Data Processing Agreement

Effective Date: January 30, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MatterGuard and the Client. It governs the processing of personal data by MatterGuard on behalf of the Client.

1. Definitions

  • "Controller" means the Client, who determines the purposes and means of processing personal data.
  • "Processor" means MatterGuard Pte. Ltd., who processes personal data on behalf of the Controller.
  • "Personal Data" means any data relating to an identified or identifiable individual processed through the Service.
  • "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
  • "Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Breach" means any unauthorized access, disclosure, or loss of personal data.

2. Scope and Purpose

This DPA applies to all processing of personal data by the Processor on behalf of the Controller in connection with the MatterGuard Service. The Processor shall process personal data only:

  • For the purpose of providing the Service as described in the Terms of Service
  • In accordance with the Controller's documented instructions
  • In compliance with applicable data protection laws, including the PDPA

3. Categories of Data Processed

Category | Data Types
Client Identification | Names, addresses, identification numbers, nationality, date of birth
Contact Information | Email addresses, phone numbers, business addresses
Identity Documents | Passport copies, NRIC copies, proof of address documents
Corporate Information | Company registration details, beneficial ownership structures, director information
Risk Assessment Data | Screening results, risk ratings, due diligence notes

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Notify the Controller without undue delay upon becoming aware of a Data Breach
  • Delete or return all personal data upon termination of the Service
  • Make available all information necessary to demonstrate compliance with this DPA

5. Security Measures

The Processor implements the following security measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Control: Role-based access, multi-factor authentication
  • Audit Logging: Comprehensive logging of all data access and modifications
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Physical Security: Data centers with ISO 27001 certification
  • Backup: Regular encrypted backups with tested recovery procedures

6. Subprocessors

The Controller authorizes the Processor to engage subprocessors to assist in providing the Service. The Processor shall:

  • Maintain a list of current subprocessors (available at /legal/subprocessors)
  • Notify the Controller of any intended changes to subprocessors
  • Ensure subprocessors are bound by data protection obligations no less protective than those in this DPA
  • Remain liable for the acts and omissions of its subprocessors

7. Data Breach Notification

In the event of a Data Breach, the Processor shall:

  • Notify the Controller within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories of data affected, and approximate number of data subjects affected
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach
  • Cooperate with the Controller in investigating and remediating the breach

8. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, including:

  • Access to personal data
  • Correction of inaccurate data
  • Deletion of personal data
  • Data portability
  • Withdrawal of consent

9. Data Retention and Deletion

Upon termination of the Service or upon the Controller's request:

  • The Processor shall return or delete all personal data within 30 days
  • The Controller may request a copy of all data in a portable format before deletion
  • The Processor may retain data required by law, with appropriate safeguards
  • Deletion shall be performed using secure methods that prevent recovery

10. Audit Rights

The Controller may:

  • Request information necessary to demonstrate compliance with this DPA
  • Conduct audits, including inspections, with reasonable notice
  • Engage a third-party auditor (subject to confidentiality obligations)

The Processor shall make available SOC 2 Type II reports and other relevant certifications upon request.

11. International Transfers

Where personal data is transferred outside Singapore, the Processor shall ensure:

  • The recipient country provides comparable data protection standards
  • Appropriate safeguards are in place (e.g., standard contractual clauses)
  • Compliance with PDPA transfer requirements

12. Liability

Each party shall be liable for damages caused by processing that infringes applicable data protection laws. The Processor shall be liable for damages caused by processing that does not comply with this DPA or the Controller's lawful instructions.

13. Contact Information

MatterGuard Pte. Ltd.

1 Raffles Place, #20-61, Tower 2, Singapore 048616

Legal Inquiries: [email protected]

Data Protection Officer: [email protected]

© 2026 MatterGuard Pte. Ltd. All rights reserved.

Document Version: 1.0 | Last Updated: January 30, 2026