shall ensure that the recipient jurisdiction provides a comparable standard of protection to the PDPA, or that appropriate contractual or other safeguards are in place.

10.2 Transfer mechanisms may include contractual obligations equivalent to those in this DPA, binding corporate rules, or reliance on an adequacy assessment by the relevant authority.

Article 11: Audit

11.1 The Customer may audit Nubio's compliance with this DPA upon at least thirty (30) days' prior written notice, no more than once per calendar year.

11.2 Audits may be conducted by the Customer or by an independent third-party auditor bound by confidentiality obligations acceptable to Nubio.

11.3 Nubio shall provide reasonable cooperation and access to relevant records during an audit, subject to the protection of confidential information of Nubio and its other customers.

Article 12: Data Retention and Deletion

12.1 Upon termination or expiration of the Agreement, Nubio shall, at the Customer's written election, delete or return all Personal Data within ninety (90) days, unless applicable law requires continued retention.

12.2 Nubio may retain anonymised and aggregated data that cannot be used to identify any individual.

12.3 Where retention is required by law, Nubio shall continue to protect such data in accordance with this DPA for the duration of retention.

Article 13: Liability

13.1 Each party's liability arising out of or in connection with this DPA is subject to the limitations set forth in the MSA.

13.2 Nothing in this DPA limits either party's liability for fraud, gross negligence, or wilful misconduct.

Article 14: Governing Law

This DPA is governed by the laws of the Republic of Singapore. Disputes shall be resolved in accordance with the dispute resolution provisions of the MSA.

Article 15: Contact