Data Processing Agreement
Version: 1.0
Effective Date: [INSERT DATE]
Last Updated: [INSERT DATE]
1. Introduction and Scope
1.1 Parties
This Data Processing Agreement (“DPA” or “Agreement”) is entered into between:
iPrego Pte. Ltd. (UEN: [INSERT UEN]), a company incorporated in Singapore, with its registered office at [INSERT ADDRESS] (“Service Provider,” “Processor,” or “we”); and
The Customer identified in the applicable Order Form or Terms of Service agreement (“Customer,” “Controller,” or “you”).
1.2 Incorporation
This DPA forms part of and is incorporated into the Terms of Service (“Principal Agreement”) between the Service Provider and Customer. In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.
1.3 Purpose
This DPA governs the Processing of Personal Data by the Service Provider on behalf of the Customer in connection with the Vouus platform and related services (“Services”).
1.4 Regulatory Framework
This DPA is designed to comply with:
- Singapore Personal Data Protection Act 2012 (PDPA)
- European Union General Data Protection Regulation (GDPR), where applicable to Customer
- Other applicable data protection laws
Where Customer is subject to GDPR, the GDPR-specific provisions in Annex A shall apply.
2. Definitions
In this DPA, unless the context otherwise requires:
| Term | Definition |
|---|---|
| “Controller” | The party that determines the purposes and means of Processing Personal Data. Under this DPA, the Customer is the Controller. |
| “Customer Data” | All data, content, and information (including Personal Data) uploaded, submitted, or otherwise transmitted to the Services by or on behalf of Customer. |
| “Data Breach” | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. |
| “Data Intermediary” | As defined under the Singapore PDPA: an organization that Processes Personal Data on behalf of another organization. The Service Provider acts as a Data Intermediary. |
| “Data Subject” | An identified or identifiable natural person whose Personal Data is Processed. |
| “GDPR” | Regulation (EU) 2016/679 of the European Parliament and of the Council. |
| “PDPA” | Singapore Personal Data Protection Act 2012 and its subsidiary legislation. |
| “Personal Data” | Any data, whether true or not, about an individual who can be identified from that data or from that data combined with other information. |
| “Processing” | Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, alignment, combination, restriction, erasure, or destruction. |
| “Processor” | A party that Processes Personal Data on behalf of a Controller. Under this DPA, the Service Provider is the Processor. |
| “SCCs” | Standard Contractual Clauses adopted by the European Commission for international data transfers. |
| “Sub-Processor” | A third party engaged by the Service Provider to Process Personal Data on behalf of the Customer. |
3. Roles and Responsibilities
3.1 Customer as Controller
The Customer:
- Determines the purposes and means of Processing Personal Data;
- Is responsible for the lawful collection of Personal Data and the basis for Processing;
- Provides instructions to the Service Provider regarding Processing;
- Ensures compliance with applicable data protection laws in relation to Personal Data uploaded to the Services;
- Is responsible for responding to Data Subject requests (with assistance from Service Provider as set out herein);
- Warrants that it has obtained all necessary consents or has another lawful basis to share Personal Data with the Service Provider.
3.2 Service Provider as Processor / Data Intermediary
The Service Provider:
- Processes Personal Data only on behalf of and as instructed by the Customer;
- Does not determine the purposes of Processing;
- Implements appropriate technical and organizational measures to protect Personal Data;
- Assists the Customer in fulfilling its data protection obligations;
- Does not use Customer Data for purposes unrelated to providing the Services unless required by law.
4. Details of Processing
4.1 Subject Matter
Processing of Personal Data in connection with the provision of the Vouus platform services.
4.2 Duration
Processing continues for the duration of the Principal Agreement and thereafter only for the data export and deletion periods set out in Section 10 (including the 30-day export period and subsequent deletion from production and backup systems), unless extended for legal retention requirements.
