Last updated 18 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between KYC Genie FZC LLC ("KYC Genie", "Processor", "we", "us") and the entity that has agreed to the KYC Genie Terms of Service or otherwise engaged KYC Genie's services ("Controller", "Client", "you").
This DPA is incorporated into and subject to the Terms of Service or other written agreement between the parties (the "Principal Agreement"). In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of personal data, this DPA shall prevail.
By using KYC Genie's services, you agree to the terms of this DPA. If you require a signed, individually negotiated version of this DPA, please contact privacy@kycgenie.com.
Processor: KYC Genie FZC LLC, Amber Gem Tower, Al Rashidiya 3, Ajman, United Arab Emirates
Data Protection Officer / Contact: privacy@kycgenie.com
Controller: The entity named in the KYC Genie account registration or Principal Agreement.
In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in applicable Data Protection Law.
KYC Genie processes Personal Data on behalf of the Controller solely for the purpose of providing the Services as described in Schedule 1 and as configured and instructed by the Controller through its use of the platform.
The Controller's use of the Services - including configuring questionnaires, initiating AML screening, uploading documents, and triggering identity verification checks - constitutes the Controller's documented instructions to KYC Genie to process Personal Data for the purposes described in Schedule 1. KYC Genie shall not process Personal Data for any other purpose unless required by applicable law, in which case clause 3.1 applies.
KYC Genie does not process Personal Data for its own purposes. In particular, KYC Genie does not process Personal Data to satisfy any regulatory compliance, record-keeping, or anti-money-laundering obligation of its own, and does not act as a controller in respect of the Personal Data processed on the Controller's behalf under this DPA.
Notwithstanding the foregoing, KYC Genie may process aggregated, de-identified, or anonymised data derived from use of the Services as an independent controller for the limited purposes of securing and operating the platform, detecting and preventing fraud and misuse, and developing and improving the Services, provided that such processing does not identify, and is not used to re-identify, any individual Data Subject.
The Services include a test mode environment that provides a logically isolated environment for non-production use. All technical and organisational security measures described in this DPA apply equally to Personal Data processed in test mode. Controllers are encouraged to use synthetic or anonymised data in test mode; where real Personal Data is used in test mode, it is subject to the same protections as live data.
KYC Genie shall, in respect of all Personal Data processed under this DPA:
Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. Where KYC Genie is required by law to process Personal Data other than in accordance with the Controller's instructions, KYC Genie shall notify the Controller of that requirement before processing, unless the applicable law prohibits such notification.
If KYC Genie reasonably believes that an instruction from the Controller infringes applicable Data Protection Law, KYC Genie shall promptly notify the Controller. KYC Genie may decline to follow such an instruction until the Controller has confirmed it in writing. KYC Genie may continue to decline if, in its reasonable opinion, following the instruction would cause KYC Genie to breach applicable Data Protection Law.
Ensure that all personnel authorised to process Personal Data are subject to appropriate obligations of confidentiality and have received adequate training in data protection.
Implement and maintain appropriate technical and organisational measures to protect Personal Data as described in clause 6 of this DPA.
Not engage any Sub-processor to process Personal Data without the Controller's prior authorisation, except as set out in clause 5 of this DPA.
Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law, as further described in clause 7.
Assist the Controller in ensuring compliance with its obligations under applicable Data Protection Law relating to security of processing, breach notification, data protection impact assessments, and prior consultation with a Supervisory Authority, having regard to the nature of processing and the information available to KYC Genie.
Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits as described in clause 9.
At the Controller's election, delete or return all Personal Data upon termination of the Services, and delete existing copies, except where data is retained under the Regulatory Retention Service described in clause 10.3 or as otherwise required by applicable law, as further described in clause 10.
Promptly notify the Controller if KYC Genie receives a legally binding request for disclosure of Personal Data from a law enforcement authority or court, unless prohibited by law from doing so.
Where AI features are used in the Services (including document analysis, questionnaire autofill, and answer quality checking), such processing is performed through enterprise-grade AI services provided by KYC Genie's cloud infrastructure provider under enterprise data processing terms. Personal Data processed through AI features is not used - and KYC Genie shall obtain contractual commitments from Sub-processors that Personal Data is not used - to train, fine-tune, or improve any AI or machine learning model beyond the immediate task for which it was submitted. KYC Genie does not control, and this clause does not apply to, any temporary retention by an AI Sub-processor required under that Sub-processor's mandatory safety monitoring or abuse prevention obligations, as disclosed in that Sub-processor's published data processing terms.
