Data Processing Addendum South East Asia
Version October 2025
1. General
1.1 The Data Intermediary (Fellow Digitals Pte. Ltd.) processes the personal data only by order and for the benefit of the Organisation (the Customer) during the term of the Addendum. The Data Intermediary will under no circumstances process the personal data for its own purposes, unless statutory obligations dictate otherwise.
1.2 The Data Intermediary notifies the Organisation immediately if the Data Intermediary has reason to believe that the Data Intermediary can no longer comply with the Data Processing Addendum.
1.3 The Organisation provides personal data to the Data Intermediary. An overview of the categories of personal data available to the Data Intermediary is listed in Annex 1. If necessary, the Parties will adjust Annex 1 during the term of the Data Processing Addendum.
1.4 The Data Intermediary processes personal data for the Organisation in accordance with the written instructions and under the express responsibility of the Organisation. The Data Intermediary processes personal data for the Organisation in accordance with the instructions detailed in the DPA.
1.5 The Organisation has control over the processing of the personal data and has defined the purpose of and the means for the processing of the personal data. The control over the processing will never rest with the Data Intermediary. The Parties record in Annex 1 what processing the Data Intermediary will carry out at the Organisation's order.
1.6 If a provision of the laws of Singapore applicable to the Data Intermediary compels it in a manner that derogates from what is agreed in this Data Processing Addendum, the Data Intermediary will notify the Organisation of this statutory provision before the processing, unless this provision prohibits such notification.
1.7 The Organisation guarantees to the Data Intermediary that:
The content, use, and/or processing of personal data are not unlawful and do not infringe on any rights of a third party.
Valid consent has been obtained from individuals whose personal data is being processed, where required under the PDPA.
The Organisation has complied with all notification obligations under the PDPA.
1.8 The Organisation will notify the Data Intermediary of any changes in the laws and regulations underlying the rights and obligations of the Parties in this Data Processing Addendum.
1.9 The Data Intermediary expressly warrants that personal data will only be used for the specific purposes notified to individuals and documented in Annex 1. Any new purpose requires explicit consent from the Organisation and, where required, from the individuals concerned.
2. Security (Protection Obligation)
2.1 The Data Intermediary shall implement and maintain comprehensive technical and organisational security arrangements to protect personal data in its possession or under its control against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, in accordance with the Protection Obligation under the PDPA.
2.2 The security measures of the Data Intermediary will provide an appropriate level of protection, having regard to the state of the art, the costs of implementation, as well as the risks associated with the processing and the nature of the personal data.
2.3 The measures taken on entry into this Data Processing Addendum, as referred to in this article, are listed in Annex 2.
2.4 The Data Intermediary cannot guarantee absolute security but commits to maintaining security measures consistent with industry best practices.
2.5 If the Organisation requests changes to security arrangements, the Parties will consult on implementation, timeline, and any associated costs.
2.6 Accuracy Obligation: The Data Intermediary will implement appropriate measures to ensure that personal data received from the Organisation is preserved and managed accurately, completely, and in a non-misleading manner.
3. Inspections and Audits
3.1 The Organisation is entitled to have an annual inspection, including audits, of the performance of the Data Processing Addendum carried out by an independent expert who is bound to confidentiality.
3.2 The inspection initiated by the Organisation takes place at least two weeks after prior written announcement to the Data Intermediary by the Organisation.
3.3 The Data Intermediary declares to be willing to cooperate in such an inspection and enter into consultations with the Organisation on any recommendations for improvement made by the expert. The obligation to cooperate referred to here does not automatically imply the obligation to follow all recommendations.
3.4 The Organisation cannot have an inspection carried out at other sub-processors. Regarding the part of the security for which sub-processors are responsible, the Data Intermediary can, at the Organisation's request, provide the data security policy and any certificates of sub-processors.
3.5 The inspection referred to in paragraph 3.1 can be onerous for the business operations of the Data Intermediary. The Parties, therefore, agree that these inspections will only take place after the Organisation has requested and assessed the similar inspection reports available at the Data Intermediary and presents reasonable arguments why an inspection initiated by the Organisation is nevertheless justified.
3.6 The Organisation will provide the Data Intermediary with a copy of the report of the inspection immediately on receipt.
