Legal

Data Processing Agreement

Operated by Kynect Pte. Ltd. (trading as Grevon) — Version date: 9 June 2026

Operated by Kynect Pte. Ltd. (Grevon)  ·  Version date: 9 June 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Grevon Terms of Service between Kynect Pte. Ltd. (trading as Grevon) and the Customer. It governs the processing of personal data by Grevon on the Customer's behalf in connection with the Services. By accepting the Terms of Service, the Customer also agrees to this DPA.

1. Background and Structure

1.1 Kynect Pte. Ltd. (UEN 202555619W), a company incorporated in Singapore with its registered office at 8 Marina Boulevard, #29-01, Marina Bay Financial Centre, Singapore 018981, trading as Grevon ("Grevon", "Processor"), provides the Services to the Customer ("Controller") under the Terms of Service.

1.2 In providing the Services, Grevon processes personal data on the Customer's behalf. This DPA sets out the terms on which Grevon does so, as required by applicable Data Protection Laws including the EU GDPR, UK GDPR, Singapore PDPA, Australian Privacy Act, US state privacy laws, and other applicable legislation.

1.3 This DPA is incorporated into the Terms of Service and forms part of the Agreement. In the event of any inconsistency between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails.

1.4 The Annexes form part of this DPA. Annex 1 sets out the details of processing. Annex 2 sets out technical and organisational security measures. Annex 3 sets out international transfer mechanisms.

2. Definitions and Interpretation

2.1 In this DPA:

2.2 Capitalised terms not defined in this DPA have the meanings given in the Terms of Service or applicable Data Protection Laws.

3. Roles of the Parties and Scope

3.1 Processor appointment. The Customer appoints Grevon as its Processor for the processing activities described in Annex 1. Where Grevon engages Sub-processors, those Sub-processors are appointed as sub-processors of the Customer.

3.2 Independent controller processing. Grevon acts as an independent Controller for personal data it processes for its own purposes, including account management, billing, fraud prevention, and security — as described in Grevon's Privacy Policy. This DPA does not apply to such independent controller processing.

3.3 Customer's obligations as Controller. The Customer is responsible for: (a) determining the lawful basis for the processing activities instructed under this DPA; (b) providing adequate privacy notices to Data Subjects; (c) ensuring it has the right to transfer or make available Personal Data to Grevon; and (d) complying with its obligations as Controller under applicable Data Protection Laws.

3.4 Processing on instructions. Grevon will process Personal Data only on the documented instructions of the Customer (including as set out in this DPA, the Terms of Service, and any written instructions given during the term). If Grevon is required by applicable law to process Personal Data other than in accordance with the Customer's instructions, Grevon will notify the Customer before doing so, unless prohibited from doing so by law.

4. Details of Processing

4.1 The subject matter, duration, nature, purposes, categories of Data Subjects, and categories of Personal Data processed under this DPA are described in Annex 1.

4.2 Grevon will not process Personal Data for any purpose other than as described in Annex 1 and the Terms of Service, or as otherwise instructed in writing by the Customer. Grevon will not sell Personal Data or use it to serve advertising.

5. Confidentiality

5.1 Grevon will ensure that personnel authorised to process Personal Data are subject to binding obligations of confidentiality (whether contractual or statutory) and receive appropriate data protection training.

5.2 Grevon will restrict access to Personal Data to personnel who need access to provide the Services, and will implement role-based access controls to enforce this restriction.

6. Security

6.1 Grevon will implement and maintain appropriate technical and organisational measures ("TOMs") to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.

6.2 Grevon's current TOMs are set out in Annex 2. Grevon may update the TOMs over time provided the overall level of security is not materially diminished.

6.3 The Customer is responsible for implementing appropriate security measures with respect to its own systems, applications, and Authorised Users' access to the Services.

7. Sub-processing

7.1 General authorisation. The Customer grants Grevon general authorisation to engage Sub-processors to assist in providing the Services. Grevon's current Sub-processors are listed at grevon.ai/subprocessors.