The parties acknowledge that, where the Controller is a regulated entity, its use of the Services may constitute an outsourced or third-party arrangement under applicable financial services regulatory frameworks. KYC Genie shall provide the Controller with reasonable assistance, consistent with the information and audit rights set out in clause 9, to support the Controller in meeting its applicable outsourcing, supervisory, and oversight requirements in respect of the Services.
The Controller represents, warrants, and undertakes that:
The Controller shall defend, indemnify, and hold harmless KYC Genie, its affiliates, and their respective officers, directors, employees, and agents against all claims, losses, damages, fines, liabilities, costs, and expenses (including reasonable legal costs) arising out of or in connection with:
The liability cap in clause 12.2 applies to claims brought by the Controller against KYC Genie. It does not apply to the Controller's indemnification obligations under this clause, which are uncapped in respect of claims brought by KYC Genie against the Controller.
The Controller grants KYC Genie general authorisation to engage the Sub-processors listed in Schedule 2. KYC Genie shall ensure that each Sub-processor is bound by data protection obligations no less protective than those imposed on KYC Genie under this DPA.
KYC Genie shall provide at least 30 days' prior written notice of any intended addition or replacement of Sub-processors, including by updating the Sub-processor list referenced in Schedule 2 or by notification through the platform. Notice is not required for changes that do not involve the processing of new categories of Personal Data or that do not materially increase the risk to Data Subjects.
The Controller may object to a new Sub-processor on reasonable data protection grounds by notifying KYC Genie in writing within the notice period. KYC Genie shall consider the objection and may, at its reasonable discretion, take appropriate measures to address it. If KYC Genie cannot reasonably accommodate the objection, the Controller may terminate the affected Services on written notice, subject to the terms of the Principal Agreement. Continued use of the Services after the notice period without objection constitutes acceptance of the new Sub-processor.
KYC Genie remains fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA to the extent that KYC Genie would itself be liable, subject always to the limitations of liability in clause 12.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of Data Subjects, KYC Genie implements and maintains appropriate technical and organisational security measures including:
KYC Genie shall regularly review its security measures and incorporate improvements to address identified risks. Results of the most recent independent penetration test or security assessment are available to Controllers on reasonable written request, subject to appropriate redaction and NDA. KYC Genie may notify Controllers when relevant security certifications are obtained.
KYC Genie shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
If KYC Genie receives a request directly from a Data Subject in relation to Personal Data processed on behalf of the Controller, KYC Genie shall:
Where Personal Data is being retained under the Regulatory Retention Service described in clause 10.3 (to assist the Controller in meeting its own AML and KYC record-keeping obligations), KYC Genie shall inform the Controller of the applicable retention period and legal basis when responding to erasure or restriction requests, to assist the Controller in responding to the Data Subject.
In the event of a Personal Data Breach affecting Personal Data processed under this DPA, KYC Genie shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. This timeline is designed to assist the Controller in meeting its own notification obligations to the relevant Supervisory Authority under GDPR Article 33 and equivalent provisions.
The breach notification shall, to the extent then available, include:
Where all information is not available at the time of initial notification, KYC Genie shall provide further information in phases as it becomes available.
KYC Genie shall cooperate fully with the Controller in investigating the breach, mitigating its effects, and fulfilling any notification obligations to Supervisory Authorities or Data Subjects.
Notification of a breach by KYC Genie under this clause does not constitute an acknowledgement of fault or liability in respect of that breach.
KYC Genie shall make available to the Controller, on reasonable written request, all information reasonably necessary to demonstrate compliance with the obligations in this DPA, including its data protection policies, sub-processor list, and relevant security documentation.
The Controller may request an audit of KYC Genie's processing under this DPA. KYC Genie shall facilitate such audits by:
Where the Controller's own regulatory obligations require an on-site audit of KYC Genie's processing facilities, such audits may be arranged by prior written agreement, subject to: (i) reasonable prior written notice; (ii) reasonable scheduling constraints agreed in advance; (iii) the audit being conducted at the Controller's cost; and (iv) execution of an appropriate NDA prior to commencement. Independent third-party technical audits may similarly be arranged by mutual written agreement at the Controller's reasonable cost.
Audit requests shall be made no more than once per calendar year, unless there are reasonable grounds to suspect a material breach of this DPA or as required by a Supervisory Authority.
Upon termination or expiry of the Services, or on the Controller's written request during the term, KYC Genie shall, at the Controller's election:
If the Controller does not make an election within 30 days of termination, KYC Genie shall proceed with deletion.