3.7 The Parties agree that the Organisation shall bear the costs of an audit, unless the audit reveals major defects that can be attributed to the Data Intermediary. In that case, the parties shall consult on how to share the costs of the audit.
3.8 The Data Intermediary acknowledges the Personal Data Protection Commission's (PDPC) authority to conduct investigations and agrees to:
Cooperate fully with any PDPC investigations,
Provide requested information within PDPC timelines,
Implement PDPC-directed remedial measures,
Maintain records as required for PDPC compliance verification.
4. Data Breach Notification (Data Breach Notification Obligation)
4.1 The Data Intermediary shall notify the Organisation without undue delay and no later than 24 hours after becoming aware of any Personal Data breach affecting data processed on behalf of the Organisation.
4.2 PDPC Notification Responsibilities:
Primary Responsibility: The Organisation bears ultimate responsibility for determining whether notification to the Personal Data Protection Commission (PDPC) is required under the PDPA.
Joint Notification Obligation: Where the Data Intermediary processes Personal Data beyond the Organisation’s documented instructions or where the Data Intermediary determines direct PDPC notification is required, the Data Intermediary shall notify the PDPC directly within 72 hours and simultaneously inform the Organisation.
Coordination Requirement: Both parties shall coordinate to ensure no duplicate notifications occur and that the PDPC receives complete and consistent information.
4.3 The Data Intermediary shall provide full cooperation and all necessary information to enable the Organisation to meet its notification obligations, including:
Detailed circumstances of breach discovery, including timeline,
Root cause analysis and attack vectors (where determinable),
Categories and approximate number of individuals affected with specificity,
Categories and approximate volume of Personal Data records affected,
Risk assessment of likely consequences to affected individuals,
Immediate containment measures implemented,
Proposed remedial actions with timelines,
Contact details for ongoing communication,
Assessment of whether PDPC notification appears necessary.
4.4 The Data Intermediary shall:
Maintain a comprehensive breach register with all required PDPA details,
Cooperate fully with PDPC investigations and provide technical expertise,
Implement agreed remedial measures within specified timeframes,
Conduct thorough post-incident reviews within 30 days,
Preserve forensic evidence (log data) for a minimum of 12 months or until regulatory matters conclude.
4.5 The Data Intermediary shall assist the Organisation in notifying affected individuals when required, including:
Providing accurate contact information for affected individuals,
Technical details of the breach in plain language format,
Recommended protective actions for individuals,
Ongoing monitoring and support resources.
5. Enhanced Data Subject Rights Support (Access, Correction and Other Rights)
5.1 The Data Intermediary shall provide full assistance to enable the Organisation to comply with its obligations regarding individual rights under the PDPA, including but not limited to:
Access Requests (Section 21 PDPA)
10 working days to provide the requested Personal Data to enable the Organisation's 30-day compliance,
Automated data extraction tools where technically feasible,
Comprehensive system mapping showing all locations where an individual's data is processed,
Data lineage information showing data sources and sharing history.
Correction Requests (Section 22 PDPA)
3 working days to implement corrections across all systems,
Real-time propagation to sub-processors and integrated systems,
Verification confirmation that corrections are complete and effective,
Historical audit trail preservation of original and corrected data.
Data Portability Requests (Sections 26C-26E PDPA, where applicable)
5 working days to provide data in a structured, commonly used, machine-readable format,
Direct transfer capabilities to other processors where technically feasible,
Complete metadata and relationship mapping included,
Secure transfer protocols with end-to-end encryption.
Consent Withdrawal
Cease processing immediately upon notification of consent withdrawal,
Assist in identifying all processing activities reliant on the withdrawn consent,
Delete or anonymise data where required.
5.2 The Data Intermediary shall:
Designate a dedicated contact for handling data subject requests,
Maintain procedures for a timely response to requests,
Train relevant staff on handling data subject rights,
Keep records of all assistance provided.
5.3 The Data Intermediary shall not directly respond to data subjects but shall promptly forward any requests received to the Organisation's designated contact within 24 hours.
5.4 Notification Obligation Support: The Data Intermediary shall assist the Organisation in meeting its notification obligations under the PDPA by:
Providing template privacy notices for adaptation by the Organisation,
Supporting just-in-time notification mechanisms where applicable,
Maintaining comprehensive records of what personal data is collected and for what purposes,
Enabling the Organisation to fulfil notification requirements at or before collection,
Providing necessary information for the Organisation's privacy policies.