4.3 Nature and Purpose of Processing
| Purpose | Description |
|---|---|
| Service Delivery | Providing, operating, and maintaining the Vouus platform |
| Data Storage | Storing Customer Data within the platform |
| Analytics | Generating analytics and reports requested by Customer |
| HR/Payroll | Processing employee records if Customer uses HR features |
| CRM/Finance | Managing financial and customer relationship records |
| Optional automation features | Supporting customer-configured workflows and assisted features (as enabled by Customer) |
| Support | Providing technical support and troubleshooting |
4.4 Categories of Data Subjects
Depending on Customer’s use of the Services:
- Customer’s employees
- Customer’s clients and customers
- Customer’s contractors and vendors
- Customer’s end users
- Other individuals whose data Customer uploads
4.5 Types of Personal Data
Depending on Customer’s use of the Services:
| Category | Examples |
|---|---|
| Identity Data | Names, job titles, employee IDs |
| Contact Data | Email addresses, phone numbers, addresses |
| Employment Data | Salary, benefits, performance data, leave records |
| Financial Data | Invoice amounts, payment details (not full card numbers) |
| Operational Data | System logs, usage data, timestamps |
| Communications | Support tickets, feedback |
Customer determines what Personal Data to upload. The Service Provider does not require or request sensitive personal data (e.g., health data, biometric data, religious beliefs) unless Customer chooses to use specific features that require such data.
5. Instructions and Compliance
5.1 Processing Instructions
The Service Provider shall Process Personal Data only:
- In accordance with the Customer’s documented instructions;
- As necessary to provide the Services;
- As required by applicable law (in which case, the Service Provider will inform Customer before Processing unless prohibited by law).
The Principal Agreement, this DPA, and Customer’s configuration of the Services constitute Customer’s complete instructions. Additional instructions require written agreement and may be subject to additional fees.
5.2 Notification of Conflicting Instructions
If the Service Provider believes an instruction infringes applicable data protection law, it shall promptly notify the Customer. The Service Provider is not obligated to assess the legality of all instructions but shall act in good faith.
6. Security Measures
6.1 Technical and Organizational Measures
The Service Provider implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
| Category | Measures |
|---|---|
| Access Control | Role-based access, multi-factor authentication, least-privilege principle |
| Encryption | TLS 1.2+ for data in transit; AES-256 for data at rest |
| Infrastructure | Cloud infrastructure with SOC 2 Type II and/or ISO 27001 certification |
| Monitoring | Intrusion detection, logging, alerting |
| Network Security | Firewalls, network segmentation, DDoS protection |
| Personnel | Background checks, security training, confidentiality agreements |
| Physical Security | Data center physical access controls (via cloud providers) |
| Incident Response | Documented incident response procedures |
| Business Continuity | Regular backups, disaster recovery procedures |
6.2 Security Updates
The Service Provider may update security measures from time to time, provided such updates do not materially decrease the overall security of the Services.
6.3 Customer Security Responsibilities
Customer is responsible for:
- Maintaining secure login credentials;
- Configuring access permissions appropriately;
- Ensuring secure transmission of data to the Services;
- Implementing appropriate security for Customer’s own systems.
7. Sub-Processors
7.1 Authorization
Customer provides general authorization for the Service Provider to engage Sub-Processors to perform specific processing activities.
7.2 Current Sub-Processors
A list of current Sub-Processors is available at [INSERT SUBPROCESSOR LIST URL] or upon request.
Current Sub-Processor categories include:
| Category | Purpose | Example Providers |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, compute | AWS, Cloudflare |
| Database Services | Database management | [As applicable] |
| Email Services | Transactional email delivery | Resend, SendGrid |
| Payment Processing | Billing and payments | Stripe |
| Analytics | Service analytics (anonymized) | [As applicable] |
| AI Services | AI feature functionality | OpenAI, Anthropic (as applicable) |
| Support Tools | Customer support operations | [As applicable] |
7.3 Sub-Processor Obligations
The Service Provider ensures that each Sub-Processor:
- Is bound by written obligations providing at least the same level of data protection as this DPA;
- Implements appropriate security measures;
- Processes Personal Data only as necessary for the delegated functions.
