skillklip-dpa-v1-2026-04-19

Data Processing Agreement

Source file: SkillKlip - DATA PROCESSING AGREEMENT.txt

DATA PROCESSING AGREEMENT (DPA)
Between: Peoplehive Consulting Sdn Bhd (the "Processor"), a company incorporated in Malaysia, provider of the SkillKlip platform
And: [Subscribing Organization Name] (the "Controller"), a company incorporated in [Country]
Collectively referred to as the "Parties"
RECITALS
A. The Controller has subscribed to the SkillKlip platform (the "Platform") pursuant to a Master Service Agreement or Terms and Conditions entered into between the Parties (the "Principal Agreement").
B. In the course of providing the Platform, the Processor will process personal data of the Controller's employees and authorized users on behalf of the Controller.
C. The Parties wish to set out in this Agreement the terms governing such processing, in compliance with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia and, where applicable, the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.
D. This Agreement supplements and forms part of the Principal Agreement. In the event of conflict between this Agreement and the Principal Agreement on data protection matters, this Agreement shall prevail.
PART 1 – DEFINITIONS
1.1 For the purposes of this Agreement:
"Applicable Data Protection Law" means the PDPA 2010, and where applicable, the GDPR and any other data protection or privacy legislation applicable in the Controller's jurisdiction.
"Controller" means the subscribing organization that determines the purposes and means of processing personal data of its employees and users through the Platform.
"Data Subject" means an identified or identifiable natural person whose personal data is processed; in this context, primarily the Controller's employees and authorized learner users.
"Personal Data" means any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Law.
"Processing" means any operation performed on personal data, including collection, recording, storage, use, analysis, transmission, and deletion.
"Processor" means Peoplehive Consulting Sdn Bhd, which processes personal data on behalf of the Controller in the course of providing the Platform.
"Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Security Incident" means any confirmed unauthorized access, disclosure, alteration, loss, or destruction of personal data.
PART 2 – SCOPE AND NATURE OF PROCESSING
2.1 Subject Matter. The Processor shall process personal data solely for the purpose of providing the SkillKlip Platform services to the Controller, as described in the Principal Agreement.
2.2 Duration. Processing shall commence on the effective date of the Principal Agreement and shall continue until termination of the subscription, after which data shall be handled in accordance with Part 8 of this Agreement.
2.3 Nature and Purpose of Processing. The Processor shall process personal data for the following specific purposes only:
* Authenticating and managing Learner User accounts;
* Processing uploaded video content using AI to generate learning modules, instructional content, and quiz assessments;
* Recording individual learner activity, quiz attempts, quiz scores, and module completion status;
* Generating HR analytics reports showing individual and organizational learning performance;
* Identifying competency gaps and supporting remediation assignment by the Controller's HR administrators;
* Providing technical support and security monitoring of the Platform.
2.4 Categories of Data Subjects.
* Employees of the Controller assigned as Learner Users;
* HR administrators and authorized Admin Users of the Controller;
* Any individual whose image or voice appears in video content uploaded by the Controller.
2.5 Categories of Personal Data Processed.
* Identity data: full name, work email address, employee ID, department, job role;
* Learning activity data: modules accessed, video viewing progress, time on task;
* Assessment data: quiz responses, scores per attempt, number of attempts, pass/fail status, dates;
* Completion and competency data: overall completion status, identified knowledge gaps, remediation records;
* Technical data: IP address, browser type, session data, access timestamps;
* Video content data: recordings uploaded by the Controller which may contain the image and voice of identifiable individuals.
2.6 Controller's Instructions. The Processor shall process personal data only on documented instructions from the Controller, as set out in this Agreement and the Principal Agreement. If the Processor is required by applicable law to process data beyond these instructions, it shall notify the Controller before doing so unless prohibited by law.
PART 3 – PROCESSOR OBLIGATIONS
3.1 Compliance with Instructions. The Processor shall process personal data only as instructed by the Controller and shall not process personal data for any purpose other than those described in Part 2 of this Agreement.
3.2 Confidentiality. The Processor shall ensure that all personnel authorized to process personal data under this Agreement are bound by appropriate confidentiality obligations and are aware of and trained on their data protection responsibilities.
3.3 Security Measures. The Processor shall implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, or alteration, including at minimum:
* Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
* Role-Based Access Control (RBAC) ensuring Processor personnel access personal data only on a need-to-know basis;
* Strict organizational account segregation ensuring no cross-organization data access;
* Audit logging of all internal access to Controller's employee performance data;
* Regular vulnerability assessments and penetration testing;
* Formal incident response and data breach management procedures.
3.4 Sub-processors. The Processor shall not engage any new sub-processor to process the Controller's personal data without providing prior written notice to the Controller. The Controller may object to a new sub-processor within 14 days of notice. If the Controller objects and the Processor cannot accommodate the objection, either Party may terminate the Principal Agreement with 30 days' written notice without penalty. The Processor shall impose data protection obligations on all sub-processors equivalent to those set out in this Agreement.