5.5 The Data Intermediary shall maintain capabilities to support:
Deemed consent scenarios as recognised under the PDPA,
Legitimate interests assessments, where applicable,
Clear identification of legal bases for each processing activity.
6. Engagement of Other Sub-processors
6.1 The Organisation grants the Data Intermediary permission in advance to engage sub-processors to fulfil the obligations under the Addendum, subject to the condition that the Data Intermediary notifies the Organisation of any intended changes regarding the addition or replacement of sub-processors. The Organisation may object to an intended change within 10 working days after the notification. The Organisation will not object on unreasonable grounds. If the Data Intermediary does not accept the Organisation's objection, the Data Intermediary may terminate the Agreement without providing notice.
6.2 The sub-processors engaged by the Data Intermediary to perform the Addendum are listed in Annex 1.
6.3 If the Data Intermediary instructs another sub-processor to perform specific processing activities for the benefit of the Organisation, then the Data Intermediary shall ensure that the same obligations regarding data protection are imposed on the sub-processor as are imposed in the present Data Processing Addendum. The obligations shall be agreed in written form. The Data Intermediary shall provide the Organisation with copies of the Data Processing Agreement (DPA) between the Data Intermediary and sub-processors upon request. However, commercially sensitive information may be deleted from these copies.
6.4 If the sub-processor fails to comply with its obligations regarding data protection, the Data Intermediary remains liable to the Organisation for compliance with the obligations of the sub-processor.
7. Confidentiality
7.1 The Parties will not make the personal data available to anyone other than their own employees and/or third parties that have a legitimate reason for inspection thereof. The Parties guarantee that the persons authorised to process the personal data have undertaken to observe confidentiality or are bound by an appropriate statutory duty of confidentiality.
7.2 If a Data Intermediary receives a request or an order from a Singapore government authority or law enforcement agency in relation to personal data, that Data Intermediary will notify the Organisation accordingly within 14 days, if and as far as permitted by law. The Data Intermediary will take account of all instructions from the Organisation when dealing with the request or order, and the Data Intermediary will also cooperate as fully as is reasonably required with the Organisation.
7.3 If the Data Intermediary is prohibited by law from meeting its obligations under Clause 7.2, the Data Intermediary will nonetheless protect the reasonable interests of the Organisation. This includes, in any event, the following:
The Data Intermediary will assess (i) how far the Data Intermediary is legally obliged to comply with the request or order, and (ii) how far the Data Intermediary is actually prohibited from complying with its obligations towards the Organisation under Clause 7.2.
The Data Intermediary will only cooperate with the request or order if it is legally obliged to do so.
The Data Intermediary will not pass on any more personal data than is strictly necessary to comply with the request or order.
8. Liability
8.1 The liability provisions outlined in Section 1.8 of the General Conditions (Liability) shall apply in their entirety to this Data Processing Agreement, including but not limited to limitations of liability, exclusions, and insurance arrangements detailed therein.
9. Term and Termination
9.1 Document Hierarchy and Commencement
9.1.1 This Data Processing Addendum forms an integral part of the contractual framework consisting of:
The Service Agreement between the Parties (the "Agreement"),
The General Conditions attached to and forming part of the Principal Agreement (the "General Conditions"), and
This Data Processing Addendum (the "DPA").
9.1.2 This Data Processing Addendum shall enter into force simultaneously with the Principal Agreement and General Conditions, regardless of the order of execution or signing by the Parties. The commencement date shall be the date when all three documents become legally binding between the Parties.
9.1.3 The term of this Data Processing Addendum shall be coterminous with and cannot exceed the term of the Principal Agreement as extended or renewed from time to time in accordance with the General Conditions. Any automatic renewal provisions in the Principal Agreement shall apply equally to this Data Processing Addendum.
9.2 Termination Coordination
9.2.1 This Data Processing Addendum shall terminate automatically upon termination of the Principal Agreement, regardless of the reason for such termination (including termination for convenience, material breach, insolvency, or expiry).
