Data Processing Addendum

Last updated: 6/5/2026

Human Layer Lab Pte. Ltd. Last updated: 5 June 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Human Layer Lab Pte. Ltd. (UEN 202616831M) ("Processor", "Human Layer Lab") and the customer entity ("Controller") for the provision of the AI workforce design platform (the "Service").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the Singapore PDPA, the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, and the EU and UK GDPR where applicable.

"Supervisory Authority" means a regulator responsible for monitoring the application of Data Protection Laws.

2. Roles and Responsibilities

2.1 Controller

The Controller determines the purposes and means of processing, ensures a lawful basis for processing, responds to Data Subject requests, and maintains its own records of processing.

2.2 Processor

Human Layer Lab, as Processor:

  • Processes Personal Data only on the Controller's documented instructions
  • Ensures personnel are bound by confidentiality obligations
  • Implements appropriate technical and organisational security measures
  • Assists the Controller with Data Subject requests
  • Deletes or returns Personal Data on termination
  • Provides information reasonably necessary to demonstrate compliance

3. Processing Details

3.1 Subject Matter

Processing of Personal Data in connection with the provision of the AI workforce design platform.

3.2 Duration

Processing continues for the term of the service agreement plus any retention period required by law or agreed in writing.

3.3 Nature and Purpose

Processing activityPurpose
Account managementAuthentication and access control
Data storageSecure storage of customer data
AnalysisProducing workforce analysis and insights
AI processingProcessing inputs via third-party large language model APIs to generate analysis outputs. Customer data is never used to train AI models.
ReportingGenerating reports, documents, and exports
Optional connectorsWhere the Controller enables them, measuring AI adoption from the Controller's own connected systems

3.4 Categories of Data Subjects

  • The Controller's employees and administrators
  • Workforce members described in the Controller's data
  • Third-party contacts provided by the Controller

3.5 Categories of Personal Data

The Controller decides what Personal Data to put into the Service. Some categories are processed to operate an account and the Service; others are provided at the Controller's option, and the Service operates without them.

Processed to operate the Service:

  • Contact information (name, email) for users who access the Service
  • Account and profile information (role, preferences)
  • Usage and technical data (platform interactions, device and browser information, IP address and approximate location, session activity)
  • Billing and payment information

Provided at the Controller's option:

  • Workforce and role information, uploaded documents, and knowledge base content the Controller adds
  • Content of agent conversations entered by the Controller's users
  • Individual usage data from connected systems, only where the Controller enables optional connectors
  • Salary or compensation data, only where the Controller opts to provide it

The optional categories are not required for the Service to function, and the Service operates without them.

3.6 Special Categories

Human Layer Lab does not process special categories of Personal Data unless explicitly instructed by the Controller with appropriate safeguards. Salary and compensation data are not collected by default. Where the Controller chooses to provide them, they are processed only to support the analysis features the Controller has enabled, and the Service operates fully without them.

4. Controller Instructions

The Processor processes Personal Data only in accordance with this DPA, the service agreement, and the Controller's written instructions. If the Processor believes an instruction infringes Data Protection Laws, it will promptly inform the Controller. Additional instructions requiring significant changes to processing may be subject to additional fees.

5. Use of Data for AI Training (Prohibited)

The Processor does not use Controller Personal Data, or any anonymised or aggregated derivative of it, to train, fine-tune, or otherwise develop AI models. The Processor does not opt in to any Sub-processor training models on data processed through their APIs, and does not share Controller Personal Data with any third party for AI model training.

6. Security Measures

6.1 Technical Measures

  • Encryption in transit (TLS) and at rest
  • Role-based access control
  • Authentication via a managed identity provider, supporting passwordless sign-in and single sign-on
  • Append-only audit logging with a minimum 12-month retention
  • Network and infrastructure security provided by the Processor's hosting and infrastructure sub-processors

6.2 Organisational Measures

  • Information security policies and procedures
  • Staff security awareness
  • Access limited to personnel who require it
  • Incident response procedures
  • Regular security review

6.3 SOC 2

The Processor is working toward a SOC 2 Type II report and is progressing through the audit process with its compliance and audit partners. The Processor's security program is built to the SOC 2 Trust Services Criteria. Current security documentation and the roadmap are available on request under NDA. The Processor does not currently hold a completed SOC 2 report.

