Data Processing Agreement
This Data Processing Agreement (hereinafter referred to as this “DPA”) outlines the terms and conditions for the processing of personal data between TRUEWATCH TECHNOLOGY INC PTE. LTD. (hereinafter referred to as “We” or “TrueWatch”) and the customer (hereinafter referred to as the “Customer” or the “User”). This DPA is incorporated into and forms an integral part of the main subscription agreement (or other electronic or jointly signed written agreement) between TrueWatch and the Customer that references this DPA (the “Agreement”).
1. Introduction
This DPA is designed to ensure that TrueWatch, as the data processor, can comply with applicable data protection laws and regulations, including the Personal Data Protection Act 2012 (Singapore), when processing Customer Personal Data.
This DPA establishes the rights and obligations of both parties, i.e., TrueWatch and the Customer, regarding the processing, security, and confidentiality of Customer Personal Data.
2. Definitions
The following definitions apply to this DPA:
“Customer Data” refers to data submitted for processing from the customer environment. The customer determines the type and quantity of Customer Data through the configuration and use of the service.
“Customer Personal Data” refers to Customer Data that contains personal data, as defined under applicable data protection laws.
“Personal Data Breach” refers to a security breach that occurs during the transmission, storage or other processing of Customer Personal Data by TrueWatch, resulting in accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Customer Personal Data.
“Account Data” refers to customer information provided to TrueWatch related to the creation or management of their TrueWatch account, such as the first and last name of authorized users, billing contact information, username and email address.
“Data Subject” refers to the natural person to whom the personal data relates.
“Processing” refers to any operation performed on personal data, including but not limited to collection, recording, storage, use, transfer, and deletion.
“Data Processor” refers to the party processing personal data under this agreement, namely TrueWatch.
“Controller” refers to an entity that determines the purposes and means of processing personal data, which is the Customer.
“Sub-processor” refers to any processor engaged by TrueWatch or its affiliates to process Customer Personal Data on behalf of TrueWatch or its affiliates while providing services.
“TrueWatch” refers to TRUEWATCH TECHNOLOGY INC PTE. LTD., the party to this DPA.
“Data Protection Laws” refers to data protection or privacy laws and regulations directly applicable to the parties' processing of personal data, including Singapore’s Personal Data Protection Act and other relevant data protection laws and regulations in applicable jurisdictions.
“GDPR” refers to the General Data Protection Regulation (2016/679), issued by the European Parliament and Council on April 27, 2016, regarding the protection of natural persons in relation to the processing of personal data and the free movement of such data, which repeals Directive 95/46/EC.
“SCC” refers to the Standard Contractual Clauses for the transfer of personal data to third countries, as set out in the decision of the European Commission under Regulation (EU) 2016/679 issued on June 4, 2021. For data transfers involving the UK, the SCC may include the incorporation of the UK International Data Transfer Addendum (“UK Addendum”), where applicable. For transfers from Singapore, TrueWatch will ensure compliance with Section 26 of the Personal Data Protection Act 2012 (PDPA) to provide comparable protection for Customer Personal Data.
3. Role Assignment
3.1 Both parties agree that TrueWatch acts as the data processor of Customer Personal Data when providing services. TrueWatch will process Customer Personal Data only in accordance with the agreement, this DPA (including Appendix A) and any written instructions provided by the Customer (the “Written Instructions”).
3.2 As the data controller, the Customer must ensure that it has the legal right to provide personal data to TrueWatch for processing, and that its instructions and requirements comply with applicable data protection laws and regulations, including ensuring proper notification and/or consent from data subjects as required by law.
4. Data Security
4.1 Security Measures. Considering the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, TrueWatch has implemented and shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk level of processing personal data. The Customer agrees that the security measures implemented by TrueWatch (listed in Appendix B) are sufficient to fulfill its obligations under this DPA. Notwithstanding the foregoing, the customer acknowledges and agrees the secure use of the products and services on the Customer's end remains the Customer’s responsibility.
4.2 Personal Data Breach. TrueWatch will notify the Customer immediately upon discovering a personal data breach, without undue delay. The notification from TrueWatch to the Customer includes (a) the nature of the personal data breach, including the categories and approximate number of data subjects and personal data records affected; (b) the measures TrueWatch has taken or plans to take to address and mitigate the personal data breach; (c) any measures recommended by TrueWatch for the Customer to address any personal data breach issues. TrueWatch's obligation to notify or respond to personal data breaches does not constitute an acknowledgment by TrueWatch of any fault or liability related to the personal data breach.
5. Sub-processor
5.1 The Customer authorizes TrueWatch to engage sub-processors to process personal data on behalf of TrueWatch and agrees to the use of the sub-processors listed in TrueWatch’s current sub-processor list. TrueWatch shall update the sub-processor list at least 30 days before appointing any new sub-processor and provide the Customer with a mechanism to receive notifications of updates to the sub-processor list (via email or in-site message). If the Customer objects to a new sub-processor based on reasonable data protection concerns, the Customer must notify TrueWatch within 15 days of receiving the notification.