9.2.2 This Data Processing Addendum cannot be terminated independently of the Principal Agreement, as the data processing activities governed herein are inherently linked to the SaaS services provided under the Principal Agreement. Any attempt to terminate this Data Processing Addendum separately shall be void and of no effect.
9.2.3 Notwithstanding clause 9.2.2, either Party may terminate this Data Processing Addendum with immediate effect if:
The other Party materially breaches its data protection obligations hereunder and fails to remedy such breach within 10 working days of written notice, or
Continuation of the data processing arrangement would result in a violation of applicable data protection laws. Such termination shall automatically trigger review of the Principal Agreement's viability.
9.3 Survival of Obligations
9.3.1 Upon termination of this Data Processing Addendum for any reason, the following obligations shall survive termination and remain in full force:
Audit and compliance verification rights under Article 3,
Confidentiality obligations under Article 7,
Liability provisions under Article 8,
Data return and disposal obligations under clause 9.4,
Any indemnification obligations that have accrued before termination.
These surviving obligations continue until all personal data has been returned or securely disposed of and all potential claims have been resolved.
9.3.2 The survival period for the obligations specified in clause 9.3.1 shall be five (5) years from the date of termination, or such longer period as may be required by applicable law or ongoing legal proceedings.
9.4 Data Return and Disposal
9.4.1 Within fourteen (14) days of termination of this Data Processing Addendum, the Data Intermediary shall, at the Organisation's written election:
Return all Personal Data to the Organisation in a structured, commonly used, and machine-readable format, or
Securely dispose of all Personal Data in accordance with the Disposal Obligation under Section 25 of the PDPA and provide written certification of such disposal. The Organisation must specify its election within fourteen (14) days of the termination notice.
9.4.2 The Organisation shall bear all reasonable costs associated with data return and/or disposal, including but not limited to data extraction, formatting, transfer, secure destruction, and certification processes. The Data Intermediary shall provide a detailed cost estimate within seven (7) days of the Organisation's election under clause 9.4.1.
9.4.3 The provisions of clause 9.4.1 shall not apply where Singapore law prohibits the return or disposal of Personal Data. In such circumstances, the Data Intermediary shall:
Immediately notify the Organisation in writing of the legal impediment,
Continue to process the Personal Data solely to the extent necessary to comply with such legal obligations,
Implement additional security measures to protect the retained data, and
Provide annual written reports to the Organisation regarding the status of the retained data.
9.5 Technical Limitations and Remedial Measures
9.5.1 If the Data Intermediary is unable to return or dispose of Personal Data for technical reasons, it shall immediately notify the Organisation in writing with a detailed explanation of the technical impediment and proposed remedial timeline. The Data Intermediary shall implement all technically feasible measures to approximate complete data return or disposal and render any remaining Personal Data permanently inaccessible for further processing.
9.5.2 In circumstances described in clause 9.5.1, the Data Intermediary shall provide monthly progress reports to the Organisation and engage qualified third-party technical specialists if internal capabilities prove insufficient. The Data Intermediary shall bear all costs associated with such remedial measures unless the technical limitation arises from the Organisation's system requirements or specifications.
9.6 Relationship with General Conditions
9.6.1 The termination provisions in the General Conditions shall govern procedural aspects of termination (including notice requirements, cure periods, and termination for cause), whilst this Article 9 regulates the specific data protection consequences of termination. In case of any conflict between termination procedures, the more stringent data protection requirements shall prevail.
9.6.2 Any post-termination obligations regarding confidentiality and intellectual property specified in the General Conditions shall operate concurrently with, and not in substitution of, the data protection survival obligations specified in this Article 9. Where there is overlap, the provisions that provide the highest level of data protection shall apply.
10. Enhanced Transfer Limitation Compliance (Transfer Limitation Obligation)
10.1 The Data Intermediary acknowledges that personal data may be transferred from Singapore to locations where the Data Intermediary or its sub-processors operate.
10.2 If the Data Intermediary must provide personal data to any third party based on a legal obligation applicable in European or Singaporean regulations, the Data Intermediary will verify the basis of the request and the identity of the requester. The Data Intermediary will immediately notify the Organisation in this regard before provision, unless the law prohibits this for important reasons of general interest.
11. Costs
11.1 The costs of the processing of data that are inherent to the normal performance of the Agreement are deemed included in the fees already payable under the Agreement.