7.4 New Sub-Processors
Before engaging a new Sub-Processor, the Service Provider will:
- Update the Sub-Processor list at least 30 days before the new Sub-Processor begins Processing;
- Notify Customer via email if Customer has subscribed to Sub-Processor notifications.
7.5 Objection to Sub-Processors
If Customer has a reasonable objection to a new Sub-Processor based on data protection concerns:
- Customer shall notify the Service Provider in writing within 14 days of receiving notice;
- The parties shall negotiate in good faith to resolve the objection;
- If resolution is not possible, Customer may terminate the affected Services without penalty.
7.6 Liability for Sub-Processors
The Service Provider remains liable for the acts and omissions of its Sub-Processors to the same extent it would be liable if performing the Processing directly.
8. Data Breach Notification
8.1 Notification to Customer
In the event of a Data Breach affecting Customer Data, the Service Provider will:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the breach;
- Provide available information regarding the nature of the breach, categories and volume of data affected, and likely consequences;
- Describe measures taken or proposed to address the breach.
8.2 Ongoing Information
The Service Provider will continue to provide information as the investigation progresses and cooperate with Customer’s reasonable requests regarding the breach.
8.3 Customer Notification Obligations
Customer is responsible for determining whether to notify Data Subjects or regulatory authorities and for making such notifications. The Service Provider shall assist Customer as reasonably required.
8.4 Public Statements
Neither party shall make public statements regarding a Data Breach involving Customer Data without the other party’s prior approval, except as required by law.
9. Data Subject Rights
9.1 Customer Responsibility
Customer is responsible for responding to Data Subject requests (access, correction, deletion, portability, objection).
9.2 Service Provider Assistance
The Service Provider shall:
- Promptly forward to Customer any Data Subject requests that the Service Provider receives directly;
- Provide Customer with self-service tools (where available) to respond to requests;
- Provide reasonable assistance to Customer in responding to requests, subject to applicable fees for extensive assistance.
9.3 Response Time
The Service Provider will respond to Customer’s reasonable requests for assistance within 10 business days.
10. Data Retention and Deletion
10.1 Retention Period
Customer Data is retained for the duration of the Principal Agreement and thereafter only for the export and deletion periods set out in Sections 10.2 to 10.4.
10.2 Data Export
Upon termination or expiration of the Principal Agreement, Customer may export Customer Data using available export features within 30 days.
10.3 Deletion
Following the 30-day export period (or upon earlier written request by Customer), the Service Provider will:
- Delete Customer Data from production systems within 30 days;
- Delete Customer Data from backup systems within 90 days (or such longer period as necessary for backup rotation).
10.4 Retention for Legal Purposes
The Service Provider may retain limited data as required by applicable law or for legitimate record-keeping purposes (e.g., invoicing records), in which case such data will be protected and not used for other purposes.
10.5 Certification
Upon Customer’s written request, the Service Provider will certify in writing that deletion has been completed.
11. International Data Transfers
11.1 Processing Locations
Customer Data may be Processed in the following regions: [INSERT REGIONS, e.g., Singapore, United States, European Union].
11.2 Transfer Safeguards
Where Personal Data is transferred outside Singapore or (for GDPR-subject data) outside the EEA/UK, the Service Provider ensures appropriate safeguards, including:
- Service providers located in jurisdictions with adequate data protection laws; or
- Contractual protections (e.g., SCCs for GDPR-subject data); or
- Other approved transfer mechanisms.
11.3 GDPR Data Transfers
For Customers subject to GDPR, Annex A includes the EU Standard Contractual Clauses (Module 2: Controller to Processor), incorporated by reference.
