Data Processing Agreement
Preamble
This Data Processing Agreement amends and forms part of the Agreement between Subgen AI and the Customer. This Data Processing Agreement prevails over any conflicting terms of the Agreement but does not otherwise modify the Agreement.
1. Definitions
The capitalized words in this Agreement shall have the meaning given below:
"Agreement": means the service agreement entered into by and between the Parties, governing the provision of the Serenity* Star Services by Subgen AI to the Customer.
"Applicable Data Protection Law": means any applicable national, federal, EU, state, provincial or other privacy, data security, or data protection law or regulation, including, to the extent applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable since 25 May 2018 (the "GDPR").
"Authorized Recipient": means (i) Subgen AI's affiliates, (ii) Subgen AI's team members, (iii) Subgen AI's Sub-processors or (iv) any third party that is authorized by the Applicable Data Protection Law to access the Personal Data.
"Authorized Purpose": means the authorized purpose for the Processing as mentioned in Exhibit 1.
"Customer": means any legal person who subscribes to the Serenity* Star Services and, where applicable, its affiliates.
"Data Controller": means the person who determines the purposes and the means of the Processing.
"Data Processing Agreement" or "DPA": means this data processing agreement governing the Processing carried out by the Parties, which forms part of the Agreement.
"Data Processor": means the person who carries out the Processing on behalf of the Data Controller and under its documented instructions.
"Data Subjects": means the persons whose Personal Data is processed.
"International Data Transfer": means any disclosure of Personal Data by an organization established in the EEA to a Restricted Country.
"Subgen AI": means Subgen AI Limited, a company organized and existing under the laws of the United Kingdom (Company No. 15374966), with its offices at 100 Avebury Boulevard, Milton Keynes MK9 1FH, United Kingdom, and its affiliates.
"Personal Data": means any data relating to an identified or identifiable Data Subject.
"Personal Data Breach": means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, likely to result in a risk for the rights and freedoms of Data Subjects.
"Processing": means the processing of Personal Data described in Exhibit 1.
"Restricted Country": means any country that is located outside of the European Economic Area (EEA) and does not benefit from an adequacy decision from the European Commission.
"SCC": means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time.
"Services": means all services provided within the Serenity* Star ecosystem by Subgen AI to the Customer, including but not limited to Serenity* AI Hub, Serenity* Nexus, Serenity* Compliance, and Serenity* Health Research.
"Sub-processor": means any Data Processor appointed by Subgen AI to carry out all or part of the Processing on behalf of the Customer.
"Supervisory Authority": means any independent authority competent to supervise the Processing.
Terms not defined in this document. Any capitalized word that is not defined in this DPA shall have the meaning given in the Agreement.
2. Role of the Parties
2.1. Subgen AI as Data Processor
Services provided on Serenity* Star platforms. When Customer uses any of the Serenity* Star platforms:
- The Customer is the Data Controller;
- Subgen AI is the Data Processor for the limited and specific Authorized Purposes set out in Exhibit 1.
Services provided via Cloud Providers. When Customer uses the Services through a Cloud Provider:
- The Customer is the Data Controller;
- The Cloud Provider processes the Personal Data provided by the Customer as Data Processor for the purpose of making the Models available to the Customer on the Cloud Provider's Infrastructure;
- Subgen AI will only process Personal Data provided by the Customer as Data Processor for the limited and specific Authorized Purposes set out in Exhibit 1.
Description of the Processing. Subgen AI processes the Personal Data on behalf of the Customer in order to provide the Customer with the Services under the Agreement. A description of the Processing is available in Exhibit 1 of this DPA. The Customer agrees that Subgen AI may update the description of the Processing from time to time to reflect new Services, features or functionalities.
2.2. Subgen AI as Data Controller
Subgen AI as Data Controller. The Customer authorizes Subgen AI to process the User Data as Data Controller for the purpose of:
- Monitoring abuse;
- Processing voluntary reports;
- Research and development purposes, including to improve the training of Our Models, only if Customer:
  - Uses the Free Services; or
  - Uses the Paid Services on Serenity* Star platforms and has not opted out of the Subgen AI training data set by using the applicable feature on its Account.