5.2 TrueWatch shall enter into contracts with sub-processors that impose data protection obligations equivalent to those set forth in this DPA, ensuring compliance with applicable Data Protection Laws.
5.3 TrueWatch shall be liable for the acts and omissions of its sub-processors under this DPA to the same extent as if TrueWatch were performing the services directly. TrueWatch will take all reasonable steps to ensure that these sub-processors provide sufficient guarantees to protect the security of personal data.
6. Data Subject Rights
6.1 TrueWatch will assist the Customer in fulfilling its obligations related to data subject rights under applicable Data Protection Laws, including but not limited to access, rectification, erasure and restriction of processing. If a data subject directly contacts TrueWatch to exercise their rights and the request pertains to the Customer's data, TrueWatch will make reasonable efforts to forward the request to the Customer within 7 business days of receipt.
6.2 The Customer retains ultimate responsibility for responding to such requests and ensuring compliance with applicable Data Protection Laws.
7. Data Transfer and Deletion
7.1 Upon termination or expiration of the Agreement, personal data will be deleted within 30 days of receiving the Customer's written request, unless otherwise required by applicable law.
7.2 Unless otherwise required by applicable law, any Customer Personal Data archived in backups will be isolated and protected from any further processing. Notwithstanding the foregoing, to the extent required by applicable law for TrueWatch to retain some or all Customer Personal Data, archived Customer Personal Data will be retained for no longer than 7 years, and this DPA will continue to apply to the retained Customer Personal Data.
8. Audit
8.1 TrueWatch's audit report. Upon the Customer's written request and in compliance with the confidentiality terms of the Agreement, TrueWatch shall provide the Customer with a copy or excerpt of the relevant audit report related to service security, including, for example, ISO 27001 certification, SOC 2 report, or other similar certifications or security audit documentation.
8.2 The audit documentation will be limited to security controls directly relevant to the processing of Customer Personal Data under this DPA.
9. Data Transfer
9.1 The Customer authorizes TrueWatch and its sub-processors to transfer Customer Data across borders, including but not limited to transfers from the European Economic Area (“EEA”), the United Kingdom (“UK”) and Singapore. To protect the transfer of personal data from the EEA and the UK, both parties agree to execute the Standard Contractual Clauses (“SCCs”) and the UK Addendum. The execution of this DPA or the Agreement constitutes the execution of the SCCs and any associated annexes. For transfers originating from Singapore, TrueWatch shall ensure compliance with the requirements of the Personal Data Protection Act 2012 (Singapore).
9.2 Specific application of the Standard Contractual Clauses:
(1) Module 2 shall apply;
(2) In Clause 7 (Docking), the optional docking clause shall apply;
(3) In Clause 9 (Use of Sub-processors), Option 2 for the 'general written authorization' clause for sub-processors shall apply, and the prior notice period is specified in Clause 5.1 of this DPA;
(4) In Clause 11 (Remedies), the optional language shall not apply;
(5) In Clause 13 (Supervision), the competent supervisory authority shall be the German supervisory authority for data originating from the EEA and the relevant UK authority for data originating from the UK;
(6) In Clause 17 (Governing Law), the SCCs shall be governed by German law for any data originating from the EEA and governed by UK law for data originating from the UK;
(7) In Clause 18(b) (Choice of Forum and Jurisdiction), both parties agree that disputes shall be submitted to the German courts for data originating from the EEA and to the UK courts for data originating from the UK;
(8) Annex I of the SCCs shall supplement the information set forth in Appendix A of this DPA;
(9) Annex II of the SCCs shall supplement the information set forth in Appendix B of this DPA.
9.3 If TrueWatch provides services involving the transfer of Customer Personal Data from the EEA, UK or Singapore to a third country not recognized as providing adequate protection for Customer Personal Data, the SCCs should be used and completed in accordance with the provisions of Section 9.2.
10. Conflict
In the event of a conflict or inconsistency between this DPA, the SCCs, and the Agreement, the order of precedence shall be: (1) SCCs; (2) this DPA; (3) the Agreement.
11. Agreement Amendment
11.1 TrueWatch may amend this DPA under the following circumstances: (a) Amendments are necessary to comply with applicable laws, regulations, or regulatory guidance; (b) Amendments are commercially reasonable, do not materially reduce the security of the service, do not alter the scope of TrueWatch's processing of Customer Personal Data, and do not have a material adverse effect on the Customer's rights under this DPA.
Appendix A: Data Processing Details
1. List of Parties
1.1 Data Exporter
Name: [ ]
Address: [ ]
Contact Name: [ ]
Position: [ ]
Contact Information: [ ]
Data transfer activities involved in this Data Processing Agreement: to provide, support and improve services, and to process Customer Personal Data and Account Data.
Signature and Date: both parties agree that execution of the Agreement signifies that both parties have signed Appendix A.
Role (Controller/Processor): for Customer Personal Data, TrueWatch acts as a processor or controller; for Account Data, TrueWatch acts as a controller.
1.2 Data Importer
Name: TRUEWATCH TECHNOLOGY INC PTE. LTD.
