Legal
Data Processing Agreement
How we process client data as your data intermediary under the PDPA.
1. Scope and roles
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between [Company Legal Name] Pte. Ltd. (“CorpSec AI”, “Processor”) and the Customer (“Controller”), and applies where CorpSec AI processes personal data on the Controller’s behalf.
The Controller is the controlling organisation and CorpSec AI is its data intermediary (processor) under the PDPA. The Controller determines the purposes and means of processing; CorpSec AI processes only on the Controller’s documented instructions, which include the Terms and use of the Service.
2. Subject-matter and details of processing
Subject-matter: provision of the Service. Duration: the term of the subscription plus any period required for return/deletion. Nature and purpose: AI-assisted document generation, compliance workflows, KYC/AML screening and company management. Types of data: company records; officer, director, shareholder and beneficial-owner details; identifiers (e.g. NRIC/passport); and related documents. Data subjects: the Controller’s clients, their officers and beneficial owners, and the Controller’s personnel.
3. Processor obligations
CorpSec AI will:
- Process personal data only on the Controller’s documented instructions, unless required by law (and if so, notify the Controller unless prohibited).
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Schedule below).
- Not use client data to train AI models and engage AI providers on terms that prohibit such training.
- Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its PDPA obligations.
- Make available information reasonably necessary to demonstrate compliance with this DPA.
4. Sub-processors
The Controller authorises CorpSec AI to engage sub-processors to provide the Service. Current sub-processors and their function/region are listed on our Security page (for example: cloud hosting and database/storage in Singapore; an AI model provider; and a payment processor). CorpSec AI imposes data-protection obligations on each sub-processor no less protective than this DPA and remains responsible for their performance. We will give reasonable prior notice of any new sub-processor; the Controller may object on reasonable data-protection grounds.
5. Security measures (Schedule)
Technical and organisational measures include:
- Encryption of data in transit (TLS) and at rest.
- Per-firm tenant isolation enforced at the application layer and by database row-level security.
- Private document storage accessed only via short-lived signed URLs after authorisation.
- Role-based access control and least-privilege administration.
- Masking of identifiers such as NRIC/passport in the application and before AI processing.
- Append-only, immutable audit logging of key actions.
- Backups and platform-level point-in-time recovery via our hosting provider.
6. Personal data breach
CorpSec AI will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and will provide information reasonably available to help the Controller meet its own notification obligations (including any obligation to notify the PDPC and affected individuals under the PDPA). Notification is not an acknowledgement of fault.
7. Data-subject requests
If CorpSec AI receives a request from a data subject relating to the Controller’s data, it will (unless legally required to respond) refer the request to the Controller and assist the Controller in responding, taking into account the nature of the processing and the tools available in the Service (including export and correction features).
8. Return and deletion
On termination or expiry, and on the Controller’s request, CorpSec AI will make the Controller’s data available for export and will then delete or return it, except to the extent retention is required by law or to comply with the Controller’s own statutory record-keeping obligations (for example AML/CDD records and audit logs retained for at least five years). Immutable audit logs are retained as records of processing.
9. Audits
CorpSec AI will, on reasonable prior written notice and no more than once per year (unless required by a regulator or following a breach), make available information and, where appropriate, relevant third-party audit reports or certifications to demonstrate compliance with this DPA. Any on-site audit is subject to reasonable confidentiality, security and scheduling conditions and to the Controller bearing its own costs.
10. International transfers
The Service is hosted in Singapore. Where a sub-processor processes data outside Singapore, CorpSec AI ensures a comparable standard of protection consistent with the PDPA Transfer Limitation Obligation.
11. Liability
The liability of each party under or in connection with this DPA is subject to, and counts towards, the limitations and exclusions of liability set out in the Terms of Service, including the aggregate liability cap and the exclusion of indirect and consequential loss. Nothing in this DPA increases a party’s liability beyond what is stated in the Terms.
12. Precedence and general
This DPA prevails over the Terms to the extent of any conflict on data-processing matters. In all other respects the Terms apply, including governing law (Singapore) and dispute resolution by SIAC arbitration as set out in the Terms of Service. Contact: privacy@corpsec.ai.