Data Processing Agreement
Last updated on 26 November 2025
This Zealys Data Processing Agreement (“DPA”) is incorporated into and forms part of our Terms of Service between you and us (the “Agreement”).
This DPA reflects the parties’ agreement with respect to Customer Personal Data which is processed on your behalf by us as a Data Intermediary or our sub-intermediaries as part of providing the Services.
In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency.
The duration of this DPA will follow the duration of the Agreement.
1. DEFINITIONS
1.1 In this Agreement, unless the context otherwise requires, the following terms shall have the meanings assigned to them below. Terms not otherwise defined in this DPA will bear the meanings as set forth in the Agreement.
1.1.1 “Customer Personal Data” means Personal Data which you disclose to us, or which we process on your behalf, including but not limited to:
(a) Identity and contact information (name, NRIC/FIN, passport, DOB, address, phone, email)
(b) Employment and compensation data (job title, department, salary, bank details, CPF)
(c) Benefits, leave, and attendance records
(d) Performance, training, and disciplinary records
(e) Medical information (where required for leave or benefits administration)
(f) Dependent, beneficiary, and emergency contact information
(g) Biometric data (if applicable for attendance systems)
(h) Any other Personal Data uploaded by the Customer to the platform
1.1.2 “Data Subject” means an individual, whether living or deceased, to whom Personal Data relates.
1.1.3 “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which may apply to you, including but not limited to the PDPA.
1.1.4 “PDPA” means the Singapore Personal Data Protection Act 2012, including all subsidiary legislation, amendments and regulations; and
1.1.5 “Personal Data” means data, whether true or not, about an individual who can be identified:
(a) from that data alone; or
(b) from that data and other information which either party possesses or is likely to have access to.
2. HANDLING AND PROTECTION OF PERSONAL DATA
Compliance with Data Protection Laws
2.1 We shall comply with all of our obligations under the PDPA as a Singapore-incorporated data intermediary at our own cost.
2.2 You shall comply with all of your obligations under Data Protection Laws at your own cost.
Confidentiality
2.3 Without prejudice to any existing contractual arrangements between us, we shall treat all Customer Personal Data as confidential and shall inform all our employees, agents and/or approved sub-intermediaries engaged in processing Customer Personal Data of its confidential nature. We shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
Data Anonymisation
2.4 We may create anonymised, aggregated statistical data derived from the use of the Services, for purposes including but not limited to business intelligence, product improvement, and benchmarking.
3. YOUR RESPONSIBILITIES
Compliance with Laws
3.1 Within the scope of the Agreement and your use of the Services, you will be responsible for complying with all requirements that apply to you under Data Protection Laws with respect to the Customer Personal Data. In particular, but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for:
(a) the accuracy, quality, and legality of Personal Data and the means by which you acquired such Personal Data;
(b) complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of Personal Data, including but not limited to providing adequate notices and obtaining any necessary consents and authorisations;
(c) ensuring you have the right to transfer, or provide access to, the Personal Data to us for processing in accordance with the terms of the Agreement (including this DPA);
(d) responding to Data Subject requests to access, correct, or delete their Personal Data;
(e) complying with all laws applicable to any content created, generated or managed through our Services; and
(f) ensuring that your use of Customer Personal Data complies with Data Protection Laws and is strictly limited to the purposes set out in the Agreement (including this DPA).
3.2 You will inform us without undue delay if you are not able to comply with your responsibilities under this ‘Compliance with Laws’ section or Data Protection Laws.
4. OUR RESPONSIBILITIES
Process, Use and Disclosure
4.1 We shall only process, use or disclose Customer Personal Data:
(a) strictly for the purposes of fulfilling our obligations and providing the Services required under this Agreement;
(b) with your prior written consent; or
(c) when required by law or an order of court, but we shall notify you as soon as practicable before complying with such law or order of court.
Access to Customer Personal Data
4.2 We shall provide you access to the Customer Personal Data through the Services and the Zealys Software.
Accuracy and Correction of Personal Data
4.3 The Services provide you with a number of controls that you can use to retrieve, correct, delete or otherwise modify Customer Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under Data Protection Laws (“Data Subject Requests”).
(a) As the Customer Personal Data we process is entirely controlled by you, it is your responsibility to ensure the Customer Personal Data is accurate and complete, except in the event of errors or glitches in the Services or the Zealys Software, in which case, we shall take steps to correct any errors or glitches as soon as practicable upon your written notification.
(b) To the extent that you are unable to independently address a Data Subject Request through the Services, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the processing of Personal Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance, and we will notify you of these costs in advance.
