This Data Processing Agreement ("DPA") is entered into between Veritos Pte. Ltd. ("Processor") and the customer entity that has agreed to the Veritos Terms of Service ("Controller"). This DPA governs the processing of personal data by Veritos on behalf of the Controller in connection with the Veritos platform.
In this DPA:
Veritos shall process personal data only on documented instructions from the Controller, as set out in the Terms of Service and this DPA, unless required to do so by applicable law. Veritos shall inform the Controller if it believes any instruction infringes applicable data protection law.
Veritos shall ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations and have received adequate data protection training.
Veritos shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
The Controller authorises Veritos to engage sub-processors to assist in providing the Service. Veritos shall ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA. Veritos will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
Current sub-processors include Supabase (database infrastructure) and Stripe (payment processing). An up-to-date list is available on request.
Veritos shall assist the Controller in fulfilling its obligations to respond to data subject requests under the PDPA, including requests for access, correction, and withdrawal of consent, taking into account the nature of the processing.
Veritos shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data. The notification shall include, to the extent available, the nature of the breach, the categories and approximate number of individuals affected, and the measures taken or proposed to address the breach.
Upon termination of the Service, Veritos shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless applicable law requires retention of the data.
Veritos shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or a mandated auditor, subject to reasonable notice and confidentiality obligations.
This DPA is governed by the laws of Singapore. Any disputes shall be subject to the exclusive jurisdiction of the courts of Singapore.
For questions about this DPA or to request a signed copy, contact us at legal@veritos.io.