Data Processing Agreement
Data Processing Agreement
Version: 1.0
Effective Date: [INSERT DATE]
Last Updated: [INSERT DATE]
1. Introduction and Scope
1.1 Parties
This Data Processing Agreement (“DPA” or “Agreement”) is entered into between:
iPrego Pte. Ltd. (UEN: [INSERT UEN]), a company incorporated in Singapore, with its registered office at [INSERT ADDRESS] (“Service Provider,” “Processor,” or “we”); and
The Customer identified in the applicable Order Form or Terms of Service agreement (“Customer,” “Controller,” or “you”).
1.2 Incorporation
This DPA forms part of and is incorporated into the Terms of Service (“Principal Agreement”) between the Service Provider and Customer. In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.
1.3 Purpose
This DPA governs the Processing of Personal Data by the Service Provider on behalf of the Customer in connection with the Vouus platform and related services (“Services”).
1.4 Regulatory Framework
This DPA is designed to comply with:
- Singapore Personal Data Protection Act 2012 (PDPA)
- European Union General Data Protection Regulation (GDPR), where applicable to Customer
- Other applicable data protection laws
Where Customer is subject to GDPR, the GDPR-specific provisions in Annex A shall apply.
2. Definitions
In this DPA, unless the context otherwise requires:
| Term | Definition |
|---|---|
| ”Controller” | The party that determines the purposes and means of Processing Personal Data. Under this DPA, the Customer is the Controller. |
| ”Customer Data” | All data, content, and information (including Personal Data) uploaded, submitted, or otherwise transmitted to the Services by or on behalf of Customer. |
| ”Data Breach” | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. |
| ”Data Intermediary” | As defined under Singapore PDPA: an organization that processes Personal Data on behalf of another organization. The Service Provider acts as a Data Intermediary. |
| ”Data Subject” | An identified or identifiable natural person whose Personal Data is Processed. |
| ”GDPR” | Regulation (EU) 2016/679 of the European Parliament and of the Council. |
| ”PDPA” | Singapore Personal Data Protection Act 2012 and its subsidiary legislation. |
| ”Personal Data” | Any data about an individual who can be identified from that data or from that data combined with other information. |
| ”Processing” | Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, alignment, combination, restriction, erasure, or destruction. |
| ”Processor” | A party that Processes Personal Data on behalf of a Controller. Under this DPA, the Service Provider is the Processor. |
| ”SCCs” | Standard Contractual Clauses adopted by the European Commission for international data transfers. |
| ”Sub-Processor” | A third party engaged by the Service Provider to Process Personal Data on behalf of the Customer. |
3. Roles and Responsibilities
3.1 Customer as Controller
The Customer:
- Determines the purposes and means of Processing Personal Data;
- Is responsible for the lawful collection of Personal Data and the basis for Processing;
- Provides instructions to the Service Provider regarding Processing;
- Ensures compliance with applicable data protection laws in relation to Personal Data uploaded to the Services;
- Is responsible for responding to Data Subject requests (with assistance from Service Provider as set out herein);
- Warrants that it has obtained all necessary consents or has another lawful basis to share Personal Data with the Service Provider.
3.2 Service Provider as Processor / Data Intermediary
The Service Provider:
- Processes Personal Data only on behalf of and