3.5 Current Sub-processors. The Controller acknowledges and approves the following categories of sub-processors engaged by the Processor as of the effective date of this Agreement:
Sub-processor Category | Purpose | Location
AI Model Providers | Video segmentation, content generation, quiz generation | United States (OpenAI & Gemini)
Cloud Infrastructure Providers | Hosting, storage, content delivery | United States / Singapore (AWS & Supabase)
Video Processing Services | Transcoding, streaming | Singapore (AWS)
Payment Processors | Subscription billing | Singapore (Stripe)
Analytics Providers | Anonymized platform usage analytics | Singapore (Google Analytics)
3.6 Assistance to Controller. The Processor shall provide reasonable assistance to the Controller in fulfilling the Controller's obligations under Applicable Data Protection Law, including:
* Responding to data subject rights requests directed to the Processor by the Controller's employees;
* Assisting with data protection impact assessments (DPIAs) to the extent they relate to the Processor's processing activities;
* Supporting the Controller in demonstrating compliance with security obligations.
3.7 No Sale of Data. The Processor shall not sell, rent, license, or transfer the Controller's personal data to any third party for commercial purposes under any circumstances.
3.8 AI Model Training Restriction. The Processor shall not use the Controller's uploaded video content, individual employee learning records, quiz responses, or any personally identifiable data to train, fine-tune, or improve its AI models without the prior written consent of the Controller.
PART 4 – CONTROLLER OBLIGATIONS
4.1 Lawful Basis. The Controller warrants that it has established and maintains a valid lawful basis under Applicable Data Protection Law for the processing of its employees' personal data through the Platform, including individual learning activity monitoring, quiz result recording, and HR performance reporting.
4.2 Employee Notification. The Controller warrants that it has informed, or will inform prior to granting Platform access, all Learner Users (employees) that:
* Their individual learning activity, quiz attempts, scores, and module completion status are recorded on the Platform;
* This data is visible to designated HR administrators within the organization;
* The purpose of this monitoring is internal learning management and competency development.
This notification shall be given in writing, whether through the organization's employment contract, HR policy, staff handbook, or a standalone written notice.
4.3 Data Accuracy. The Controller is responsible for the accuracy of personal data it provides to the Processor (e.g., employee names, email addresses, and role information).
4.4 Appropriate Use of Performance Data. The Controller warrants that it shall use individual employee learning performance data (including quiz scores and completion records) solely for legitimate learning management and competency development purposes. The Controller acknowledges that the use of such data as the sole basis for adverse employment decisions (including termination, demotion, or disciplinary action) may require a separate legal basis and HR process under Applicable Data Protection Law and employment law in the relevant jurisdiction.
4.5 Video Content Responsibility. The Controller warrants that it holds all necessary rights and consents for all video content uploaded to the Platform, including:
* The consent of identifiable individuals whose image and voice appear in uploaded videos;
* All necessary intellectual property licenses for any third-party content incorporated in uploaded videos.
4.6 Access Management. The Controller is responsible for managing user access within its organizational account, including promptly deactivating accounts of employees who leave the organization.
PART 5 – DATA SUBJECT RIGHTS
5.1 Where a Data Subject (e.g., an employee) submits a rights request directly to the Processor, the Processor shall:
* Notify the Controller within 5 business days of receiving the request;
* Not respond to the request directly without the Controller's authorization, except where required by law;
* Provide reasonable technical assistance to enable the Controller to respond to the request within the legally required timeframe (21 days under PDPA 2010; 30 days under GDPR, extendable by a further 2 months in complex cases).
5.2 The Controller is responsible for responding to data subject rights requests in relation to personal data processed through the Platform, as the Data Controller.
5.3 Supported rights requests the Processor shall technically facilitate include: access and data export; correction of account data; restriction of processing; and erasure (subject to applicable retention obligations and legal holds).
PART 6 – SECURITY INCIDENTS & BREACH NOTIFICATION
6.1 In the event of a confirmed or reasonably suspected Security Incident affecting the Controller's personal data, the Processor shall:
* Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident;
* Provide in the initial notification (to the extent known): a description of the nature of the incident; the categories and approximate number of data subjects affected; the categories and approximate volume of personal data records affected; and the likely consequences of the incident;
* Provide a full incident report within 7 calendar days of the initial notification, including: the measures taken and proposed to address the incident and mitigate its effects; and a root cause analysis.
6.2 The Controller is responsible for determining whether the incident requires notification to the relevant data protection authority or to affected data subjects under Applicable Data Protection Law, and for making such notifications.
6.3 The Processor shall cooperate fully with the Controller's incident response and any regulatory investigation arising from the incident.