12. Audit and Compliance
12.1 Documentation
Upon reasonable written request (no more than once per year), the Service Provider will provide:
- Summaries of security policies and practices;
- Copies of relevant certifications (e.g., SOC 2 reports, ISO 27001 certificates);
- Responses to reasonable security questionnaires.
12.2 Third-Party Audits
The Service Provider undergoes regular independent security audits. Customer may request audit reports (subject to confidentiality).
12.3 On-Site Audits
On-site audits by Customer or Customer’s representative may be conducted:
- With at least 30 days’ written notice;
- During normal business hours;
- At Customer’s expense;
- Subject to reasonable scope and confidentiality requirements;
- No more than once per year (unless a Data Breach has occurred).
12.4 Regulatory Audits
The Service Provider will cooperate with audits by regulatory authorities to the extent required by law.
13. Confidentiality
13.1 Personnel Confidentiality
The Service Provider ensures that personnel authorized to Process Personal Data:
- Are subject to confidentiality obligations;
- Process Personal Data only as instructed;
- Receive appropriate training.
13.2 Restrictions on Disclosure
The Service Provider shall not disclose Personal Data to third parties except:
- To Sub-Processors as permitted herein;
- As instructed by Customer;
- As required by law (with notice to Customer where permitted).
14. Liability
14.1 Liability Cap
The total aggregate liability of each party under this DPA is subject to the limitations set forth in the Principal Agreement.
14.2 Customer Indemnification
Customer shall indemnify the Service Provider against any claims arising from:
- Customer’s violation of data protection laws;
- Customer’s instructions that infringe applicable law;
- Personal Data uploaded by Customer in breach of Customer’s obligations.
15. Term and Termination
15.1 Term
This DPA commences on the effective date of the Principal Agreement and continues until the Principal Agreement terminates and all Personal Data has been deleted or returned.
15.2 Survival
Sections regarding confidentiality, liability, data deletion, and general provisions survive termination.
16. General Provisions
16.1 Governing Law
This DPA is governed by the laws of Singapore, without regard to conflict of law principles.
16.2 Amendments
The Service Provider may update this DPA to reflect changes in law, regulatory guidance, or processing practices. Material changes will be communicated with at least 30 days’ notice.
16.3 Entire Agreement
This DPA, together with the Principal Agreement, constitutes the complete agreement regarding data processing.
16.4 Severability
If any provision of this DPA is invalid, the remaining provisions remain in effect.
16.5 No Third-Party Beneficiaries
This DPA does not confer rights on third parties, except as required by applicable data protection law.
Contact
For data protection inquiries:
- Data Protection Officer: iPrego Pte. Ltd.
- Email: [DPO_EMAIL]
- Address: [INSERT ADDRESS], Singapore
Annex A: GDPR-Specific Provisions
This Annex applies where Customer is subject to GDPR.
A.1 EU Standard Contractual Clauses
Where Personal Data originating from the EEA/UK is transferred to the Service Provider in a jurisdiction not recognized as providing adequate protection, the EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2: Controller to Processor) are incorporated by reference.
The following appendices to the SCCs are deemed completed as follows:
- Annex I.A (List of Parties): As set out in this DPA (Customer as data exporter; Service Provider as data importer)
- Annex I.B (Description of Transfer): As set out in Section 4 of this DPA
- Annex I.C (Competent Supervisory Authority): [Customer’s lead supervisory authority, e.g., Irish Data Protection Commission]
- Annex II (Technical and Organizational Measures): As set out in Section 6 of this DPA
- Annex III (List of Sub-Processors): As set out in Section 7 and available at [Sub-Processor URL]
A.2 UK Addendum
For transfers from the UK, the UK Addendum to the EU SCCs (as issued by the UK ICO) is incorporated.
A.3 Data Protection Impact Assessments
The Service Provider will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments where required under GDPR Article 35.
A.4 Prior Consultation
The Service Provider will assist Customer in prior consultation with supervisory authorities under GDPR Article 36 where required.