Data Processing Agreement
Last updated: April 17, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between Huneety Learning Pte. Ltd. ("Processor," "Huneety") and the customer identified in the relevant Order Form ("Controller," "Customer") for the provision of the Service (together, the "Agreement").
This DPA reflects the parties' agreement on the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Singapore Personal Data Protection Act ("PDPA"), and other applicable data protection laws.
In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Agreement or in GDPR. For clarity:
"Personal Data" means any information processed by Huneety on behalf of Customer in connection with the Service that relates to an identified or identifiable natural person.
"Data Subject" means the individual to whom Personal Data relates, including Customer's employees, contractors, raters, and other users.
"Processing" has the meaning given in GDPR Article 4(2).
"Sub-processor" means any third party engaged by Huneety to process Personal Data on its behalf in connection with the Service.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914.
2. Roles and scope
2.1 Roles. Customer is the Controller of Personal Data. Huneety is the Processor and processes Personal Data on Customer's behalf and on Customer's documented instructions.
2.2 Customer instructions. The Agreement, this DPA, and Customer's configuration and use of the Service, together with any additional instructions Customer provides in writing from time to time, constitute Customer's complete documented instructions to Huneety. Any additional or alternative instructions must be agreed in writing.
2.3 Compliance. Each party will comply with its obligations under applicable data protection laws. Customer is responsible for the lawfulness of the Personal Data and the instructions it provides, including ensuring that all required notices have been given and consents obtained from Data Subjects.
3. Details of processing
The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data are set out in Annex 1.
4. Huneety obligations
4.1 Processing scope. Huneety will process Personal Data only on Customer's documented instructions and only as necessary to provide the Service, except where required by law (in which case Huneety will inform Customer of that legal requirement before processing, unless prohibited by law).
4.2 Confidentiality. Huneety will ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
4.3 Security. Huneety will implement and maintain the technical and organisational measures described in Annex 2 to ensure a level of security appropriate to the risk.
4.4 Assistance to Customer. Taking into account the nature of the processing and the information available to Huneety, Huneety will provide reasonable assistance to Customer in fulfilling Customer's obligations under data protection laws relating to:
(a) responses to Data Subject requests (Articles 12–22 GDPR);
(b) security of processing (Article 32 GDPR);
(c) personal data breach notifications (Articles 33 and 34 GDPR);
(d) data protection impact assessments and prior consultations (Articles 35 and 36 GDPR).
Huneety may charge a reasonable fee, at its then-current professional services rates, for assistance that requires significant engineering effort beyond the standard functionality of the Service.
4.5 Data Subject requests. If Huneety receives a request from a Data Subject in respect of Personal Data, Huneety will promptly forward the request to Customer and will not respond to the Data Subject directly, except to confirm receipt or as required by law.
5. Sub-processors
5.1 General authorisation. Customer grants Huneety general authorisation to engage Sub-processors to process Personal Data, subject to the conditions in this Section 5.
5.2 Current Sub-processors. The current list of Sub-processors is maintained by Huneety and provided to Customer on request.
5.3 New Sub-processors. Huneety will provide Customer with at least 15 days' prior notice by email to Customer's designated privacy or administrative contact before engaging a new Sub-processor that processes Personal Data. In the case of an emergency replacement (for example, a provider outage or a material security incident), notification will be provided as soon as reasonably practicable.
5.4 Right to object. Customer may object to a new Sub-processor on reasonable data protection grounds within 15 days of notice. The parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected portion of the Service on written notice, with a pro-rata refund of pre-paid fees for the unused portion of the term.
5.5 Sub-processor obligations. Huneety will impose, by written contract, data protection obligations on each Sub-processor that are no less protective than those in this DPA. Huneety remains liable to Customer for the acts and omissions of its Sub-processors as if they were its own.
6. International data transfers
6.1 Transfers. Personal Data may be transferred to and processed in countries outside the country of the Controller, including the locations identified in the current list of Sub-processors made available to Customer.
6.2 GDPR transfers. Where Personal Data subject to GDPR is transferred to a country that is not the subject of an adequacy decision, the parties agree that the Standard Contractual Clauses are incorporated by reference into this DPA as follows:
(a) Module 2 (Controller to Processor) applies where Customer is a controller of the Personal Data;
(b) Module 3 (Processor to Processor) applies where Customer is itself a processor on behalf of a third-party controller, and that controller has authorised Customer to use Huneety as a sub-processor;
(c) Module 4 (Processor to Controller) applies where Huneety processes Personal Data as a processor on behalf of Customer and returns Personal Data to Customer acting as a controller for its own purposes.
The optional docking clause (Clause 7) and the option for data subject objection (Clause 11(a)) apply. The governing law of the SCCs is the law of Ireland (Clause 17, Option 1). The forum for disputes is Ireland (Clause 18(b)). The competent supervisory authority for the purposes of Clause 13 is the Irish Data Protection Commission.
6.3 PDPA transfers. For Personal Data subject to PDPA, the parties agree that comparable contractual safeguards apply to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to PDPA.