11.2 Any support or any other additional service provision that the Data Intermediary shall provide under this Data Processing Addendum, or that is requested by the Organisation, including all requests for further information, will be charged to the Organisation at the usual rates.
11.3 The previous provision does not apply if the work relates to a substantial failure of the Data Intermediary under this Data Processing Addendum. The work will, in that event, be carried out free of charge (without prejudice to the Organisation's right to recover the actual damage from the Data Intermediary).
12. Miscellaneous
12.1 This Data Processing Addendum forms an integral part of the General Conditions. All rights and obligations under the General Conditions, including the provisions on liability, therefore also apply to this Data Processing Addendum. In the event of conflict between the provisions of this Data Processing Addendum and the General Conditions regarding the protection of personal data, the provisions of this Data Processing Addendum will prevail.
12.2 In the event of future changes in Singapore laws and regulations on the protection of personal data, the Parties will change this Data Processing Addendum insofar as this is necessary to comply with such new laws and regulations.
12.3 Changes in this Data Processing Addendum are only valid if agreed in writing and accepted by both Parties.
12.4 This Data Processing Addendum shall be governed by the laws of Singapore.
12.5 Accountability and Data Protection Officer: The Data Intermediary maintains:
A designated Data Protection Officer responsible for PDPA compliance,
Comprehensive data protection policies and procedures,
Regular staff training on data protection obligations,
Internal audit programs to ensure ongoing compliance.
12.6 Jurisdiction and Enforcement: The Parties agree that:
The courts of Singapore shall have exclusive jurisdiction over any disputes.
The Data Intermediary recognises and will comply with PDPC enforcement powers.
The Data Intermediary will maintain appropriate local representation for regulatory matters.
Both parties commit to resolving disputes through good-faith negotiations before litigation.
12.7 Conflict of Laws: Where there is any conflict between PDPA requirements and other applicable laws:
PDPA requirements shall take precedence for processing activities within Singapore.
The Parties will work together to achieve compliance with all applicable laws.
The Data Intermediary will notify the Organisation of any compliance conflicts immediately.
ANNEX 1 - ENHANCED PROCESSING SPECIFICATIONS
1. Subject Processing and Types of Personal Data
The processing of personal data relates to the use of the "Intranet" application (a social intranet) and the "LMS" application (an online training platform). Personal data of the user is stored in this application. Ultimately, the users decide for themselves which personal data they make available for processing in the application. The platform's functionality only requires users to provide an email address, first name, and last name. Input of other fields in the user profile can be made mandatory by the Organisation. Administrators can also invite users anonymously in the application.
The processing of personal data depends on what the Organisation includes in the application, but will, in most cases, consist of the processing of:
Name (first name, last name),
Email address,
Job title and department,
Profile information voluntarily provided by users,
Activity logs and usage data within the platform,
Training records and completion status (for LMS),
Content created and shared by users.
2. Legal Bases for Processing
The Data Intermediary acknowledges that processing shall only occur based on valid legal bases under the PDPA:
Consent: Where individuals have given explicit consent for specific purposes,
Contractual Necessity: Where required for employment or service contracts,
Legal Obligation: Where required by Singapore law,
Legitimate Interests: Where applicable and appropriately assessed,
Deemed Consent: In scenarios recognised under the PDPA.
For each processing activity, the specific legal basis is documented and available for compliance verification.
3. Duration and Retention Policy
The Data Intermediary commits to:
Retain personal data only as long as necessary for the stated purposes,
Implement automated retention controls where technically feasible.
Specific retention periods:
System logs: 12 months, unless a longer period is required for security purposes,
Backup data: Maximum 6 weeks.
4. Nature and Purpose
The Data Intermediary performs the following processing of personal data for the Organisation:
Storage, collection and presentation of personal data within the application(s),
Providing related additional services, such as technical support at the request of the Organisation,
System maintenance and security monitoring,
Backup and disaster recovery services.
The purposes for which the personal data will be processed:
Providing collaboration and knowledge-sharing services between users,
Facilitating internal communication within the Organisation,
Delivering online training and tracking learning progress,
Technical support and system administration.
