KINOBI AI DATA PROCESSING ADDENDUM (“DPA”)

DPA Version: January 02, 2026

This Data Processing Addendum (“DPA”) forms part of the Master Subscription and Services Agreement (the “Agreement”) between HelloMrKinobi Pte. Ltd. (“Kinobi AI”) and Customer. This DPA applies to the extent Kinobi AI processes Personal Information on behalf of Customer in connection with the Services.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail solely with respect to the processing of Personal Information.

Table of Contents

1. Definitions
2. Roles of the Parties
3. Scope and Purpose of Processing
4. Customer Obligations
5. Kinobi AI Obligations
6. Information Security
7. Sub-Processors
8. Cross-Border Transfers
9. Data Subject Rights
10. Security Incidents
11. Audit and Information Rights
12. Data Retention and Deletion
13. Privacy Contact
14. Limitation of Liability
15. Governing Law
16. Order of Precedence
    Schedule A – Description of Processing

1. DEFINITIONS: 

Unless otherwise defined in this DPA, capitalised terms have the meanings set out in the Agreement. “Personal Information” means any information relating to an identified or identifiable individual, including information defined as “personal data” or “personal information” under applicable data protection laws, including the Singapore Personal Data Protection Act 2012 (“PDPA”), GDPR (where applicable), and ISO/IEC 27018. “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means. “Data Protection Laws” means all applicable laws and regulations relating to privacy or data protection, including PDPA and, where applicable, GDPR.

2. ROLES OF THE PARTIES: 

Customer is the data controller (or equivalent role under applicable law). Kinobi AI is the data processor, processing Personal Information solely on documented instructions from Customer and in accordance with this DPA.

3. SCOPE AND PURPOSE OF PROCESSING: 

Kinobi AI shall process Personal Information solely for the purpose of providing, operating, maintaining, securing, and supporting the Services, and for no other purpose except as required by applicable law. The nature, categories, and volume of Personal Information processed depend on Customer’s configuration and use of the Services.

4. CUSTOMER OBLIGATIONS: 

Customer represents and warrants that: (a) it has obtained all necessary consents, notices, and lawful bases required under Data Protection Laws to provide Personal Information to Kinobi AI; (b) its instructions to Kinobi AI comply with Data Protection Laws; and (c) it shall not instruct Kinobi AI to process Personal Information in a manner that violates applicable law. Customer remains solely responsible for determining the purposes and means of processing.

5. KINOBI AI OBLIGATIONS: 

Kinobi AI shall: (a) process Personal Information only in accordance with Customer’s documented instructions and this DPA; (b) ensure that personnel authorised to process Personal Information are subject to confidentiality obligations; (c) implement appropriate administrative, technical, and organisational safeguards; and (d) not disclose Personal Information to third parties except as permitted under this DPA or required by law.

6. INFORMATION SECURITY: 

Kinobi AI shall maintain an information security programme aligned with generally accepted industry standards, including the principles of ISO/IEC 27001, ISO/IEC 27018, and SOC 2. Security measures may include, as appropriate, access controls, encryption in transit, monitoring and logging, incident management, and personnel security training. Kinobi AI does not warrant that its security measures are infallible.

7. SUB-PROCESSORS: 

Customer authorises Kinobi AI to engage affiliates and third-party sub-processors to process Personal Information for the purpose of providing the Services. Kinobi AI shall ensure that such sub-processors are subject to written obligations that are no less protective than those set out in this DPA. A list of material sub-processors may be made available upon reasonable request.

8. CROSS-BORDER TRANSFERS: 

Customer acknowledges that Personal Information may be processed or stored outside the country from which it was collected, including in Singapore and other jurisdictions where Kinobi AI or its sub-processors operate. Kinobi AI shall ensure that such transfers are subject to appropriate safeguards as required by applicable Data Protection Laws.

