Data Processing Addendum
Effective April 30, 2026. This Data Processing Addendum applies to business and organization customers where Rework AS, trading as Genosight, processes personal data on behalf of the customer.
Legal entity: Rework AS, Norwegian organization number 927 255 812, registered address c/o Sebastian Oltedal Thorp, Vestveien 5B, 1450 Nesoddtangen, Norway.
1. Applicability
Genosight is offered today as a consumer-only educational service. Individual consumer accounts are governed by the Privacy Policy, Terms of Use, and Informed Consent; no consumer account is governed by this DPA.
This Data Processing Addendum is published so that it is available to organizations that may, in the future, enter into a separate written agreement with Genosight for non-consumer use cases. Until such an agreement is signed, Genosight does not accept genetic or health data for the following categories of use:
- Regulated clinical use (clinical decision support, patient management, clinical screening or diagnostics, integration into a healthcare provider's workflow);
- Academic or commercial research involving human subjects;
- Employer, insurer, or financial-services workflows (employment screening, underwriting, eligibility determinations, lending);
- Healthcare-organization deployments (hospitals, clinics, laboratories, pharmacies, health-tech platforms acting as controllers on behalf of patients).
Each of these categories carries its own regulatory framework (medical-device / IVDR / SaMD review, IRB/ethics-committee approval, GINA / employment law, insurance regulation, healthcare data protection, etc.) that goes beyond Genosight's current consumer posture. A separate written agreement, an updated Privacy Policy carve-out, a separate regulatory review, and potentially an entirely separate product configuration will be required before Genosight processes data for any of these use cases. Do not upload genetic or health data on behalf of any of these categories without first contacting Genosight at contact@genosight.ai to discuss the appropriate agreement structure.
When such a written agreement is signed, this DPA (or a successor version negotiated at that time) forms part of that agreement. If a customer account includes both consumer and organization-managed processing under a signed agreement, the parties must document the role allocation before production use.
2. Definitions
- Customer means the legal entity that has entered into an agreement with Genosight and determines the purposes and means of processing customer personal data.
- Genosight means Rework AS, trading as Genosight.
- Personal data, processing, controller, processor, data subject, and special categories of personal data have the meanings given under applicable data-protection law.
- Customer personal data means personal data that Genosight processes on behalf of Customer under the agreement.
- Subprocessor means a third party engaged by Genosight to process customer personal data on Genosight's behalf.
3. Roles
Customer is the controller, and Genosight is the processor, for customer personal data processed under this DPA. Customer is responsible for determining the lawful basis, transparency notices, consent requirements, data-subject communications, medical or research approvals, and instructions for the processing. Genosight will process customer personal data only on documented instructions from Customer unless applicable law requires otherwise.
Genosight remains an independent controller for its own account administration, security, fraud prevention, billing, tax, legal, analytics, and service-improvement records, to the extent permitted by law.
4. Processing instructions
Customer instructs Genosight to process customer personal data as necessary to provide the service, support users, maintain security, operate billing, prevent abuse, comply with law, and perform other documented instructions in the agreement or product configuration.
Genosight will promptly inform Customer if, in Genosight's opinion, an instruction infringes applicable data-protection law, unless law prohibits such notice.
5. Confidentiality
Genosight will ensure that personnel authorized to process customer personal data are bound by confidentiality obligations and receive access only as needed for their role.
6. Security measures
Genosight will maintain appropriate technical and organizational measures designed to protect customer personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include, as applicable:
- encryption in transit and private storage controls;
- encryption at rest where supported by infrastructure providers;
- row-level access controls and server-side authorization;
- segregation of production secrets from client-side code;
- least-privilege access to administrative systems;
- rate limiting, abuse controls, and idempotency controls;
- logging and monitoring for reliability and security events;
- backup, deletion, and account-deletion workflows;
- vendor due diligence for subprocessors handling sensitive data.
7. Subprocessors
Customer authorizes Genosight to use subprocessors to provide the service. Genosight will impose data-protection obligations on subprocessors that are no less protective than those required by this DPA, taking into account the nature of the subprocessing.