Notwithstanding clause 10.1, KYC Genie may retain Personal Data in encrypted backup systems for up to 45 days following deletion for business continuity purposes. Such data shall be isolated from active processing and permanently deleted when the relevant backup cycle completes.
KYC Genie is a technology processor and is not itself an obliged entity under anti-money-laundering legislation. KYC Genie is not legally required to retain Personal Data after termination, does not do so for its own regulatory or record-keeping purposes, and does not determine the retention periods that apply to the Controller. Retention is controlled by the Controller.
Because the Controller - as the obliged entity conducting KYC/AML due diligence - is typically required under applicable anti-money-laundering and financial-crime laws to retain KYC records for a number of years (commonly five to seven) following the end of the relevant business relationship, KYC Genie provides a retention feature to support the Controller in meeting that obligation. By default, and reflecting the most common regulatory requirement, KYC Genie retains the following categories of KYC records for 7 years following the end of the relevant business relationship:
The Controller controls this retention. The Controller may set a different retention period, disable post-termination retention, or - at or following termination - instead elect under clause 10.1 to receive a full data export and request deletion, in which case no post-termination retention will apply. The 7-year default exists solely as a convenience and reflects the Controller's documented decision to use the Services for regulated KYC/AML purposes; KYC Genie applies it on the Controller's instruction and does not independently determine that any particular retention period is required. Where a deletion request cannot be fulfilled in full because of a retention setting the Controller has enabled, KYC Genie shall notify the Controller and confirm the applicable retention period.
KYC Genie is established in the United Arab Emirates. KYC Genie and its Sub-processors may process Personal Data in any country in which they or their infrastructure providers maintain operations, subject to the appropriate transfer mechanisms set out in Schedule 3 and applicable Data Protection Law. Where a Controller requires Personal Data to be processed within a specific jurisdiction, this may be agreed in writing between the parties.
Where the Controller is established in the European Economic Area, the transfer of Personal Data from the Controller to KYC Genie constitutes a restricted transfer under GDPR. Such transfers are made on the basis of the European Commission Standard Contractual Clauses (Module 2: Controller to Processor), incorporated into this DPA as Schedule 3.
Where the Controller is established in the United Kingdom, transfers of Personal Data to KYC Genie are made pursuant to the UK International Data Transfer Agreement (IDTA) or the Addendum to the EU SCCs under section 119A of the UK Data Protection Act 2018, as incorporated in Schedule 3.
For Controllers established in the United Arab Emirates, KYC Genie processes Personal Data in compliance with applicable UAE Data Protection Law. As KYC Genie is itself established in the UAE, no restricted cross-border transfer mechanism is required for the Controller's transfer of Personal Data to KYC Genie. Onward transfers from KYC Genie to its Sub-processors are made on the basis of appropriate safeguards as specified in Schedule 2.
KYC Genie ensures that transfers of Personal Data to Sub-processors located outside the EEA are made on the basis of appropriate safeguards, as specified in Schedule 2.
For Controllers established outside the EEA, United Kingdom, and United Arab Emirates, the legal basis for the transfer of Personal Data from the Controller to KYC Genie is the Controller's responsibility, as set out in clause 4. KYC Genie's onward transfers of Personal Data to its Sub-processors are made on the basis of appropriate safeguards as specified in Schedule 2 and each Sub-processor's published data processing terms.
Each party's liability to the other under this DPA is subject to the limitations and exclusions in the Principal Agreement. Where the Principal Agreement does not specifically address liability for data protection matters, clauses 12.2 to 12.5 apply.
Subject to clause 12.3, each party's total aggregate liability to the other under or in connection with this DPA (whether in contract, tort including negligence, or otherwise) shall not exceed the total fees paid or payable by the Controller to KYC Genie in the 12 months immediately preceding the event giving rise to the claim.
The cap in clause 12.2 shall not apply to, and nothing in this DPA limits either party's liability for:
The liability cap shall also not apply to Personal Data Breaches directly caused by KYC Genie's wilful misconduct or fraud.
Where a Data Subject or Supervisory Authority brings a claim or imposes a fine in respect of a breach caused primarily by one party, that party shall indemnify the other against reasonable costs, damages, and fines directly attributable to its fault, subject always to the liability cap in clause 12.2 and the exclusions in clause 12.3.
Where both parties have contributed to a breach, any resulting financial liability - including regulatory fines and Data Subject compensation - shall be apportioned in proportion to each party's degree of responsibility, as required by GDPR Article 82 and equivalent provisions.
This DPA takes effect on the date the Controller first uses the Services or executes a signed DPA with KYC Genie (whichever is earlier) and continues until the termination or expiry of the Principal Agreement.