(c) If a Data Subject Request or other communication regarding the processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
Security Measures
4.4 We shall only permit authorised personnel to access your Personal Data on a need-to-know basis. Further, we shall protect your Personal Data in our control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent:
(a) unauthorised or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of your Personal Data, or other similar risks; and
(b) the loss of any storage medium or device on which Personal Data is stored.
You are responsible for independently determining whether our Security Practices adequately meet your obligations under Data Protection Laws. You are also responsible for your secure use of the Services, including protecting the security of Personal Data in transit to and from the Services (including to securely back up or encrypt such data).
Retention of Personal Data
4.5 We shall not retain Customer Personal Data (or any documents or records containing Customer Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this Agreement. At the end of this Agreement, we shall delete all Customer Personal Data in our possession within one (1) year from the date of expiry or termination unless applicable laws require retention. Where applicable, we shall also instruct all sub-intermediaries to whom we may have disclosed Customer Personal Data for the purposes of this Agreement to delete such Customer Personal Data.
Notification of Breach
4.6 We shall notify you as soon as practicable when we become aware of a breach of Customer Personal Data and provide reasonable information in our possession to assist you to meet your obligations to report a Personal Data breach as required under Data Protection Laws. We may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by us.
Sub-Intermediaries
4.7 You agree we may engage sub-intermediaries to assist in fulfilling our obligations with respect to the processing of Customer Personal Data under the Agreement, including but not limited to hosting, infrastructure, product feature support, product feature integrations, maintenance service and customer support. By agreeing to this DPA, you agree our sub-intermediaries may have access to Customer Personal Data. Our sub-intermediaries may change from time to time, may include third parties but will exclude any of our employees or consultants. Please refer to our Security Practices for more information on our current sub-intermediaries. We shall be liable for any breaches by our sub-intermediaries in accordance with the terms of this DPA.
Data Transfers
4.8 You acknowledge and agree that we shall be entitled to process Customer Personal Data, including by using sub-intermediaries, in accordance with this DPA and the PDPA, outside the country in which either party may be located. Such data transfers shall be on a basis as necessary to provide the Services in accordance with the Agreement, including but not limited to transfer of Customer Personal Data to other jurisdictions where our sub-intermediaries have operations. Wherever Customer Personal Data is transferred outside of Singapore, each party will ensure such transfers are made in compliance with the requirements of the PDPA.
Compliance Audit
4.9 Where required by applicable Data Protection Laws, we will allow for and contribute to audits reasonably necessary to assess compliance with this DPA, including inspections conducted by your auditor at your own cost. You acknowledge and agree that you may exercise your audit rights under this DPA by instructing us at least sixty (60) days in advance to comply with the audit measures described in this ‘Compliance Audit’ section, unless shorter notice is otherwise required by law or regulation.
4.10 You acknowledge that the Services are hosted by our hosting sub-intermediary, which maintains independently validated security programs, including SOC and ISO 27001.
5. GENERAL PROVISIONS
Governing Law
5.1 This DPA will be governed by and construed in accordance with the laws of Singapore, without regard to its conflicts of laws principles. All disputes, controversies or differences arising out of or in connection with this contract, including any question regarding its existence, validity or termination, shall, before or after the commencement of any other proceedings, be first referred to mediation in Singapore at the Singapore International Mediation Centre in accordance with its Mediation Rules for the time being in force, without prejudice to any recourse to apply to any tribunal or court of law of competent jurisdiction for any form of interim relief.
Indemnity
5.2 Each party shall indemnify the other party and its officers, employees and agents, against all actions, claims, demands, losses, damages, statutory penalties, expenses and costs (including legal costs on an indemnity basis), in respect of its breach of obligations under this DPA. Each party shall promptly notify the other party of any claim for which indemnification may be sought and shall cooperate in the defence of such claim.
Limitation of Liability
5.3 Our total aggregate liability arising out of or in connection with this DPA, whether in contract, tort, indemnity, or otherwise, shall not exceed the total fees paid by you to us in the twelve (12) months preceding the event giving rise to the claim.
5.4 We shall not be liable for any indirect, incidental, consequential, special, or punitive damages, loss of profits, loss of business, or loss of data, except to the extent such exclusion is prohibited by applicable law.
Authorisation
5.5 The legal entity agreeing to this DPA as the customer represents that it is authorised to agree to and enter into this DPA for and on behalf of itself only. No other affiliates, partners or persons with vested business interests are party to this DPA.
Severability
5.6 If any individual provision of this DPA is determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Amendments
5.7 Notwithstanding anything else to the contrary in the Agreement and without prejudice to any provision under this DPA, we reserve the right to make any updates and changes to this DPA.