How USEKASE Pte. Ltd. processes Customer Personal Data when operating the BOS platform on Your behalf.
This Data Processing Addendum ("DPA") is entered into by and between USEKASE Pte. Ltd. ("Company" or "Processor") and the entity subscribing to the BOS platform ("Customer" or "Controller").
This DPA supplements the Terms of Service ("Agreement") entered into between the parties. In the event of any conflict between the Agreement and this DPA, the terms of this DPA shall prevail with respect to its subject matter.
"Applicable Data Protection Law" means all regional and global laws relating to data protection and privacy applicable to the processing of Personal Data under this DPA, including Singapore's Personal Data Protection Act 2012 ("PDPA"), the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and any applicable US state privacy frameworks.
"Customer Personal Data" means the Personal Data contained within the Customer Data submitted to or generated within BOS by Customer or its Users in the course of operating its business.
"Data Controller" (or "Controller") means the entity that determines the purposes and means of the processing of Personal Data (the Customer).
"Data Processor" (or "Processor") means the entity that processes Personal Data on behalf of the Data Controller (the Company).
"Security Incident" means any confirmed accidental, unauthorized, or unlawful acquisition, destruction, loss, alteration, disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed by Processor.
2.1 Roles. The parties acknowledge and agree that with respect to the processing of Customer Personal Data within the BOS environment:
2.2 Duration and Subject Matter. The subject matter, nature, and purpose of the processing under this DPA are strictly bounded by the functional deployment of the BOS platform for the duration of the underlying Agreement. The specific details of the data subjects, categories, and processing activities are detailed in Schedule A of this Addendum.
3.1 Documented Instructions. Processor shall process Customer Personal Data only in accordance with Customer's documented instructions, which include the settings configured inside the BOS console, the parameters established within automated AI workflows, and the text of the Agreement and this DPA.
3.2 Compliance with Laws. Processor shall immediately inform Customer if, in its reasonable opinion, an instruction from Customer infringes Applicable Data Protection Law. Processor shall not be liable for delays arising from its refusal to execute an instruction it reasonably believes to be non-compliant.
4.1 Security Commitments. Processor shall implement and maintain appropriate technical, administrative, and physical security measures designed to protect Customer Personal Data against a Security Incident. These measures include, but are not limited to:
4.2 Confidentiality of Personnel. Processor ensures that any personnel authorized to process Customer Personal Data are under strict, binding statutory or contractual obligations of confidentiality.
5.1 Authorization for Sub-Processors. Customer grants a general written authorization to Processor to engage third-party infrastructure sub-processors (such as cloud hosting environments, database clusters, and API-driven AI foundation model endpoints) to facilitate the Service.
5.2 List of Active Sub-Processors. Processor shall maintain an up-to-date public or console-accessible list of its current sub-processors.
5.3 Notification of Changes. Processor shall notify Customer of any intended appointment or replacement of a sub-processor at least fourteen (14) days before the sub-processor is engaged (electronic notifications or administrative system banners shall suffice). Customer may object to such changes in writing on reasonable privacy or compliance grounds within ten (10) days of notification. If Customer objects, Processor may either work with Customer to find an alternative configuration or terminate the Agreement without penalty.
5.4 Sub-Processor Liability. Processor shall impose data protection obligations upon any sub-processor it engages that are no less restrictive than those set out in this DPA. Processor remains fully liable to Customer for the performance of the sub-processor's obligations.
6.1 No Foundational Training. Processor shall not use Customer Personal Data to train, tune, validate, or index any public or shared multi-tenant foundation model.
6.2 Downstream AI Sub-Processors. Processor shall contractually bind any downstream third-party AI model provider or API infrastructure endpoint to a zero-data-retention (ZDR) arrangement or equally strict boundaries, so that Customer Personal Data is neither retained by nor incorporated into external models.
7.1 Data Subject Requests. Taking into account the native architecture of the Service, Processor shall provide Customer with administrative tools inside the BOS interface to allow Customer to directly access, rectify, restrict, or delete Customer Personal Data.
7.2 Processor Assistance. If a Data Subject makes a statutory request (such as a GDPR Subject Access Request or a PDPA Access/Correction Request) directly to Processor, Processor shall promptly forward such request to Customer. Processor shall not respond directly to the Data Subject unless legally mandated to do so.
8.1 Incident Notification. In the event of a confirmed Security Incident affecting Customer Personal Data, Processor shall notify Customer via the administrative email on file without undue delay, and in any event within seventy-two (72) hours of confirming the breach.
8.2 Content of Notification. To the extent available, the notification shall describe the nature of the Security Incident, the categories and approximate number of data records affected, the anticipated operational consequences, and any corrective or mitigative actions implemented.
9.1 Audit Rights. Upon reasonable written request and no more than once per calendar year, Processor shall provide Customer with summaries of its latest security audits, penetration test reports, or independent certifications (such as SOC 2 documentation) to demonstrate compliance with this DPA.
9.2 On-Site Restrictions. In-person or on-site inspections of physical data centers are available only as permitted by the facilities' cloud hosting vendors (e.g., AWS, Google Cloud) under their standard audit policies. Customer agrees that independent third-party certifications provided by Processor satisfy its verification rights under Applicable Data Protection Law.
10.1 Cross-Border Protections. To the extent that Customer Personal Data originating in the European Economic Area (EEA), United Kingdom, or Singapore is transferred to a country that has not received an adequacy decision from the relevant regulatory authorities, the parties agree to rely upon approved transfer mechanisms.
10.2 Standard Contractual Clauses (SCCs). Where the processing of data falls within European Union jurisdiction, the Standard Contractual Clauses (SCCs) approved by the European Commission (Module Two: Controller-to-Processor) are hereby incorporated by reference into this DPA. For the purposes of the descriptions in the SCCs, USEKASE Pte. Ltd. acts as the data importer and the Customer acts as the data exporter.
11.1 Deletion Window. Upon termination or expiration of the Agreement, Processor shall, at the choice of Customer, delete or return all Customer Personal Data within its possession in accordance with the timelines established in the Terms of Service (30-day Export Window, followed by an operational 60-day structural wipe cycle).
11.2 Statutory Exceptions. Processor may retain administrative log files, financial metadata, or specific encrypted system backups to the extent required by applicable statutory record-keeping frameworks, provided such data remains protected under the security obligations of this DPA until permanently purged.
Schedule A. Data Subjects: Employees, contractors, administrative users, clients, suppliers, and business partners of the Customer whose personal data is processed within the modules and workflows of the BOS environment.
Schedule A. Processing Activities: Hosting, structuring, executing algorithmic logic, routing communications, and orchestrating artificial intelligence modules to optimize, run, and automate the overarching business operations of the Customer.
IN WITNESS WHEREOF, the parties have caused this Data Processing Addendum to be executed as an integral, binding component of their primary commercial arrangement.