Genosight's current subprocessor categories include cloud hosting and database, authentication, storage, AI processing, payment processing, email, security, logging, and monitoring providers. Current providers may include Supabase, Vercel, Anthropic, Stripe, Resend, Sentry, and Cloudflare Turnstile. The current named list is maintained on the Subprocessors page.
Genosight may add or replace subprocessors. Where required by law or the agreement, Genosight will provide notice of material subprocessor changes and give Customer a reasonable opportunity to object on documented data-protection grounds.
8. International transfers
Where Genosight transfers customer personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, Genosight will use appropriate transfer safeguards, such as standard contractual clauses, the UK International Data Transfer Addendum, the Swiss addendum, approved certification mechanisms, or another lawful transfer mechanism. Customer authorizes Genosight to enter into those safeguards on Customer's behalf as needed for subprocessor transfers.
9. Assistance
Taking into account the nature of processing and information available to Genosight, Genosight will provide reasonable assistance to Customer with:
- responding to data-subject requests;
- security obligations;
- personal-data breach notifications;
- data protection impact assessments;
- prior consultation with supervisory authorities where required.
Customer remains responsible for validating the identity and authority of requesters and for determining whether and how to respond to any data-subject request.
10. Personal-data breaches
Genosight will notify Customer without undue delay after becoming aware of a personal-data breach affecting customer personal data. Notice will include available information about the nature of the breach, affected data, likely consequences, measures taken or proposed, and a contact point for follow-up. Genosight may provide information in phases as the investigation progresses.
11. Return and deletion
At the end of the services, Genosight will delete or return customer personal data according to the agreement, product controls, and applicable law. Genosight may retain data that must be kept for legal, accounting, security, dispute, or compliance reasons, subject to continued protection and deletion when retention is no longer needed.
12. Audits
Genosight will make available information reasonably necessary to demonstrate compliance with this DPA. Where legally required and not satisfied by documentation, Customer may request an audit on reasonable notice, during normal business hours, subject to confidentiality, security, and operational restrictions. Audits must not compromise other customers' data, Genosight security, or trade secrets.
13. Sensitive-data safeguards
Customer acknowledges that genetic data and health information may be special-category personal data and may trigger explicit-consent, transparency, DPIA, medical-device, clinical, research, or national genetic-data requirements. Customer is responsible for ensuring that its use of Genosight is lawful for its intended context and that users receive appropriate notices, consents, and professional support.
Customer must not use Genosight or Genosight outputs for insurance, employment, lending, housing, law-enforcement, surveillance, forensic matching, or eligibility decisions unless Genosight has expressly agreed in writing and the use is lawful in every applicable jurisdiction.
14. HIPAA and regulated health workflows
This DPA is not a HIPAA Business Associate Agreement. Genosight does not agree to act as a HIPAA business associate, clinical laboratory, medical-device manufacturer, or regulated healthcare provider unless the parties sign a separate written agreement that expressly says so.
15. Liability and conflict
Liability under this DPA is subject to the limitations and exclusions in the agreement unless prohibited by applicable law. If this DPA conflicts with another part of the agreement regarding personal-data processing, this DPA controls for that conflict.
16. Governing law
This DPA is governed by the same law and dispute forum as the main agreement, unless mandatory data-protection law requires otherwise.
Appendix 1 - Processing details
Subject matter
Provision of Genosight's DNA upload, genetic analysis, health-profile context, report generation, findings chat, billing, account, support, security, and related services.
Duration
The term of the agreement plus any retention period required for deletion, legal compliance, backup overwrite, billing, security, or dispute purposes.
Nature and purpose
Hosting, storing, parsing, analyzing, transforming, retrieving, generating, displaying, transmitting, securing, exporting, deleting, and supporting customer personal data to provide Genosight.
Categories of data subjects
Customer's authorized users, account administrators, invited users, end users, support contacts, and individuals whose data is uploaded or entered into the service under Customer's authority.
Categories of personal data
Account identifiers, contact details, authentication metadata, raw DNA files, genotype data, variant data, health profile data, family history, symptoms, medications, supplements, allergies, habits, goals, report content, chat content, support communications, billing metadata, device data, IP address, logs, and security metadata.
Special categories
Genetic data, health data, sex or life-stage information, ethnicity where provided by the user, and other information that may reveal sensitive health, family, or biological information.