5. Data Source and Sharing
Sources of Personal Data
Direct collection from individuals through the platform,
Organisation's HR systems (for employee data),
User-generated content within the applications,
System-generated data (logs, analytics).
Third-Party Sharing
Sub-processors listed in this Annex, paragraph 6 (for technical services only),
No sharing for marketing or commercial purposes,
Law enforcement/regulatory bodies only when legally required.
Automated Decision-Making:
No automated decision-making with legal or significant effects,
Analytics are used only for platform improvement,
All significant decisions require human involvement.
6. Sub-processors
Data Intermediary shall, in principle, process personal data only within the jurisdiction of the European Economic Area (EEA) or Singapore, provided that such processing complies with the requirements of respectively the GDPR and the PDPA.
Processing in other countries is permitted only if that country ensures an adequate level of data protection as recognised by the European Commission (under the GDPR) or by the Personal Data Protection Commission (PDPC) of Singapore (under the PDPA), or if appropriate safeguards have been implemented, such as the use of Standard Contractual Clauses (SCCs).
The Data Intermediary warrants that it has agreed with the sub-processors it engages for AI-related functionalities that any personal data shall be used solely for the performance of this agreement and shall not be used for the training of artificial intelligence models, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
The Data Intermediary shall ensure that its sub-processors also comply with these requirements.
Fellow Digitals Group B.V. has engaged the following sub-processors for the provision and maintenance of its applications used by the Data Intermediary (Fellow Digitals Pte. Ltd.):
Exonet B.V.
Personal Data to be processed: The types of personal data processed depend on what the Organisation includes in the application, but will, in most cases, consist of: Name, Email address, Job title and department, Profile information voluntarily provided by users, Activity logs and usage data within the platform, Training records and completion status (for LMS), and Content created and shared by users.
Type of processing: Infrastructure and hosting services,
Jurisdiction of processing: Singapore,
Registered primary jurisdiction of sub-processor: The Netherlands (EU),
Address: Zevenaar, The Netherlands,
Exonet B.V. certifications: ISO 9001, ISO 27001 and NEN 7510,
Data centers used:
Singapore Data Centre: Google Data Centre, 2 Jurong West Street 23, Singapore 648195,
Google Data Centre certifications: ISO 27001, ISO 27017, ISO 27018, ISO 27110, ISO 27701, SOC 1, SOC 2 and SOC 3, at the time of writing.
Rapidmail GmbH
Personal Data to be processed: Email addresses,
Type of processing: Transmission and delivery of e-mails from applications. Email retention is a maximum of 10 days,
Jurisdiction of processing: Germany (EU),
Registered primary jurisdiction of sub-processor: Germany (EU),
Address: Freiburg im Breisgau, Germany.
Transloadit-II GmbH
Personal Data to be processed: Video files,
Type of processing: Transcoding of video files (All files will be deleted within 24 hours after processing),
Jurisdiction of processing: Singapore,
Registered primary jurisdiction of sub-processor: Germany (EU),
Address: Berlin, Germany.
Mistral AI
Personal Data to be processed: User input,
Type of processing: Content generation using Large Language Model (AI),
Jurisdiction of processing: Sweden (EU),
Registered primary jurisdiction of sub-processor: France (EU),
Address: Paris, France.
HeyGen, Inc.
Personal Data to be processed: User input,
Type of processing: Text-to-video generation,
Jurisdiction of processing: USA,
Registered primary jurisdiction of sub-processor: USA,
Address: Los Angeles, California, USA.
Google LLC
Personal Data to be processed: User input,
Type of processing: Translation,
Jurisdiction of processing: Global,
Registered primary jurisdiction of sub-processor: USA,
Address: London, Mountain View, California, USA.
ANNEX 2 - DETAILED TECHNICAL AND ORGANISATIONAL MEASURES
1. Customer Responsibilities (Organisation)
The Organisation shall implement the following technical and organisational security measures to protect personal data against breaches:
Coordination: Appointment of a designated coordinator at the Customer’s level. This ensures clear accountability and oversight of data protection activities within the Customer’s organisation.
Access Management: Strict prohibition on sharing user names and passwords between users. This measure prevents unauthorised access through credential sharing and maintains individual accountability.
Authorisation Controls: Prevention of access grants to unauthorised persons. Only individuals with legitimate business needs and proper authorisation may access personal data.