3. General obligations of the Parties
Each Party shall comply with its respective obligations under the Applicable Data Protection Law and shall not, by any act or omission, cause the other to be in breach of any such obligations under the Applicable Data Protection Law.
3.1. General obligations of Subgen AI
Subgen AI shall:
- Process the Personal Data only in accordance with the documented lawful instructions of the Customer as set forth in this DPA, the Agreement or by email and for no other purpose, unless required to do so by the applicable laws. In such a case, Subgen AI shall promptly inform the Customer of that legal requirement, unless prohibited to do so by applicable law and/or on important grounds of public interest;
- Promptly inform the Customer if, in its opinion, the Customer's instructions infringe the Applicable Data Protection Law. In such an event, Subgen AI is entitled to refuse to perform the Processing of Personal Data that it believes to be in violation of the Applicable Data Protection Law;
- Ensure that any person Subgen AI authorizes to process Personal Data (including Subgen AI team members and the Sub-processors) is subject to a duty of confidentiality, whether contractual or statutory, and not allow any person who is not under such confidentiality obligations to process Personal Data;
- Taking into account the nature of the Processing and the information available to Subgen AI, upon the Customer's written request and to the extent that is commercially reasonable and required by the Applicable Data Protection Law, provide the Customer with reasonable and timely assistance (i) in the event of an investigation from a Supervisory Authority related to the Processing, (ii) to conduct a data protection impact assessment or a prior consultation with a Supervisory Authority, and (iii) to comply with its obligations under Article 32 GDPR.
3.2. General obligations of the Customer
The Customer agrees that:
- It will comply with its obligations under the Applicable Data Protection Law regarding the Processing and any Processing instruction it issues to Subgen AI;
- It is responsible for providing guidance to Authorized Users regarding the use of the Serenity* Star Services, and in particular the use of Personal Data within the Services;
- It is responsible for applying filters to prevent any unauthorized use of Personal Data by the Authorized Users;
- It is responsible for ensuring compliance with all security requirements when using any component of the Serenity* Star ecosystem;
- Subgen AI's security obligations under this DPA apply without prejudice to the Customer's own security obligations under the Applicable Data Protection Law;
- It has provided notice and obtained all consents and rights necessary under the Applicable Data Protection Law for Subgen AI to process Personal Data under this DPA.
4. Data Subjects Rights
4.1. Information
As Data Controller, the Customer is solely responsible for providing the Data Subjects with any information required by the Applicable Data Protection Law.
4.2. Data Subject Requests
Taking into account the nature of the Processing and upon the Customer's request, Subgen AI shall provide the Customer with commercially reasonable assistance to enable the Customer to respond to any request from Data Subjects to exercise any of their rights under the Applicable Data Protection Law.
4.3. Direct Requests
In the event that any request is made directly to Subgen AI, Subgen AI will not respond to such request directly without the Customer's prior consent, unless required to do so by applicable law. Instead, Subgen AI will transfer that request to the Customer, who will then be solely responsible for responding to such request. If Subgen AI is legally required to respond to the Data Subjects' request, Subgen AI will promptly notify the Customer and provide it with a copy of the request, unless prohibited from doing so by applicable law.
5. Security and Personal Data Breach
5.1. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Subgen AI shall implement and maintain appropriate technical and organizational measures across the Serenity* Star ecosystem to protect Personal Data from any Personal Data Breach and to preserve the security and confidentiality of the Personal Data. These measures include:
- Encryption of data at rest and in transit
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Continuous monitoring and logging of system access
- Regular backup procedures
- Specific security measures for each Serenity* Star platform component
5.2. Personal Data Breach
In the event of a Personal Data Breach, Subgen AI shall:
- Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
- Provide detailed information including:
  - Description of the nature of the breach
  - Categories and number of Data Subjects affected
  - Categories of Personal Data involved
  - Measures taken or proposed to address the breach
  - Potential consequences of the breach
- Cooperate with the Customer in investigating and remediating the breach
- Document all breaches and remedial actions taken
6. Sub-processing
6.1. General Authorization
The Customer provides prior general authorization for Subgen AI to engage Sub-processors for the Serenity* Star ecosystem, subject to the following conditions:
- Subgen AI maintains an up-to-date list of Sub-processors on its website
- Subgen AI provides 30 days' prior notice of any intended changes to the Sub-processor list
- Sub-processors are bound by data protection obligations no less protective than those in this DPA
- Subgen AI remains liable for its Sub-processors' compliance with the DPA obligations
6.2. Objection Right
Customers may object to new Sub-processors within 30 days of notification. If no resolution is reached, Customer may terminate the affected Services.