The obligations in clause 10.3 (Regulatory Retention Service) survive termination of this DPA for as long as KYC Genie retains any Personal Data processed under it. The liability provisions in clause 12 survive termination and continue to apply to any claims arising under this DPA, for the duration of the applicable limitation period under governing law. The Controller's indemnity obligations in clause 4.1 survive termination and continue to apply to any claims arising from the Controller's use of the Services, for the duration of the applicable limitation period under governing law.
This DPA is governed by English law. Although KYC Genie FZC LLC is incorporated in the United Arab Emirates, English law has been selected as the governing law for this DPA as a well-developed, internationally recognised legal framework appropriate for cross-border data processing relationships, widely accepted by Controllers established across the EEA, UK, UAE, and internationally. Each party irrevocably submits to the non-exclusive jurisdiction of the English courts in relation to any dispute arising from or in connection with this DPA. Nothing in this clause limits the right of either party to seek urgent interim relief in any competent jurisdiction.
Where the Controller is a UAE-established entity, either party may elect in writing to resolve disputes under UAE law in the courts of the UAE, in lieu of the English courts.
KYC Genie complies with the Data Protection Law applicable to it as a Processor, including the data protection law of its place of establishment in the United Arab Emirates. This DPA is designed to apply consistently regardless of the Controller's jurisdiction; KYC Genie's obligations under this DPA apply in respect of whichever Data Protection Law governs the Controller's use of the Services.
In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of Personal Data, this DPA shall prevail. The SCCs incorporated in Schedule 3 shall prevail over this DPA to the extent of any conflict relevant to transfers to which those clauses apply.
KYC Genie may update this DPA from time to time to reflect changes in applicable law or its processing activities. For material changes, KYC Genie shall provide the Controller with at least 30 days' notice before the changes take effect, given by updating the DPA on KYC Genie's website and notifying the Controller's account by email or in-platform notification. Continued use of the Services after the notice period constitutes acceptance of the updated DPA. Non-material updates (such as adding new Sub-processors in accordance with clause 5.2, correcting typographical errors, or clarifications that do not reduce the Controller's rights) take effect on publication without prior notice. Where a signed DPA is in place, only material changes require mutual written agreement; non-material updates take effect on the same basis as above.
If any provision of this DPA is found by a competent court to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
If a change in applicable Data Protection Law prevents either party from fulfilling all or part of its obligations under this DPA, the parties shall use reasonable efforts to bring the relevant processing into compliance within 60 days. If compliance cannot be achieved within that period, either party may terminate the affected Services on written notice. The parties agree that such termination is the sole remedy in these circumstances and neither party shall have any further liability to the other arising from the change in law.
This DPA, together with the Principal Agreement and the Schedules hereto, constitutes the entire agreement between the parties relating to the processing of Personal Data in connection with the Services, and supersedes all prior agreements, representations, or understandings on the same subject matter.
This Schedule sets out the details of processing carried out by KYC Genie as Processor on behalf of the Controller, as required by GDPR Article 28(3) and equivalent provisions under applicable Data Protection Law.
The provision of KYC Genie's Know Your Customer (KYC) and due diligence workflow platform, including questionnaire management, AML screening, identity verification, AI document analysis, and associated compliance reporting.
For the term of the Principal Agreement, plus any post-termination retention period under the Regulatory Retention Service specified in clause 10.3 (where applicable).
Collection, storage, structuring, retrieval, use, disclosure to Sub-processors, restriction, and deletion of Personal Data as part of the KYC due diligence process, specifically:
To enable the Controller to fulfil its regulatory KYC, AML, and customer due diligence obligations in respect of its business relationships with the Data Subjects, and to manage, review, and record those obligations through the Services.
