This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Pulspective (together, the “parties”) and governs the processing of personal data by Pulspective on behalf of the Customer in connection with the Pulspective platform (the “Service”).
By subscribing to the Service, the Customer agrees to the terms of this DPA. This DPA supplements and is subject to the Terms of Service.
1. Definitions
- “Controller” — the Customer (the healthcare organisation), who determines the purposes and means of processing personal data
- “Processor” — Pulspective, who processes personal data on behalf of the Controller
- “Sub-processor” — any third party engaged by Pulspective to process personal data in connection with the Service
- “Personal Data” — any data about an individual who can be identified from that data, as defined in the PDPA
- “Processing” — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
- “PDPA” — Singapore's Personal Data Protection Act 2012 and its subsidiary legislation, as amended from time to time
2. Subject Matter of Processing
Pulspective processes Personal Data on behalf of the Customer solely for the purpose of providing the Service, which includes:
- Enrolling nurse devices to ward groups via QR invite codes
- Receiving and storing anonymous check-in responses and concern submissions
- Generating aggregated ward-level wellbeing analytics
- Facilitating manager authentication and platform access
- Delivering communications from managers to nurse devices
3. Duration of Processing
Processing shall commence on the date the Customer first accesses the Service and shall continue until the earlier of: (a) the termination or expiry of the subscription; or (b) the Controller's written instruction to cease processing.
4. Categories of Personal Data and Data Subjects
Data subjects
- Nursing staff employed or engaged by the Customer (“Nurses”) — data is pseudonymous/device-linked
- Managers and administrators of the Customer who access the management portal
Categories of personal data
- Nurse data: device UUID (pseudonymous identifier), ward group association, timestamped check-in responses (wellbeing scores, concern text, compliments), device enrolment timestamp
- Manager data: email address, organisation name, authentication session tokens, activity logs
Special categories
Check-in data may contain information relating to mental health or workplace stress. While this data is submitted anonymously and is never linked to an identified individual, the Customer should treat aggregated ward-level reports with appropriate sensitivity and restrict access to authorised personnel only.
5. Controller Obligations
The Customer, as Controller, shall:
- Ensure there is a valid legal basis for processing Personal Data under the PDPA, including providing appropriate notice to nursing staff about the platform and obtaining any required consent
- Ensure that its instructions to Pulspective comply with applicable law
- Not instruct Pulspective to process Personal Data in a manner that would cause Pulspective to breach applicable law
- Not use the Service or its outputs to identify or take adverse action against individual nurses
6. Processor Obligations
Pulspective, as Processor, shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law
- Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 8)
- Assist the Controller in responding to data subject access requests, corrections, and erasure requests within 30 days
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach (see Section 9)
- Delete or return all Personal Data to the Controller upon termination of the Service, as described in Section 11
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits
7. Sub-processors
The Customer grants Pulspective general written authorisation to engage the following sub-processor:
- Supabase Inc. (United States) — database infrastructure, authentication, and storage services. Supabase processes data under a Data Processing Agreement with Pulspective and is SOC 2 Type II certified.
Pulspective will notify the Customer of any intended changes to sub-processors (additions or replacements) with at least 14 days' prior notice. The Customer may object to a new sub-processor on reasonable grounds within that period by notifying privacy@pulspective.com.
Pulspective shall impose data protection obligations on all sub-processors equivalent to those in this DPA and shall remain liable for the acts and omissions of its sub-processors.
8. Security Measures
Pulspective implements and maintains the following security measures:
- Encryption of all Personal Data in transit using TLS 1.2 or higher
- Encryption of all Personal Data at rest using AES-256
- Manager authentication via single-use magic links (no passwords stored)
- Database-level Row Level Security (RLS) policies limiting data access to the relevant organisation
- Access to production systems restricted to authorised Pulspective personnel
- Logical separation of nurse device data from check-in response data (Decoupled Authentication architecture)
Pulspective will regularly review and, where appropriate, update these security measures to account for technical advances and the risks associated with processing.
9. Personal Data Breach Notification
In the event of a Personal Data breach affecting Customer data, Pulspective will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include, to the extent known at the time:
- A description of the nature of the breach and the categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
The Controller remains responsible for notifying the Personal Data Protection Commission (PDPC) and affected individuals in accordance with the PDPA's Notification Obligation, which requires mandatory notification within 3 business days where the breach is likely to result in significant harm.
10. International Data Transfers
Personal Data may be transferred to and stored in the United States by Supabase Inc. Pulspective ensures that such transfers are made on the basis of adequate contractual safeguards (including data processing agreements with Supabase) that provide a standard of protection comparable to the PDPA.
11. Data Return and Deletion
Upon termination or expiry of the subscription, Pulspective will, at the Controller's choice:
- Make all Customer Personal Data available for export in a machine-readable format for a period of 30 days following termination; and/or
- Permanently delete all Customer Personal Data (including copies held by sub-processors) within 30 days of termination or the Controller's written request, whichever is sooner
Pulspective may retain Personal Data beyond this period only to the extent required by applicable law, in which case Pulspective will inform the Controller of the legal basis and the data to be retained.
12. Governing Law
This DPA is governed by the laws of Singapore. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Singapore.
13. Contact
For data protection enquiries or to exercise rights under this DPA: privacy@pulspective.com
For Hospital and Health System customers requiring a countersigned DPA for procurement purposes, please contact us at legal@pulspective.com.