Genie AI

Data Processing Agreement

Last updated: December 1, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Genie AI ("Processor") and you ("Controller") for the provision of AI chatbot services.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

3. Scope and Purpose

The Processor will process Personal Data only for the purpose of providing the services as described in the main agreement and as instructed by the Controller.

4. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller with data subject requests
  • Delete or return all Personal Data upon termination
  • Make available information necessary to demonstrate compliance

5. Sub-processors

The Controller authorizes the use of sub-processors listed in our Trust Center. The Processor will inform the Controller of any changes to sub-processors with at least 30 days notice.

6. Data Transfers

Any transfer of Personal Data outside the EEA will be subject to appropriate safeguards including Standard Contractual Clauses as approved by the European Commission.

7. Security Measures

We maintain SOC 2 Type II certification and implement security measures including encryption at rest and in transit, access controls, regular security testing, and incident response procedures.

8. Data Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

9. Term and Termination

This DPA will remain in effect for the duration of the main agreement. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by law.

Built with v0