Data Processing Agreement
How PMOS processes personal data on behalf of its customers, in compliance with the PDPA.
1. Scope & Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PMOS Pte. Ltd. ("Data Intermediary" / "Processor") and you ("Data Controller") and governs the processing of personal data by PMOS on your behalf through the PMOS Platform.
Under the PDPA, PMOS acts as a data intermediary when processing personal data on your behalf for the purpose of providing the Services. PMOS processes personal data only on your documented instructions.
2. Definitions
- "Personal Data" has the meaning given in Section 2 of the PDPA — data about an individual who can be identified from that data, or from that data combined with other information to which the organisation has or is likely to have access
- "Processing" includes collecting, using, disclosing, storing, modifying, or deleting personal data
- "Data Breach" means any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data
- "PDPC" means the Personal Data Protection Commission of Singapore
3. Data Processing Details
| Element | Details |
| --- | --- |
| Nature of Processing | Cloud-based SaaS platform for pool management operations |
| Purpose | Providing pool management, technician scheduling, compliance tracking, marketplace, and reporting services |
| Categories of Data Subjects | Your employees, contractors, technicians, customers, pool facility managers |
| Types of Personal Data | Names, contact details, job assignments, GPS location (technicians), water test results, transaction records |
| Duration | For the term of your subscription agreement plus the applicable retention period |
4. Obligations of PMOS as Data Intermediary
PMOS shall:
- Process personal data only on your documented instructions and for the purposes specified in this DPA
- Implement appropriate technical and organisational security measures (see Section 6)
- Ensure all personnel authorised to process personal data are bound by confidentiality obligations
- Assist you in responding to data access and correction requests under Sections 21 and 22 of the PDPA
- Notify you of any data breach within 24 hours of discovery
- Support you in notifying the PDPC within the statutory 3 calendar days if the breach is notifiable
- Delete or return all personal data upon termination of the agreement (at your election)
- Make available all information necessary to demonstrate compliance with this DPA
5. Obligations of the Data Controller
You shall:
- Ensure you have a lawful basis (including consent where required) for the personal data provided to PMOS
- Provide clear and documented instructions for data processing
- Notify data subjects about the processing of their data through PMOS, including the purposes and their rights under the PDPA
- Notify PMOS promptly of any consent withdrawal by data subjects
6. Security Measures
PMOS implements and maintains the following security measures:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Control: Role-based access (RBAC), MFA for admin, least-privilege principle
- Network Security: Firewalls, intrusion detection/prevention (IDS/IPS), DDoS protection
- Data Hosting: Singapore-based data centres (ISO 27001, SOC 2 Type II certified)
- Backups: Daily encrypted backups with 30-day retention, tested quarterly
- Monitoring: 24/7 security monitoring, automated alerting, quarterly penetration testing
- Staff: Annual PDPA training, background checks for personnel handling personal data
7. Sub-Processors
PMOS engages the following sub-processors, all bound by equivalent data protection obligations:
| Sub-Processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure & hosting | Singapore (ap-southeast-1) |
| Stripe | Payment processing | Singapore / USA |
| Tazapay | Escrow payments (PMOS Market) | Singapore |
| Cloudflare | CDN & security | Singapore edge node |
| SendGrid | Transactional email delivery | Singapore / USA |
PMOS will notify you of any changes to sub-processors at least 30 days in advance. You may object to a new sub-processor, in which case PMOS will work to find an alternative or allow you to terminate without penalty.
8. Data Breach Notification
In the event of a data breach:
- PMOS will notify you within 24 hours of becoming aware of the breach
- Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate
- PMOS will cooperate fully with your breach response and any PDPC investigation
- Where the breach is a notifiable data breach under the PDPA (affects 500+ individuals or causes significant harm), PMOS will assist you in notifying the PDPC within 3 calendar days
9. Audit Rights
You may audit PMOS's compliance with this DPA upon 30 days' written notice, no more than once per year (unless a breach has occurred). PMOS will provide reasonable cooperation, access to relevant premises and records, and information necessary for the audit. Audits shall be conducted during business hours and shall not unreasonably interfere with PMOS's operations.
10. Data Return & Deletion
Upon termination of the agreement:
- PMOS will, at your election, return all personal data in standard formats (CSV, JSON, PDF) or securely delete it
- Deletion will be completed within 30 days of your request
- PMOS will provide written certification of deletion upon request
- Data required for legal/regulatory compliance may be retained for the minimum period required
11. Governing Law
This DPA is governed by the laws of the Republic of Singapore. The dispute resolution provisions in the Terms of Service apply to this DPA.