Data Processing Addendum

Last updated: January 31, 2026

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Simpler Terms of Service ("Agreement") between Simpler AI Pte. Ltd. ("Simpler", "we", "us") and you ("Customer", "you"). By accepting the Agreement, you also accept this DPA.

1. Definitions

"Customer Data"

Personal data that Customer submits to the Services for processing on Customer's behalf, including data of Customer's end users and contacts.

"Data Controller"

The entity that determines the purposes and means of processing personal data. For Customer Data, the Customer is the Data Controller.

"Data Intermediary" (also "Data Processor")

An organisation that processes personal data on behalf of another organisation pursuant to a contract. For Customer Data, Simpler is the Data Intermediary.

"Personal Data"

Data about an individual who can be identified from that data, or from that data combined with other information to which the organisation has or is likely to have access.

"PDPA"

The Personal Data Protection Act 2012 of Singapore, as amended from time to time.

"Services"

The Simpler platform and related services as described in the Agreement.

"Sub-processor"

A third party engaged by Simpler to process Customer Data on behalf of Customer.

2. Scope and Roles

2.1 Applicability

This DPA applies to Simpler's processing of Customer Data in connection with the Services. It does not apply to data that Simpler collects directly from Customers for account management purposes (governed by our Privacy Policy).

2.2 Roles of the Parties

Customer as Data Controller: You determine the purposes and means of processing Customer Data. You are responsible for the lawfulness of the personal data you submit to the Services.
Simpler as Data Intermediary: We process Customer Data solely on your behalf and in accordance with your documented instructions as set out in this DPA and the Agreement.

3. Customer Obligations

As the Data Controller, you are responsible for:

Ensuring you have all necessary consents, permissions, and legal bases to collect and process the personal data you submit to the Services;
Providing all required privacy notices to your end users informing them that their data may be processed by service providers;
Responding to data subject requests (access, correction, deletion) from your end users;
Ensuring your use of the Services complies with all applicable data protection laws;
Not submitting sensitive personal data (health, financial, biometric) unless expressly permitted under your subscription plan.

4. Simpler's Obligations

As your Data Intermediary, Simpler will:

4.1 Processing Instructions

Process Customer Data only in accordance with your documented instructions as set out in this DPA and the Agreement;
Not process Customer Data for any purpose other than providing the Services;
Not sell, share, or use Customer Data for our own commercial purposes;
Inform you if we believe an instruction violates applicable data protection laws.

4.2 Confidentiality

Ensure that persons authorised to process Customer Data have committed to confidentiality obligations;
Limit access to Customer Data to personnel who need access to perform the Services.

4.3 Security Measures

We implement appropriate technical and organisational measures to protect Customer Data, including:

Encryption at rest: AES-256 encryption for stored data
Encryption in transit: TLS 1.2 or higher for data transmission
Access controls: Role-based access, multi-factor authentication for administrative access
Infrastructure security: Hosted on Cloudflare's globally distributed infrastructure with SOC 2 Type II certification
Regular security reviews: Periodic vulnerability assessments and security updates

4.4 Sub-processors

You provide general authorisation for us to engage Sub-processors to process Customer Data;
Our current Sub-processors are listed at simpler.asia/sub-processors;
We will provide at least 15 days' notice before engaging a new Sub-processor by updating our Sub-processors page;
If you object to a new Sub-processor, you may terminate the affected Services within 30 days of our notice;
We ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA.

4.5 Data Subject Requests

If we receive a request from an individual regarding Customer Data, we will redirect the individual to you unless prohibited by law;
We will provide reasonable assistance to help you respond to data subject requests, to the extent permitted by our systems.

4.6 Data Breach Notification

We will notify you without undue delay, and in any event within 24 hours, upon becoming aware of a personal data breach affecting Customer Data;
Our notification will include: nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address the breach;
We will cooperate with you and provide reasonable assistance in your compliance with breach notification obligations under the PDPA.

5. International Data Transfers

Customer Data may be transferred to and processed in countries outside Singapore by our Sub-processors. We ensure appropriate safeguards for such transfers through:

Contractual data protection obligations with Sub-processors;
Selection of Sub-processors with recognised security certifications (SOC 2, ISO 27001);
Where applicable, reliance on adequacy decisions or other transfer mechanisms recognised under Singapore law.

6. Data Retention and Deletion

6.1 During the Agreement

We retain Customer Data for the duration of the Agreement and as necessary to provide the Services.

6.2 Upon Termination

Upon termination of the Agreement, we will delete Customer Data within 30 days, unless retention is required by law;
You may request a copy of your Customer Data in a portable format before termination;
We may retain anonymised or aggregated data that does not identify individuals.

6.3 Retention Periods for Specific Data Types

CRM contacts and message logs: Deleted upon account termination or as configured by you
Voice call summaries: Deleted upon account termination or as configured by you
SBIN business entities: Deleted upon withdrawal of consent or account termination
Billing records: Retained for 7 years as required by Singapore law

7. Audit and Compliance

Upon reasonable request (no more than once per year), we will provide written responses to reasonable security questionnaires;
We will make available relevant security certifications, audit reports, or attestations upon request;
We will cooperate with regulatory authorities as required by law.

8. Liability

Each party's liability arising from this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability for fraud, gross negligence, or wilful misconduct.

9. Term

This DPA remains in effect for the duration of the Agreement. The obligations in this DPA that by their nature should survive termination (including confidentiality, data deletion, and liability) will survive termination of the Agreement.

10. Governing Law

This DPA is governed by the laws of Singapore. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Agreement.

11. Contact

For questions about this DPA or data protection matters:

Data Protection Officer: dpo@simpler.asia
General inquiries: support@simpler.asia

Related Documents:
Terms of Service | Privacy Policy | Sub-processors