7. International Data Transfers
7.1. Transfer Mechanisms
Subgen AI shall only transfer Personal Data to countries outside the EEA that:
- Have been deemed adequate by the European Commission
- Are covered by appropriate safeguards (such as SCCs)
- Fall under specific derogations provided by GDPR
7.2. Standard Contractual Clauses
Where required, the Parties agree to be bound by the EU Standard Contractual Clauses, which are incorporated by reference into this DPA.
8. Audits
8.1. Audit Rights
Upon reasonable notice and no more than once per year, Customer may audit Subgen AI's compliance with this DPA by:
- Requesting documentation and certifications
- Conducting on-site audits during regular business hours
- Using an independent auditor bound by confidentiality obligations
8.2. Audit Process
- Customer must provide at least 30 days' notice
- Audits must not unreasonably interfere with Subgen AI's operations
- Customer bears all audit costs
- Audit findings must be shared with both Parties
9. Return or Deletion of Personal Data
9.1. End of Services
Upon termination of Services, Subgen AI shall:
- Return Personal Data to Customer in a standard format or delete all Personal Data from its systems; and
- Ensure Sub-processors also comply with return/deletion requirements
9.2. Retention Period
Personal Data will be retained for 30 days after Service termination unless:
- Longer retention is required by law
- Customer requests immediate deletion
- Specific retention periods are defined for individual Serenity* Star platforms
10. Term and Termination
10.1. Duration
This DPA shall commence with the Agreement and continue until all Personal Data is deleted or returned to Customer.
10.2. Survival
Obligations relating to confidentiality, liability, and dispute resolution survive termination.
11. Limitation of Liability
11.1. Liability Cap
The total aggregate liability of either Party under this DPA shall be subject to the limitations set forth in the Agreement.
11.2. Exclusions
Liability caps do not apply to:
- Willful misconduct or gross negligence
- Breach of confidentiality obligations
- Violations of the Applicable Data Protection Law
The liability framework specifically considers the diverse services within the Serenity* Star ecosystem and provides appropriate protection for both Parties while ensuring compliance with data protection regulations.
12. Compliance with Laws and Regulations
12.1. Compliance Framework
Subgen AI shall maintain a comprehensive compliance framework covering:
- EU AI Act compliance
- GDPR requirements
- Industry-specific regulations
- Local data protection laws
12.2. Documentation and Records
Both Parties shall maintain required documentation including:
- Records of processing activities
- Impact assessments
- Security incident logs
- Compliance certifications
13. Changes to this DPA
13.1. Modification Process
- Subgen AI may modify this DPA with 30 days' notice
- Material changes require Customer consent
- Changes required by law take immediate effect
- Updates will be communicated via email and platform notifications
13.2. Objection Rights
- Customers may object to material changes within 15 days
- If no agreement is reached, Customer may terminate Services
14. Dispute Resolution
14.1. Governing Law
This DPA is governed by the laws of the United Kingdom, without regard to its conflict of law principles.
14.2. Jurisdiction
Courts of London, United Kingdom shall have exclusive jurisdiction over any disputes.
14.3. Dispute Process
- Informal resolution attempt required
- Mediation through agreed third party
- Legal proceedings as last resort
Exhibit 1 - Description of the Processing
Subgen AI may update the description of the Processing from time to time to reflect new Services, features or functionality within the Serenity* Star ecosystem.
1. Serenity* AI Hub
A. List of the Parties
- Data Controller: The Customer
- Data Processor: Subgen AI
- Subgen AI privacy contact: [email protected]
B. Description of the Processing
Categories of Data Subjects:
- The Customer
- The Authorized Users
- End-Users
- Any other natural person whose Personal Data is used by the Customer or the Authorized User as User Data
Categories of Personal Data:
- Account data (professional contact details, organization name, Subgen AI User ID etc.)