7.2 Sub-processor obligations. Grevon will impose data protection obligations on each Sub-processor that are materially equivalent to those in this DPA. Grevon remains responsible for the acts and omissions of its Sub-processors to the same extent as if it performed the processing itself.

7.3 Changes to Sub-processors. Grevon will provide the Customer with at least 14 days' prior written notice of any intended addition or replacement of Sub-processors by updating the Sub-processor list. The Customer may object in writing within 14 days of notification on reasonable and documented data protection grounds. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Services on written notice without penalty, subject to receiving a pro-rata refund of prepaid Fees.

7.4 Grevon Affiliates. The Customer acknowledges that Grevon's affiliated entities may act as Sub-processors. Grevon's affiliated sub-processors are included in the Sub-processor list.

8. Data Subject and Consumer Rights

8.1 Grevon will provide the Customer with reasonable technical and organisational assistance to enable the Customer to respond to requests from Data Subjects (or, under applicable US state laws, consumers) exercising their rights under Data Protection Laws, including rights of access, correction, deletion, restriction, portability, and objection.

8.2 Where a Data Subject submits a request directly to Grevon in connection with Personal Data processed on the Customer's behalf, Grevon will promptly notify the Customer and will not respond to the Data Subject except to direct them to the Customer (unless otherwise required by law).

8.3 The Customer is responsible for responding to Data Subject requests and for determining whether the requested action is appropriate and lawful.

9. Security Incident Notification

9.1 Grevon will notify the Customer without undue delay, and where feasible within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA.

9.2 The notification will include, to the extent known at the time: (a) a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects affected and records involved; (b) contact details for Grevon's privacy team; (c) the likely consequences; and (d) measures taken or proposed to address the Security Incident and, where applicable, to mitigate its effects.

9.3 Grevon will provide further information as it becomes available and will cooperate with the Customer in its response. Notification of a Security Incident by Grevon does not constitute an admission of fault or liability.

9.4 The Customer is responsible for notifying Supervisory Authorities and Data Subjects where required by Data Protection Laws.

10. Data Protection Impact Assessments and Prior Consultation

10.1 Where required by applicable Data Protection Laws, Grevon will provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) relating to the processing activities under this DPA.

10.2 Grevon will provide reasonable assistance to the Customer in connection with any prior consultation with a Supervisory Authority required as a result of a DPIA.

11. International Transfers

11.1 Grevon's transfer mechanisms are set out in Annex 3. Where Grevon transfers Personal Data in a Restricted Transfer, it will do so using an appropriate transfer mechanism under applicable Data Protection Laws.

11.2 EU/EEA transfers. Where Personal Data protected by the EU GDPR is subject to a Restricted Transfer, the parties agree that the EU SCCs (Controller-to-Processor module) are incorporated into this DPA by reference and form part of the Agreement. The details required to complete the EU SCCs are set out in Annex 3.

11.3 UK transfers. Where Personal Data protected by the UK GDPR is subject to a Restricted Transfer, the UK IDTA is incorporated into this DPA. The information required to complete the IDTA is set out in Annex 3.

11.4 Swiss transfers. For Personal Data subject to Swiss data protection law that is transferred to countries without adequate protection, Grevon will apply equivalent safeguards, with the relevant adaptations as required under Swiss law.

11.5 The Customer warrants that any Personal Data it transfers to Grevon from a jurisdiction with data export restrictions has an appropriate lawful basis for transfer.

12. Jurisdiction-Specific Provisions

12.1 Singapore PDPA. To the extent that the Singapore Personal Data Protection Act 2012 (as amended) applies to the processing of Personal Data under this DPA, Grevon will process such data in accordance with the PDPA and will implement the data protection policies and practices required under the PDPA. Grevon will notify the Customer of a data breach affecting Singapore Personal Data in accordance with the mandatory breach notification requirements of the PDPA.

12.2 Australian Privacy Act. To the extent that the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") apply, Grevon will handle Personal Data in accordance with the APPs. Grevon will assist the Customer in responding to complaints made under the APPs and will cooperate with the Office of the Australian Information Commissioner as required.

