Data Processing Addendum
Last updated: 6/5/2026
Human Layer Lab Pte. Ltd. Last updated: 5 June 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Human Layer Lab Pte. Ltd. (UEN 202616831M) ("Processor", "Human Layer Lab") and the customer entity ("Controller") for the provision of the AI workforce design platform (the "Service").
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the Singapore PDPA, the Australian Privacy Act 1988, the New Zealand Privacy Act 2020, and the EU and UK GDPR where applicable.
"Supervisory Authority" means a regulator responsible for monitoring the application of Data Protection Laws.
2. Roles and Responsibilities
2.1 Controller
The Controller determines the purposes and means of processing, ensures a lawful basis for processing, responds to Data Subject requests, and maintains its own records of processing.
2.2 Processor
Human Layer Lab, as Processor:
- Processes Personal Data only on the Controller's documented instructions
- Ensures personnel are bound by confidentiality obligations
- Implements appropriate technical and organisational security measures
- Assists the Controller with Data Subject requests
- Deletes or returns Personal Data on termination
- Provides information reasonably necessary to demonstrate compliance
3. Processing Details
3.1 Subject Matter
Processing of Personal Data in connection with the provision of the AI workforce design platform.
3.2 Duration
Processing continues for the term of the service agreement plus any retention period required by law or agreed in writing.
3.3 Nature and Purpose
| Processing activity | Purpose |
|---|---|
| Account management | Authentication and access control |
| Data storage | Secure storage of customer data |
| Analysis | Producing workforce analysis and insights |
| AI processing | Processing inputs via third-party large language model APIs to generate analysis outputs. Customer data is never used to train AI models. |
| Reporting | Generating reports, documents, and exports |
| Optional connectors | Where the Controller enables them, measuring AI adoption from the Controller's own connected systems |
3.4 Categories of Data Subjects
- The Controller's employees and administrators
- Workforce members described in the Controller's data
- Third-party contacts provided by the Controller
3.5 Categories of Personal Data
The Controller decides what Personal Data to put into the Service. Some categories are processed to operate an account and the Service; others are provided at the Controller's option, and the Service operates without them.
Processed to operate the Service:
- Contact information (name, email) for users who access the Service
- Account and profile information (role, preferences)
- Usage and technical data (platform interactions, device and browser information, IP address and approximate location, session activity)
- Billing and payment information
Provided at the Controller's option:
- Workforce and role information, uploaded documents, and knowledge base content the Controller adds
- Content of agent conversations entered by the Controller's users
- Individual usage data from connected systems, only where the Controller enables optional connectors
- Salary or compensation data, only where the Controller opts to provide it
The optional categories are not required for the Service to function, and the Service operates without them.
3.6 Special Categories
Human Layer Lab does not process special categories of Personal Data unless explicitly instructed by the Controller with appropriate safeguards. Salary and compensation data are not collected by default. Where the Controller chooses to provide them, they are processed only to support the analysis features the Controller has enabled, and the Service operates fully without them.
4. Controller Instructions
The Processor processes Personal Data only in accordance with this DPA, the service agreement, and the Controller's written instructions. If the Processor believes an instruction infringes Data Protection Laws, it will promptly inform the Controller. Additional instructions requiring significant changes to processing may be subject to additional fees.
5. Use of Data for AI Training (Prohibited)
The Processor does not use Controller Personal Data, or any anonymised or aggregated derivative of it, to train, fine-tune, or otherwise develop AI models. The Processor does not opt in to any Sub-processor training models on data processed through their APIs, and does not share Controller Personal Data with any third party for AI model training.