Session Management: Implementation of independent log-out procedures after system use. This reduces the risk of unauthorised access through unattended workstations or devices.
2. Data Intermediary Responsibilities (Fellow Digitals)
A. Technical Security Measures
Fellow Digitals, as part of Fellow Group B.V., and Fellow Group B.V. itself are ISO 27001, ISO 27701 and NEN 7510 certified. This means that information security is an integral part of its business processes, and all processes and procedures meet the requirements of the standards mentioned above. The security measures that the Processor will take include, as a minimum:
(Password) security,
Encryption (HTTPS),
Annual preventive security assessments performed by external security specialists,
Internal agreements/procedures regarding access.
Detailed procedures and instructions regarding these topics are described in the internal Privacy Information Management System (PIMS).
B. Organisational Security Measures
Governance Structure
Designated Data Protection Officer: Serge Christiaans (privacy@fellowdigitals.com), ensuring regulatory compliance oversight,
Security Officer within the organisation, ensuring focused cybersecurity leadership,
Regular security review meetings, maintaining ongoing security governance,
Annual management reviews provide strategic security oversight.
Personnel Security
Background checks for all personnel, ensuring trustworthy staff,
Confidentiality agreements (NDA) are mandatory for all employees,
Security awareness training for all employees, ensuring current security knowledge,
Clean desk policy enforcement prevents information exposure,
Code of Conduct obligations for all employees, establishing behavioural expectations.
Incident Management
Incident response team ensuring round-the-clock security coverage,
Documented escalation procedures providing clear response protocols,
Forensic investigation capabilities enabling thorough incident analysis,
Post-incident review process ensures continuous improvement.
Business Continuity
RPO: 24 hours / RTO: 8 hours, ensuring minimal data loss and rapid recovery,
Geographically distributed backups protect against regional incidents,
Annual DR testing ensures recovery procedures remain effective,
Redundant infrastructure providing multiple layers of protection.
Secure Development
Security by design principles ensure cybersecurity is built into systems from inception,
OWASP Top 10 compliance protects against common web application vulnerabilities,
Security testing in the CI/CD pipeline, ensuring automated security validation,
Third-party library scanning identifies vulnerabilities in external components.
Singapore-Specific Compliance
NRIC Handling: Strict controls on the collection and use of NRIC numbers per PDPC guidelines, ensuring compliance with local identification number regulations,
Do Not Call Registry: Integration capabilities if marketing features are enabled, ensuring compliance with telecommunications regulations,
Data Protection Trustmark: Working towards DPTM certification, demonstrating commitment to Singapore's data protection excellence framework,
Local Representation: Designated Singapore representative for regulatory matters, ensuring local regulatory compliance,
PDPC Cooperation: Established procedures for regulatory inquiries, ensuring responsive regulatory engagement.
3. Hosting Responsibilities (Exonet B.V.)
Data storage/centre
Storage is redundant so that the VM can start on different hardware in case of a hardware failure,
Suitable encryption of storage at disk level.
Backup facilities
Backup with snapshot technology, located in a separate data centre; frequency and retention defined in SLA,
Redundant replicated disks,
Backups are stored outside the data centre,
The backup facility runs on separate hardware from production.
Infrastructure
Secured connections using HTTPS/TLS,
DDoS protection in place (Google Cloud DDoS protection),
Network segmentation through the use of VLANs. The Google Firewall accepts traffic and then routes it into the internal VLAN and the server,
Standard firewall and antivirus protection are implemented on all servers, including ongoing monitoring.
Access control
Logical access based on a password policy and/or VPN keys, IP address access lists on information systems, firewalls, the possibility of central logging of information systems, and detection systems for specific unauthorised changes,
Logging is enabled and sent to a remote data centre (Exonet, Ede, The Netherlands).
Organisation
Exonet B.V.: ISO 9001, ISO 27001 and NEN 7510 certification for full service provision,
Duty of confidentiality of all employees, Code of Conduct obligation for all employees, no temporary staff,
Security officer within the organisation, security awareness training for all employees,
Daily operating system security updates; additional updates in the event of serious security risks and leaks,
An overview of the data centre's compliance offerings: https://cloud.google.com/security/compliance/offerings.