Address: 55 Ubi Ave 3 #02-06A Aspial One, Singapore 408864
Contact Name: [ ]
Position: [ ]
Contact Method: [ ]
Data transfer activities involved in this Data Processing Agreement: to provide, support and improve services, and to process Customer Personal Data and Account Data.
Signature and Date: both parties agree that execution of the Agreement signifies that both parties have signed Appendix A.
Role (Controller/Processor): for Customer Personal Data, TrueWatch acts as a processor or controller; for Account Data, TrueWatch acts as a controller.
2. Data Transfer Description
2.1 Categories of Data Subjects whose personal data is transferred
(1) Account Data: data subjects may include the Customer's employees.
(2) Customer Personal Data: data subjects may include the Customer's employees, customers, suppliers and end users.
2.2 Categories of Personal Data Transferred
(1) Account Data: personal data provided by the Customer to TrueWatch for using the service.
(2) Customer Personal Data: personal data provided by the Customer to TrueWatch for using the service.
2.3 Sensitive Data
No sensitive data is transferred.
2.4 Frequency of Transfers (is data transferred on a one-off or continuous basis?)
Personal data is transferred on a continuous basis.
2.5 Nature of Processing
Regarding Account Data: general account management and other activities as outlined in the TrueWatch Public Privacy Policy.
Regarding Customer Personal Data: analysis, storage and other services as described in the Agreement, order, DPA and documentation.
2.6 Purpose of Data Transfer and Further Processing
To enable TrueWatch to provide services and products to the Customer and to exercise its rights and obligations under the Agreement.
2.7 Retention Period of Personal Data
Regarding Account Data: retained as required for managing the Customer’s account under TrueWatch’s privacy policy.
Regarding Customer Personal Data: retained according to the Customer’s service configuration or the retention schedule outlined in the documentation.
Appendix B: Technical and Organizational Security Measures
TrueWatch will implement at least the following technical and organizational security measures for the processing of Customer Personal Data on behalf of its Customers.
- Encryption and Key Management
1.1 TrueWatch maintains encryption mechanisms and cryptographic key management policies and procedures to ensure the effective management of cryptographic systems within TrueWatch.
1.2 TrueWatch encrypts data during transmission across static and public networks according to industry standard practices (if applicable).
1.3 Customer Personal Data stored within TrueWatch systems is encrypted using strong encryption algorithms.
- Compliance Audit
2.1 TrueWatch will maintain SSAE 18 SOC 2 certification, or a similar industry-recognized certification, throughout the term of the Agreement. Certifications will be updated annually. Upon the Customer's request, TrueWatch will provide a summary of its most recent SOC 2 report once every 12 months during the validity of the Agreement.
2.2 TrueWatch complies with ISO 27001 and other industry standards and best-practice guidelines.
- Access Control
3.1 Only authorized users can access data, including when it is stored on any electronic or portable media or during transmission. Authorized users are granted access only to the data and resources necessary to perform their respective duties.
3.2 TrueWatch maintains user access control mechanisms to facilitate timely provisioning and deprovisioning of user accounts.
- Business Continuity
4.1 TrueWatch maintains business continuity, backup and disaster recovery plans (“BC/DR Plans”) designed to minimize service disruptions and ensure compliance with applicable laws.
4.2 The BC/DR Plans address threats to the services and any dependencies and establish procedures for restoring access to and use of the services. The BC/DR Plans are tested regularly.
- Change Control
5.1 TrueWatch maintains policies and procedures for implementing changes to the services, including underlying infrastructure and system components, to ensure quality standards are met. The Customer will be notified of significant changes that could affect the availability or functionality of the services.
5.2 TrueWatch conducts annual penetration testing on its networks and services to identify vulnerabilities. Vulnerabilities are remediated within a timeframe based on their severity, in accordance with TrueWatch's vulnerability management policies and procedures, and assessed under TrueWatch's risk management framework.
5.3 TrueWatch regularly conducts network vulnerability scans, and identified vulnerabilities will be remediated based on their severity and according to TrueWatch's vulnerability management policies and procedures, and assessed under TrueWatch's risk management framework.
5.4 Security patches are applied according to TrueWatch's documented patch update plan. Critical patches are prioritized and applied within industry-standard timeframes to address vulnerabilities.
- Data Security
6.1 TrueWatch applies technical safeguards and other security measures to ensure the safety and confidentiality of Customer Personal Data.
6.2 TrueWatch isolates Customer Personal Data in the production environment.
- Governance and Risk Management
7.1 TrueWatch maintains and implements an information security plan, which is reviewed at least once a year.
7.2 TrueWatch maintains a risk management plan, which is assessed at least once a year.
7.3 TrueWatch maintains an incident response plan to address potential security breaches or other incidents.
- Administrative Control
8.1 TrueWatch engages third-party providers to conduct background checks on all TrueWatch personnel authorized to access Customer Personal Data.
8.2 TrueWatch employees are required to complete security awareness training during onboarding and participate in mandatory annual refresher training.
1/22/2025