6. Security Measures
6.1 Technical Measures
- Encryption in transit (TLS) and at rest
- Role-based access control
- Authentication via a managed identity provider, supporting passwordless sign-in and single sign-on
- Append-only audit logging with a minimum 12-month retention
- Network and infrastructure security provided by the Processor's hosting and infrastructure sub-processors
6.2 Organisational Measures
- Information security policies and procedures
- Staff security awareness
- Access limited to personnel who require it
- Incident response procedures
- Regular security review
6.3 SOC 2
The Processor is working toward a SOC 2 Type II report and is progressing through the audit process with its compliance and audit partners. The Processor's security program is built to the SOC 2 Trust Services Criteria. Current security documentation and the roadmap are available on request under NDA. The Processor does not currently hold a completed SOC 2 report.
7. Sub-processors
7.1 Current Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic | AI processing (large language models) | United States |
| OpenAI | AI processing (large language models) | United States |
| AI processing (large language models) | United States | |
| Perplexity | Research and data enrichment | United States |
| Tavily | Web search and retrieval | United States |
| Render | Application hosting (web and worker) | United States |
| Neon | Database | United States |
| Upstash | Cache and session storage | United States |
| Cloudflare | File storage | United States / global edge |
| Temporal Cloud | Workflow orchestration | United States |
| PostHog | Product analytics and session replay | United States |
| WorkOS | Authentication | United States |
| Resend | Transactional email | United States |
| Stripe | Billing and payments | United States |
No Sub-processor is authorised to use Controller Personal Data to train AI models.
7.2 Authorisation
The Controller provides general authorisation for the Processor to engage Sub-processors for the provision of the Service, subject to this section.
7.3 Changes to Sub-processors
The Processor maintains a current list of Sub-processors and makes it available to the Controller on request. The Processor will provide notice of changes to the list as required by applicable Data Protection Laws.
7.4 Sub-processor Obligations
Each Sub-processor is engaged under its own standard terms, including the Sub-processor's own data protection terms. The Processor remains responsible for its Sub-processors' performance of the services they provide.
8. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, and objection). The Processor will respond to assistance requests within a reasonable time and in any event within 10 business days. Assistance beyond reasonable levels may be subject to additional fees.
9. Personal Data Breach
9.1 Notification
The Processor will notify the Controller of a Personal Data breach affecting Controller Personal Data without undue delay, and in any event no later than 72 hours after becoming aware of it.
9.2 Content
Notifications will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and the measures taken or proposed.
9.3 Cooperation
The Processor will cooperate with the Controller's investigation and remediation, providing further information as reasonably requested.
10. Data Protection Impact Assessments
On request, the Processor will provide reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities.
11. Audits
The Controller may verify the Processor's compliance with this DPA on reasonable notice (minimum 30 days), during business hours, no more than once per year unless a breach has occurred, and at the Controller's expense. The Processor may satisfy audit requests by providing third-party assessments and compliance reports (including its SOC 2 report once available). Audit findings are confidential.
12. International Transfers
Where the Processor transfers Personal Data across borders, it applies appropriate contractual safeguards so that the data receives a comparable standard of protection, consistent with the Singapore PDPA, the Australian Privacy Principles, and the New Zealand Privacy Act 2020. If the Controller's Personal Data is subject to the EU or UK GDPR, the parties will put the appropriate transfer mechanisms (such as Standard Contractual Clauses and the UK Addendum) in place.
13. Return and Deletion
On request following termination of the service agreement, the Processor will, at the Controller's choice, return Personal Data in a commonly used format or delete it, and will complete the requested return or deletion within 30 days, except where retention is required by law. Absent such a request, the Processor retains Personal Data for as long as needed to provide the Service and to meet legal and operational requirements. On request, the Processor will certify deletion in writing.
14. Liability
Liability under this DPA is subject to the limitations set out in the main service agreement.
15. Governing Law
This DPA is governed by the laws of Singapore, except that for matters subject to the GDPR the relevant provisions of Data Protection Laws apply. In the event of conflict between this DPA and the service agreement on matters of data protection, this DPA prevails.
16. Contact
Human Layer Lab Pte. Ltd. Contact: team@humanlayerlab.com
By using the Service, the Controller agrees to the terms of this Data Processing Addendum.