9. DATA SUBJECT RIGHTS: 

To the extent required by Data Protection Laws, Kinobi AI shall provide reasonable assistance to Customer to enable Customer to respond to requests from individuals to exercise their rights relating to Personal Information. Where permitted by law, Kinobi AI may charge a reasonable fee for such assistance.

10. SECURITY INCIDENTS: 

Kinobi AI shall notify Customer without undue delay upon becoming aware of a confirmed unauthorised access to or disclosure of Personal Information. Such notification shall include information reasonably available regarding the nature of the incident and remedial actions taken or planned. Customer remains responsible for regulatory and individual notifications unless otherwise required by applicable law.

11. AUDIT AND INFORMATION RIGHTS: 

Upon reasonable written request, Kinobi AI shall make available information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications, summaries of audit reports, or other compliance documentation. Customer shall not have the right to conduct on-site audits of Kinobi AI’s systems, except where required by applicable law.

12. DATA RETENTION AND DELETION: 

Upon termination or expiration of the Services, Kinobi AI shall delete or return Personal Information in accordance with the Agreement, unless retention is required by law or for legitimate backup, security, or compliance purposes. Aggregated or de-identified data may be retained.

13. PRIVACY CONTACT: 

Kinobi AI shall maintain a designated data protection officer (“DPO”) or privacy contact responsible for overseeing compliance with applicable Data Protection Laws and handling privacy-related inquiries. Customer may contact Kinobi AI regarding Personal Information or data protection matters via the contact details made available in the Services documentation or on Kinobi AI’s website.

14. LIMITATION OF LIABILITY: 

The liability of each Party arising out of or relating to this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA increases Kinobi AI’s liability beyond what is expressly stated in the Agreement.

15. GOVERNING LAW: 

This DPA shall be governed by and construed in accordance with the laws governing the Agreement.

16. ORDER OF PRECEDENCE: 

In the event of a conflict between documents, the following order of precedence shall apply solely with respect to the processing of Personal Information: 1. this DPA; 2. the Agreement; and 3. any Order Form.

SCHEDULE A – DESCRIPTION OF PROCESSING

This Schedule A is provided for informational and procurement purposes only and shall not apply unless expressly incorporated by reference.

A. Categories of Data Subjects: 

Depending on Customer’s use of the Services, data subjects may include: students, mentees, learners; alumni (if enabled by Customer); mentors and programme participants; Customer employees, administrators, and staff, and; employer representatives or external partners

B. Categories of Personal Information:

Depending on Customer configuration, Personal Information may include: names, usernames, contact details; institutional identifiers (e.g. student or employee ID); programme participation data; internship, application, or mentoring records; communications and activity logs, and; authentication and access data. Kinobi AI does not intentionally require sensitive personal data unless expressly configured by Customer.

C. Purpose of Processing: 

Provision, operation, and support of the Services; user authentication and access management; programme administration and reporting, and; system security, monitoring, and compliance.

D. Nature of Processing: 

Collection, storage, organisation; access, use, transmission, and; deletion or anonymisation upon request or termination.

E. Retention: 

Personal Information is retained in accordance with the Agreement and Customer instructions, subject to applicable law and legitimate backup or compliance requirements.

F. Indicative Data Sensitivity Classification: (Informational only; non-binding) 

For purposes of risk assessment and implementation of proportionate safeguards under applicable Data Protection Laws (including PDPA), Personal Information processed through the Services may generally fall into the following indicative categories, depending on Customer configuration and use:

1. Low Sensitivity Personal Information: Names and usernames; institutional email addresses, and; publicly available profile information
2. Moderate Sensitivity Personal Information: Student or user identification numbers; programme participation records; mentoring or internship application data, and; communications and activity logs.
3. Higher Sensitivity Personal Information: Government-issued identifiers (where provided by Customer), and; records relating to individual performance, assessments, or feedback

Kinobi AI does not intentionally process sensitive personal data (such as health, biometric, or financial information) unless expressly configured by Customer. This classification is provided for informational and risk-assessment purposes only and does not modify or expand Kinobi AI’s obligations under the Agreement or this DPA.