7. Sub-processors

7.1 Current Sub-processors

Sub-processorPurposeRegion
AnthropicAI processing (large language models)United States
OpenAIAI processing (large language models)United States
GoogleAI processing (large language models)United States
PerplexityResearch and data enrichmentUnited States
TavilyWeb search and retrievalUnited States
RenderApplication hosting (web and worker)United States
NeonDatabaseUnited States
UpstashCache and session storageUnited States
CloudflareFile storageUnited States / global edge
Temporal CloudWorkflow orchestrationUnited States
PostHogProduct analytics and session replayUnited States
WorkOSAuthenticationUnited States
ResendTransactional emailUnited States
StripeBilling and paymentsUnited States

No Sub-processor is authorised to use Controller Personal Data to train AI models.

7.2 Authorisation

The Controller provides general authorisation for the Processor to engage Sub-processors for the provision of the Service, subject to this section.

7.3 Changes to Sub-processors

The Processor maintains a current list of Sub-processors and makes it available to the Controller on request. The Processor will provide notice of changes to the list as required by applicable Data Protection Laws.

7.4 Sub-processor Obligations

Each Sub-processor is engaged under its own standard terms, including the Sub-processor's own data protection terms. The Processor remains responsible for its Sub-processors' performance of the services they provide.

8. Data Subject Rights

The Processor will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, and objection). The Processor will respond to assistance requests within a reasonable time and in any event within 10 business days. Assistance beyond reasonable levels may be subject to additional fees.

9. Personal Data Breach

9.1 Notification

The Processor will notify the Controller of a Personal Data breach affecting Controller Personal Data without undue delay, and in any event no later than 72 hours after becoming aware of it.

9.2 Content

Notifications will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and the measures taken or proposed.

9.3 Cooperation

The Processor will cooperate with the Controller's investigation and remediation, providing further information as reasonably requested.

10. Data Protection Impact Assessments

On request, the Processor will provide reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities.

11. Audits

The Controller may verify the Processor's compliance with this DPA on reasonable notice (minimum 30 days), during business hours, no more than once per year unless a breach has occurred, and at the Controller's expense. The Processor may satisfy audit requests by providing third-party assessments and compliance reports (including its SOC 2 report once available). Audit findings are confidential.

12. International Transfers

Where the Processor transfers Personal Data across borders, it applies appropriate contractual safeguards so that the data receives a comparable standard of protection, consistent with the Singapore PDPA, the Australian Privacy Principles, and the New Zealand Privacy Act 2020. If the Controller's Personal Data is subject to the EU or UK GDPR, the parties will put the appropriate transfer mechanisms (such as Standard Contractual Clauses and the UK Addendum) in place.

13. Return and Deletion

On request following termination of the service agreement, the Processor will, at the Controller's choice, return Personal Data in a commonly used format or delete it, and will complete the requested return or deletion within 30 days, except where retention is required by law. Absent such a request, the Processor retains Personal Data for as long as needed to provide the Service and to meet legal and operational requirements. On request, the Processor will certify deletion in writing.

14. Liability

Liability under this DPA is subject to the limitations set out in the main service agreement.

15. Governing Law

This DPA is governed by the laws of Singapore, except that for matters subject to the GDPR the relevant provisions of Data Protection Laws apply. In the event of conflict between this DPA and the service agreement on matters of data protection, this DPA prevails.

16. Contact

Human Layer Lab Pte. Ltd. Contact: team@humanlayerlab.com

By using the Service, the Controller agrees to the terms of this Data Processing Addendum.

We use cookies to improve your experience and analyze traffic.