12.3 US state laws. To the extent applicable US state privacy laws (including the CCPA/CPRA) apply to the Customer's processing, Grevon agrees to the following: (a) Grevon is a "service provider" or "processor" within the meaning of such laws and processes Personal Data only for the business purposes set out in this DPA; (b) Grevon will not sell Personal Data or share it for cross-context behavioural advertising; (c) Grevon will notify the Customer if it determines it can no longer comply with the applicable law; and (d) Grevon will assist the Customer in meeting its obligations regarding consumer rights requests, opt-out signals, and other requirements under applicable US state privacy laws.

12.4 Other jurisdictions. Where the Customer is subject to data protection laws of other jurisdictions not specifically addressed above, the parties will cooperate in good faith to comply with those applicable requirements.

13. Return or Deletion of Data

13.1 Upon the termination or expiry of the Terms of Service, Grevon will, at the Customer's written election: (a) return to the Customer a copy of all Personal Data in a commonly used, machine-readable format; or (b) securely delete or destroy all Personal Data processed on the Customer's behalf, including copies held by Sub-processors. Grevon will carry out the return or deletion within 30 days of the Customer's election and will confirm completion in writing.

13.2 If the Customer does not make an election within 30 days of termination, Grevon will securely delete the Personal Data.

13.3 Grevon may retain Personal Data beyond the period in clauses 13.1–13.2 to the extent required: (a) by applicable law; (b) for the establishment, exercise, or defence of legal claims (for no longer than reasonably necessary and ordinarily no more than two years, extended only until a relevant claim is resolved); or (c) in routine encrypted back-up systems that are subject to automatic deletion on a rolling basis. Grevon will continue to protect any such retained data in accordance with this DPA.

14. Audits and Information

14.1 Grevon will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including the information set out in Annexes 1 and 2.

14.2 Grevon will allow for and contribute to audits (including inspections) conducted by the Customer or an independent auditor mandated by the Customer, subject to: (a) at least 30 days' prior written notice (except where required by a Supervisory Authority on shorter notice); (b) no more than one audit per calendar year unless a Supervisory Authority requires otherwise or there is a reasonable basis to suspect material non-compliance; (c) the auditor being bound by confidentiality obligations acceptable to Grevon; and (d) the audit being conducted during normal business hours and in a manner that minimises disruption.

14.3 Grevon may satisfy an audit request by providing the Customer with current third-party certifications or audit reports (such as SOC 2 Type II reports) covering the relevant period and scope, in lieu of an on-site audit. If the Customer reasonably considers the certifications or reports insufficient, the parties will agree on additional steps.

14.4 The Customer will bear its own costs of any audit and Grevon's reasonable costs of assisting with the audit.

15. Liability

15.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service, to the extent permitted by applicable Data Protection Laws.

15.2 Nothing in this DPA limits a party's liability to Data Subjects or to Supervisory Authorities under applicable Data Protection Laws.

15.3 Where a Data Subject obtains compensation from Grevon for damage caused by a breach of Data Protection Laws attributable to the Customer, the Customer will indemnify Grevon for the portion of compensation corresponding to the Customer's responsibility for the damage, in accordance with the indemnification provisions of the Terms of Service.

16. General

16.1 Duration. This DPA is effective from the date the Customer first accepts the Terms of Service and continues until the later of: (a) termination or expiry of the Terms of Service; or (b) the date on which Grevon has completed all return or deletion obligations under clause 13.

16.2 Entire agreement. This DPA (including its Annexes) constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements relating to the processing of Personal Data under the Terms of Service.

16.3 Precedence. In the event of conflict between this DPA and any incorporated SCCs or other transfer mechanisms, the SCCs or transfer mechanisms prevail with respect to the subject matter they govern.

16.4 Governing law. This DPA is governed by the laws of the Republic of Singapore, without prejudice to the mandatory application of any other governing law required by applicable Data Protection Laws (including the law of the EU or UK to the extent required under the applicable SCCs or IDTA).

16.5 Amendments. Grevon may update this DPA from time to time to reflect changes in Data Protection Laws or its processing activities. Grevon will provide reasonable notice of material changes. Where an update is required to comply with applicable law, it may take effect immediately on notice.