6.4 UK transfers. Where the UK GDPR applies, the UK International Data Transfer Addendum to the SCCs is incorporated by reference.
7. Personal data breach
7.1 Notification. Huneety will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer's Personal Data.
7.2 Information. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
7.3 Cooperation. Huneety will cooperate with Customer's reasonable requests for further information and will support Customer's notification obligations to supervisory authorities and Data Subjects.
8. Audits
8.1 Audit rights. Customer may audit Huneety's compliance with this DPA no more than once per twelve-month period, and additionally as required by a competent supervisory authority or following a confirmed Personal Data breach.
8.2 Audit method. Huneety will satisfy audit requests by providing written responses to Customer's questionnaires and, where available, copies of relevant third-party security certifications, audit reports, or summaries.
8.3 On-site audits. On-site audits will be conducted on reasonable prior written notice, during normal business hours, in a manner that does not disrupt Huneety's operations or compromise the confidentiality or security of other customers' data. Each party will bear its own costs.
9. Return and deletion
9.1 During the term. Customer may export Personal Data through the Service at any time during the term.
9.2 On termination. Within 30 days of termination of the Agreement, Customer may export Personal Data through the Service. After that period, Huneety will delete all Personal Data, unless retention is required by applicable law.
9.3 Backups. Personal Data residing in routine backups will be deleted in accordance with Huneety's backup rotation cycle and will remain subject to the security and confidentiality obligations of this DPA until deleted.
10. Liability and term
10.1 Liability. Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement.
10.2 Term. This DPA takes effect on the effective date of the Agreement and continues for the duration of the Agreement and for as long as Huneety processes Personal Data on Customer's behalf.
10.3 Survival. Provisions intended by their nature to survive termination, including Sections 6, 7, 9, and 10, will survive. Section 8 (Audits) survives for twelve (12) months after termination, solely for the purpose of verifying Huneety's compliance with Section 9 (Return and deletion).
11. Special categories of personal data
The Service is not designed to process special categories of personal data within the meaning of GDPR Article 9 or sensitive personal data under PDPA. Customer is responsible for not submitting such data through the Service. If Customer submits special categories of personal data, Customer warrants that it has a valid legal basis under GDPR Article 9 (or equivalent under applicable law) for doing so and will indemnify Huneety against any claims arising from such submission.
12. Governing law
This DPA is governed by the law specified in the Agreement, except for the Standard Contractual Clauses, which are governed by the law specified in Section 6.2.
ANNEX 1 — DETAILS OF PROCESSING
Subject matter: Provision of the Huneety Learning competency assessment, skills analytics, and individual development planning platform.
Duration: For the duration of the Agreement, plus the periods specified in Section 9.
Nature and purpose of processing: Hosting, storage, transmission, retrieval, organisation, structuring, analysis, and AI-assisted generation of personal data submitted to the Service for the purpose of operating the platform features engaged by Customer.
Categories of Data Subjects
- Customer's authorised users (administrators, HR personnel, managers)
- Customer's employees and contractors who are subjects of competency assessments and development plans
- Raters and reviewers participating in 360-degree assessments
- Customer's prospective hires whose role profiles are processed in the platform
Categories of Personal Data
- Identification and contact data: name, email address, job title
- Organisational data: organisation name, department, country code, employee identifier, manager name and email
- Authentication data: hashed credentials, multi-factor authentication state, single sign-on identifiers
- Assessment data: competency ratings, 360-degree feedback responses, skills assessment results, observations and suggestions, strengths and weaknesses summaries
- Development plan data: individual development plans, career path history, plan comments
- AI interaction data: messages submitted to AI features, including pasted job descriptions and conversation history with the AI assistant
- Usage data: pages visited, features used, session duration, IP address, device and browser information
Special categories of personal data: None intended. See Section 11.
ANNEX 2 — TECHNICAL AND ORGANISATIONAL MEASURES
Huneety implements the following measures, described in further detail on the Security page.
Encryption
- TLS 1.2 or higher for all data in transit
- Encryption at rest for all customer databases and storage volumes
Access control
- Role-based access control with least-privilege principles
- Workspace-level data isolation enforced by database row-level security
- Multi-factor authentication for administrative accounts
- Single sign-on support via Google and Microsoft identity providers
- Restricted internal access to production systems on a need-to-know basis
Application security
- Strongly-typed input validation on all API endpoints
- Per-IP rate limiting on public endpoints
- Sanitised error responses to prevent information leakage
- Encrypted secret management; no credentials in source control
Infrastructure
- Hosting on managed providers with built-in DDoS protection
- Automated database backups with periodic restore testing
- Hardened deployment for the report generation service
Monitoring and response
- Centralised application and security event logging
- Audit trail for sensitive operations
- Documented incident response process
- Regular internal security reviews and dependency vulnerability monitoring
Data lifecycle
- Customer-initiated data export
- Data deletion on request and on termination, subject to backup rotation cycles
Last reviewed: April 17, 2026. For questions: contact@huneety.com