
Data Processing Agreement

This agreement governs how Pulspective processes personal data on your organisation's behalf, in compliance with Singapore's PDPA.

Last updated: 23 May 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Pulspective (together, the “parties”) and governs the processing of personal data by Pulspective on behalf of the Customer in connection with the Pulspective platform (the “Service”).

By subscribing to the Service, the Customer agrees to the terms of this DPA. This DPA supplements and is subject to the Terms of Service.

1. Definitions

  • “Controller”: the Customer (the organisation), who determines the purposes and means of processing personal data
  • “Processor”: Pulspective, who processes personal data on behalf of the Controller
  • “Sub-processor”: any third party engaged by Pulspective to process personal data in connection with the Service
  • “Personal Data”: any data about an individual who can be identified from that data, as defined in the PDPA
  • “Processing”: any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
  • “PDPA”: Singapore's Personal Data Protection Act 2012 and its subsidiary legislation, as amended from time to time

2. Subject Matter of Processing

Pulspective processes Personal Data on behalf of the Customer solely for the purpose of providing the Service, which includes:

  • Enrolling shift workers to team groups via invite links and authenticating their accounts
  • Receiving and storing check-in responses, concern submissions, and compliment messages
  • Generating aggregated team-level wellbeing analytics for managers
  • Facilitating manager authentication and platform access
  • Delivering broadcast communications from managers to team members
  • Facilitating in-app messaging between members and managers in connection with concern reports

3. Duration of Processing

Processing shall commence on the date the Customer first accesses the Service and shall continue until the earlier of: (a) the termination or expiry of the subscription; or (b) the Controller's written instruction to cease processing.

4. Categories of Personal Data and Data Subjects

Data subjects

  • Shift workers employed or engaged by the Customer (“Members”), who access the platform via authenticated accounts
  • Managers and administrators of the Customer who access the management portal

Categories of personal data

  • Member data: email address, display name, profile photo (optional), group assignment, employment status, timestamped check-in responses (wellbeing scores, free-text offload entries, rotating question answers), concern submissions (category, urgency, title, description, messages), compliment messages, push notification tokens, and last active timestamp
  • Manager data: email address, display name, organisation name, role, authentication session tokens, and activity logs

Sensitive data

Check-in data and concern submissions may contain information relating to mental health, workplace stress, or interpersonal matters. The Customer should treat access to this data with appropriate sensitivity and restrict access to authorised personnel only. Pulspective limits manager access to aggregated team-level analytics and does not surface individual member responses through the platform interface.

5. Controller Obligations

The Customer, as Controller, shall:

  • Ensure there is a valid legal basis for processing Personal Data under the PDPA, including providing appropriate notice to shift workers about the platform and obtaining any required consent
  • Ensure that its instructions to Pulspective comply with applicable law
  • Not instruct Pulspective to process Personal Data in a manner that would cause Pulspective to breach applicable law
  • Not use the Service or its outputs to identify individual members for the purpose of taking adverse employment action

6. Processor Obligations

Pulspective, as Processor, shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law
  • Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 8)
  • Assist the Controller in responding to data subject access requests, corrections, and erasure requests within 30 days
  • Notify the Controller without undue delay upon becoming aware of a Personal Data breach (see Section 9)
  • Delete or return all Personal Data to the Controller upon termination of the Service, as described in Section 11
  • Make available all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits

7. Sub-processors

The Customer grants Pulspective general written authorisation to engage the following sub-processors:

  • Supabase Inc. (United States): database infrastructure, authentication, and storage services. Supabase processes data under a Data Processing Agreement with Pulspective and is SOC 2 Type II certified.
  • Resend Inc. (United States): transactional email delivery for authentication and notification emails. Processes manager email addresses only at the point of delivery.
  • Getstream Inc. (United States): in-app messaging infrastructure for concern-related conversations between members and managers. Processes user identifiers and message content.
  • Vercel Inc. (United States): application hosting and content delivery. May process IP addresses and request metadata in connection with serving the platform.

Pulspective will notify the Customer of any intended changes to sub-processors (additions or replacements) with at least 14 days' prior notice. The Customer may object to a new sub-processor on reasonable grounds within that period by notifying privacy@pulspective.com.

Pulspective shall impose data protection obligations on all sub-processors equivalent to those in this DPA and shall remain liable for the acts and omissions of its sub-processors.

8. Security Measures

Pulspective implements and maintains the following security measures:

  • Encryption of all Personal Data in transit using TLS 1.2 or higher
  • Encryption of all Personal Data at rest using AES-256
  • Manager authentication via single-use magic links (no passwords stored)
  • Database-level Row Level Security (RLS) policies limiting data access to the relevant organisation
  • Manager dashboard restricted to aggregated team-level analytics only; individual member responses are not surfaced through the platform interface
  • Access to production systems restricted to authorised Pulspective personnel

Pulspective will regularly review and, where appropriate, update these security measures to account for technical advances and the risks associated with processing.

9. Personal Data Breach Notification

In the event of a Personal Data breach affecting Customer data, Pulspective will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include, to the extent known at the time:

  • A description of the nature of the breach and the categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

The Controller remains responsible for notifying the Personal Data Protection Commission (PDPC) and affected individuals in accordance with the PDPA's Notification Obligation, which requires mandatory notification within 3 business days where the breach is likely to result in significant harm.

10. International Data Transfers

Personal Data may be transferred to and stored in the United States by our sub-processors. Pulspective ensures that such transfers are made on the basis of adequate contractual safeguards (including data processing agreements with each sub-processor) that provide a standard of protection comparable to the PDPA.

11. Data Return and Deletion

Upon termination or expiry of the subscription, Pulspective will, at the Controller's choice:

  • Make all Customer Personal Data available for export in a machine-readable format for a period of 30 days following termination; and/or
  • Permanently delete all Customer Personal Data (including copies held by sub-processors) within 30 days of termination or the Controller's written request, whichever is sooner

Pulspective may retain Personal Data beyond this period only to the extent required by applicable law, in which case Pulspective will inform the Controller of the legal basis and the data to be retained.

12. Governing Law

This DPA is governed by the laws of Singapore. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Singapore.

13. Contact

For data protection enquiries or to exercise rights under this DPA: privacy@pulspective.com

For organisations requiring a countersigned DPA for procurement purposes, please contact us at legal@pulspective.com.