- API Keys (where applicable)
- Any Personal Data included in the User Data
- Support request data
Special categories of Personal Data:
- None. Customer shall not process sensitive data under this DPA without prior written agreement.
Nature of the Processing:
- Generation of AI model outputs
- Model fine-tuning and customization
- User authentication and authorization
- Service delivery and optimization
2. Serenity* Compliance
A. List of the Parties
- Data Controller: The Customer
- Data Processor: Subgen AI
- Subgen AI privacy contact: [email protected]
B. Description of the Processing
Categories of Data Subjects:
- The Customer
- The Authorized Users
- Compliance officers and administrators
- Individuals whose data is processed for compliance purposes
Categories of Personal Data:
- Account data
- Compliance monitoring data
- Policy acceptance records
- Audit logs and compliance reports
3. Serenity* Health Research
A. List of the Parties
- Data Controller: The Customer
- Data Processor: Subgen AI
- Subgen AI privacy contact: [email protected]
B. Description of the Processing
Categories of Data Subjects:
- The Customer
- The Authorized Users
- Research staff and administrators
- Research subjects (in anonymized form only)
Categories of Personal Data:
- Account data
- Research protocol data
- Anonymized research data
- Analysis results
4. Serenity* Nexus
A. List of the Parties
- Data Controller: The Customer
- Data Processor: Subgen AI
- Subgen AI privacy contact: [email protected]
B. Description of the Processing
Categories of Data Subjects:
- The Customer
- The Authorized Users
- Enterprise users
- Support staff
Categories of Personal Data:
- Account data
- Usage patterns and interaction data
- Corporate workflow data
- Training data for specialized agents
Common Processing Elements
Duration of Processing:
- For the term of the Agreement
Frequency of Processing:
- Continuous, as required for service delivery
Nature and Purpose of Processing:
- To provide and maintain the Serenity* Star services
- To ensure security and compliance
- To provide customer support
- To improve and optimize services
Type of Personal Data:
- As specified for each platform above
- No special categories of data unless explicitly agreed
Retention Periods:
- Active processing: Duration of the Agreement
- Post-termination: 30 days unless otherwise specified
- Backup retention: Up to 90 days
- Compliance data: As required by applicable laws
Technical and Organizational Security Measures:
- As detailed in Exhibit 2 of this DPA
Exhibit 2 - Technical and Organizational Measures
1. General Security Architecture
1.1 Infrastructure Security
- Multi-layered security architecture
- Regular security audits and assessments
- Continuous monitoring and threat detection
- Automated security patching and updates
1.2 Access Control Systems
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Privileged access management
- Regular access reviews and audits
1.3 Network Security
- Network segmentation
- Encrypted communications
- Intrusion detection/prevention systems
- DDoS protection
2. Platform-Specific Security Measures
2.1 Serenity* AI Hub
- Model isolation and sandboxing
- Secure API endpoints
- Training data protection
- Model access controls
2.2 Serenity* Compliance
- Real-time compliance monitoring
- Automated policy enforcement
- Audit trail maintenance
- Regulatory reporting capabilities
2.3 Serenity* Health Research
- Healthcare data encryption
- HIPAA-compliant infrastructure
- Research data anonymization
- Secure data sharing protocols
2.4 Serenity* Nexus
- Enterprise-grade security
- Secure SSO integration
- Data loss prevention
- Workspace isolation
3. Data Protection Measures
3.1 Encryption
- Data at rest: AES-256
- Data in transit: TLS 1.2 / TLS 1.3
- Key management system
- Regular encryption updates
3.2 Data Backup and Recovery
- Automated backup systems
- Geographic redundancy
- Regular recovery testing
- Backup encryption
3.3 Data Minimization
- Purpose limitation controls
- Data retention policies
- Automated data cleanup
- Privacy by design implementation
4. Organizational Security Measures
4.1 Security Training
- Regular employee training
- Security awareness programs
- Phishing simulations
- Compliance education
4.2 Incident Response
- 24/7 security team
- Incident response plan
- Regular drills and updates
- Stakeholder communication protocols
4.3 Physical Security
- Data center security
- Office access controls
- CCTV monitoring
- Visitor management