PART 7 – INTERNATIONAL DATA TRANSFERS
7.1 The Processor may transfer personal data to countries outside Malaysia and, where applicable, outside the European Economic Area (EEA), solely as required to provide the Platform services through its approved sub-processors.
7.2 The Processor shall ensure that all international data transfers are protected by appropriate safeguards, including:
* Standard Contractual Clauses (SCCs) approved by the relevant data protection authority;
* Data Processing Agreements with sub-processors requiring equivalent data protection standards;
* Transfer Impact Assessments (TIAs) where required.
7.3 For GDPR-Subject Controllers: Where the Controller is subject to the GDPR, the Parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) are hereby incorporated by reference. For the purposes of the Annexes to the SCCs, the 'Technical and Organizational Measures' shall be those described in Part 3.3 of this DPA, and the 'Competent Supervisory Authority' shall be the authority in the Member State where the Controller is established.
PART 8 – DATA RETENTION AND DELETION
8.1 Upon termination of the Principal Agreement, or upon written instruction from the Controller, the Processor shall:
* Provide the Controller with a 30-day data export window during which all organizational data (including employee learning records, quiz results, and uploaded video content) may be exported in a machine-readable format;
* After the export window, permanently and irreversibly delete all personal data of the Controller from its systems, including from backups, within a further 30 days;
* Provide the Controller with a written Certificate of Deletion confirming that all personal data has been deleted, within 14 days of completion of deletion.
8.2 Notwithstanding the above, the Processor may retain personal data for longer periods where required by applicable law (e.g., billing records retained for 7 years under Malaysian financial regulations), provided that such retained data is stored securely with access strictly limited to those with a legal need.
8.3 The Processor shall maintain and make available to the Controller, on request, a written record of all categories of personal data held on the Controller's behalf.
PART 9 – AUDIT RIGHTS
9.1 The Controller shall have the right, upon at least 30 days' prior written notice, to conduct or commission an audit of the Processor's data processing activities and security measures relevant to the processing of the Controller's personal data, subject to:
* Audits being conducted during normal business hours;
* The Controller bearing its own audit costs;
* The auditor being subject to confidentiality obligations;
* No more than one audit per 12-month period, unless a Security Incident has occurred.
9.2 In lieu of a direct audit, the Processor may provide the Controller with a current third-party security certification (e.g., ISO 27001, SOC 2 Type II) or independent audit report, which the Controller may accept at its discretion as satisfying the audit right.
PART 10 – LIABILITY
10.1 Each Party shall be liable to the other for any material breach of this Agreement causing proven loss or damage.
10.2 Limitation of Liability: The Processor's total aggregate liability for all claims arising out of or related to this Agreement (including data protection breaches) shall be limited to the total amount of fees paid by the Controller in the twelve (12) months preceding the event giving rise to the claim. Under no circumstances shall the Processor be liable for uncapped or indirect damages, regardless of the nature of the claim.
10.3 Where a regulatory fine or penalty is imposed on either Party arising from a data protection breach, liability between the Parties shall be apportioned according to each Party's respective degree of fault.
PART 11 – GENERAL PROVISIONS
11.1 Governing Law. This Agreement is governed by the laws of Malaysia. Disputes shall be resolved in accordance with the dispute resolution clause in the Principal Agreement.
11.2 Order of Precedence. In the event of conflict between this Agreement and the Principal Agreement on data protection matters, this Agreement shall take precedence.
11.3 Amendments. This Agreement may only be amended by written agreement signed by authorized representatives of both Parties.
11.4 Severability. If any provision of this Agreement is found invalid or unenforceable, the remaining provisions shall continue in full force.
11.5 Entire Agreement. This Agreement, together with the Principal Agreement and any schedules, constitutes the entire agreement between the Parties relating to the processing of personal data.
SCHEDULE 1 – PROCESSING DETAILS SUMMARY
Element | Details
Subject matter | Provision of AI-powered video learning and employee assessment services
Duration | Duration of Principal Agreement subscription
Nature of processing | Collection, storage, AI analysis, assessment scoring, HR reporting, deletion
Purpose | Internal corporate learning management and employee competency tracking
Data subject categories | Employees (Learner Users), HR Administrators (Admin Users), individuals appearing in uploaded videos
Personal data categories | Identity, learning activity, assessment results, completion status, technical data, video content
Special categories of data | None anticipated; uploading organizations should ensure no special category data is included in videos
Retention period | As per Part 8 of this Agreement

SIGNATURES
For and on behalf of the Processor:
Name: _____________________________
Title: ______________________________
Signature: __________________________
Date: ______________________________
Company: Peoplehive Consulting Sdn Bhd
For and on behalf of the Controller:
Name: _____________________________
Title: ______________________________
Signature: __________________________
Date: ______________________________
Company: [Subscribing Organization Name]
Registration No.: ____________________
Country: ___________________________