1. Purpose
This Data Processing Agreement (“DPA”) governs the processing of personal data by the Data Processor on behalf of the Data Controller in connection with the provision of the SenseWell mental wellness screening mobile application and web portal (“Services”).

2. Definitions
• “Personal Data” means any information relating to an identified or identifiable individual, including but not limited to names, mobile numbers, and mental wellness screening results.
• “Data Protection Laws” means the Singapore Personal Data Protection Act (PDPA) and any other applicable data protection laws.
• “Data Controller” means the organization that has entered into this DPA and determines the purposes and means of processing Personal Data
• “Data Processor” means Opsis Pte. Ltd., which processes Personal Data on behalf of the Data Controller.

3. Obligation of the Data Processor
• The Data Processor shall ensure that all personnel handling Personal Data are bound by confidentiality obligations.
• The Data Processor shall process Personal Data solely for the purposes specified in this DPA and shall not sell, rent, or otherwise disclose Personal Data to third parties without the Controller’s prior written consent, except as required by law.
• The Data Processor shall process Personal Data only as necessary to provide the Services described in this DPA and in accordance with applicable Data Protection Laws. The Data Processor shall not process Personal Data for any other purpose unless required by law.

4. Data Processing
• Scope of Processing: The Data Processor will process Personal Data for the purpose of providing the Services, including (i) Hosting and maintaining the SenseWell mobile app and web portal; (ii) Enabling Data Controller’s authorized users to access screening results.
• Data Security: The Data Processor shall implement appropriate technical and organizational measures to protect Personal Data, including: (i) Encryption of data in transit and at rest; (ii) Access controls and authentication; (iii) Regular security testing and vulnerability assessments.
• Data Breach Notification: In the event of a confirmed data breach, the Data Processor shall notify the Data Controller without undue delay and provide all necessary information to assist the Data Controller in fulfilling its obligations under Data Protection Laws.

5. Sub-Processing
The Data Processor may engage sub-processors (e.g., cloud hosting providers) to assist in providing the Services. The Data Processor shall ensure that sub-processors are bound by the same data protection obligations as set out in this DPA.

6. Data Retention
The Data Processor shall retain Personal Data in accordance with its Privacy Policy and Terms of Service, as agreed upon by the Individual User. The Data Controller acknowledges that Individual Users have consented to retain their screening results for up to five (5) years. However, the Data Processor shall comply with any legally valid requests for deletion, including (i) withdrawal of consent by an Individual User, or (ii) a legal requirement under applicable data protection laws.

7. Data Transfers
If Personal Data is transferred outside Singapore, the Data Processor shall ensure compliance with cross-border data transfer requirements under PDPA or GDPR.

8. Audit Rights
The Data Controller has the right to conduct audits to verify the Data Processor’s compliance with this Agreement. The Processor shall provide reasonable cooperation for such audits.

9. Termination
This DPA shall terminate automatically upon the termination of the agreement between the Data Controller and the Data Processor for the provision of the Services

10. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Singapore. Any disputes arising under this DPA shall be resolved in the courts of Singapore.