16.6 Contact. For DPA-related enquiries, please contact Grevon's privacy team at privacy@grevon.ai. Customers requiring a countersigned DPA for their records may request one through their account manager.

Annex 1 — Details of Processing

Item Details
Controller (Customer) The Customer as identified in the Order Form or account registration.
Processor (Grevon) Kynect Pte. Ltd. (UEN 202555619W), 8 Marina Boulevard, #29-01, Marina Bay Financial Centre, Singapore 018981, trading as Grevon.
Subject matter Processing of Personal Data in connection with the provision of Grevon's AI-agent and integration platform enabling AI Agents to interact with Guests, handle enquiries, and record bookings in the Customer's systems.
Duration For the duration of the Subscription Term and until completion of return or deletion obligations under clause 13.
Nature and purpose of processing Collection, storage, transmission, retrieval, and use of Personal Data to: (a) operate AI Agents that receive guest enquiries, present property options, and create booking records; (b) transmit booking details to the Customer's property management system or designated system; (c) tokenise payment-card data via PCI DSS-compliant providers; (d) support guest communications as configured by the Customer; and (e) operate, secure, and improve the Services.
Categories of Data Subjects Guests (end users who interact with AI Agents), prospective guests, and the Customer's Authorised Users.
Categories of Personal Data
  • Identity and contact data: name, email address, phone number, and (where provided) address or identification details.
  • Booking and stay data: dates, property, room or rate type, booking reference, preferences, accessibility or dietary requirements, loyalty references.
  • Conversation content: text or voice content of Guest interactions with AI Agents operated by Grevon.
  • Payment data: tokenised payment reference only (Grevon does not process full card numbers).
  • Technical data: IP address, device identifiers, and usage logs where collected through the Services.
Special categories of Personal Data Not processed by default. Where a Guest voluntarily provides information that may constitute special category data (such as accessibility or dietary requirements), such data is processed solely to fulfil the booking or guest request. The Customer is responsible for determining the lawful basis for any such processing.
Processing locations As described in Annex 3. Personal Data is hosted in the cloud region selected for the Customer's account. Access from other locations may occur as described in clause 11 and Annex 3.

Annex 2 — Technical and Organisational Security Measures

Grevon implements and maintains the following technical and organisational measures, which may be updated from time to time provided the overall level of security is not materially diminished:

Access control

Encryption

Network and infrastructure security

Resilience and availability

Personnel measures

Incident response

Organisational measures

Annex 3 — International Transfer Mechanisms

Overview

Grevon hosts the Services on third-party cloud infrastructure. Personal Data may be processed in, or accessed from, the locations of Grevon's cloud providers and Sub-processors. Where Grevon operates regional hosting options, it will host Personal Data in, or near, the geographic region selected for the Customer's account. Personal Data may nonetheless be accessed from other locations for support, security, maintenance, and operational purposes.

EU/EEA Standard Contractual Clauses

Where a Restricted Transfer of Personal Data protected by the EU GDPR occurs, the parties incorporate the EU Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) into this DPA. For the purposes of the SCCs:

UK International Data Transfer Addendum (IDTA)

Where a Restricted Transfer of Personal Data protected by the UK GDPR occurs, the UK IDTA (issued by the UK Information Commissioner's Office) is incorporated into this DPA. The information required to complete the IDTA is as set out in this Annex 3 (EU SCC section) and Annex 1, adapted as necessary for UK GDPR purposes. The applicable law and jurisdiction for the IDTA is England and Wales (subject to any mandatory application of Singapore law).

Supplementary measures

In addition to the contractual safeguards above, Grevon applies the following supplementary measures to protect Personal Data in the context of international transfers: encryption in transit and at rest; access controls limiting who can access transferred data; and Grevon's internal policies restricting access to Personal Data to those with a legitimate business need.

Other jurisdictions

For Personal Data transferred from other jurisdictions with data export requirements (including Switzerland, Canada, and applicable APAC jurisdictions), Grevon will apply appropriate transfer mechanisms as required by applicable law. Details are available from Grevon's privacy team at privacy@grevon.ai.