| Category | Data fields |
|---|---|
| Individual identity data | Full name (including former names), date of birth, nationality, gender, country of birth |
| Contact data | Email address, telephone number, residential and correspondence address (street, city, postal code, country) |
| Identity document data | Passport number, national ID number, driver's licence number, document expiry date, document images |
| Government identifiers | Social Security Number, Social Insurance Number, Emirates ID, NRIC, tax identification number, or jurisdiction-equivalent identifier, as applicable |
| Corporate data | Legal name, trading name, company registration number, jurisdiction and date of incorporation, registered address, principal place of business, beneficial ownership structure, UBO information |
| Corporate documents | Certificates of incorporation, articles of association, shareholder registers, financial statements, business licences, proof of address documents |
| Biometric data | Facial images and liveness video collected during identity verification checks. Processed and retained by the relevant Sub-processor providing identity verification services only - KYC Genie does not store biometric data on its own systems. |
| Screening and risk data | AML, sanctions, and PEP screening results; adverse media findings; risk scores; KYC status and review history; identity verification outcomes |
| Questionnaire response data | Responses to due diligence questionnaire questions and any supporting documents uploaded in connection with those responses |
| Platform user data | Name, email address, role, and login activity of the Controller's employees who access the platform |
The following Sub-processors are authorised as at the effective date of this DPA. The categories of Personal Data each Sub-processor processes, and the appropriate safeguards applicable to any transfer, are as set out below. Each Sub-processor processes Personal Data across the locations in which it and its own infrastructure providers operate, as described in that Sub-processor's published documentation. KYC Genie will provide at least 30 days' prior written notice of any additions or replacements in accordance with clause 5.2. For the current list, contact privacy@kycgenie.com.
| Sub-processor | Purpose | Transfer safeguard |
|---|---|---|
| Microsoft Azure | Cloud infrastructure hosting, including data and document storage, user authentication, AI processing, and caching | Microsoft Data Processing Agreement incorporating EU SCCs and applicable transfer safeguards |
| ComplyAdvantage | AML, sanctions, PEP, and adverse media screening; ongoing monitoring alerts | ComplyAdvantage Data Processing Agreement incorporating EU SCCs / UK IDTA Addendum |
| ComplyCube | Identity document verification, biometric liveness checks, multi-bureau database checks. Biometric data is processed and retained solely on the identity verification Sub-processor's systems in accordance with that Sub-processor's data retention policy, and is not transferred to or stored by KYC Genie. | ComplyCube Data Processing Agreement incorporating UK IDTA / EU SCCs |
| SendGrid (Twilio Inc.) | Transactional email delivery (workflow notifications, verification links, status alerts). Notification emails may include the name of the entity or individual to whom the notification relates and the name of the Controller's account. No KYC document content, identity document data, screening results, or government identifier data is transmitted to SendGrid. | Twilio Data Processing Addendum incorporating EU SCCs / UK IDTA Addendum |
Where the Controller is established in the European Economic Area, the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, Module 2 (Controller to Processor), as adopted by the European Commission Decision of 4 June 2021 (C(2021) 3972), are incorporated into this DPA by reference and apply to transfers of Personal Data from the Controller to KYC Genie.
For the purposes of the SCCs, the following options and details apply:
| SCC Clause | Selection / Detail |
|---|---|
| Clause 7 - Docking clause | The optional docking clause is included. |
| Clause 9 - Sub-processors | Option 2 (general written authorisation). The Sub-processor list is set out in Schedule 2 of this DPA. Notice period: 30 days, as per clause 5.2 of this DPA. |
| Clause 11 - Redress | The optional independent resolution body clause is not included. |
| Clause 13 - Supervisory authority | The supervisory authority of the EU Member State in which the Controller is established. |
| Clause 17 - Governing law of SCCs | Irish law. |
| Clause 18 - Jurisdiction | Courts of Ireland. |
| Annex I.A - List of parties | Data exporter: Controller as identified in the Principal Agreement. Data importer: KYC Genie FZC LLC, Amber Gem Tower, Al Rashidiya 3, Ajman, United Arab Emirates; Data Protection Officer: privacy@kycgenie.com. |
| Annex I.B - Description of transfer | As set out in Schedule 1 of this DPA. |
| Annex I.C - Competent supervisory authority | As per Clause 13 above. |
| Annex II - Technical and organisational measures | As described in clause 6 of this DPA. |
Note on governing law: The EU SCCs are governed by Irish law (Clause 17 above) in accordance with the EU Commission's requirement that SCCs be governed by the law of an EU Member State. This applies only to the SCCs themselves and does not conflict with English law governing the remainder of this DPA under clause 14.1; Irish law governs the SCCs solely to satisfy the requirements of the EU standard clauses framework.
The full text of the EU SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
Where the Controller is established in the United Kingdom, transfers of Personal Data from the Controller to KYC Genie are made pursuant to the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office (version B1.0, March 2022), or the Addendum to the EU SCCs approved under section 119A of the UK Data Protection Act 2018, as applicable. The details of the restricted transfer are as set out in Schedule 1 of this DPA.
For Controllers established in the United Arab Emirates, KYC Genie processes Personal Data in compliance with applicable UAE Data Protection Law. As KYC Genie is established in the UAE, no restricted cross-border transfer mechanism is required for the Controller's transfer of Personal Data to KYC Genie.