1. Roles and subject matter
1.1 Roles
You are the Data Controller. AgentSure is the Data Processor. Where AgentSure independently determines purposes and means of processing aggregated, anonymised technical data to improve the Quantify Test Suites, AgentSure acts as an Independent Controller for that limited purpose only.
1.2 Categories of data subjects
- Your authorised users (AgentSure portal accounts)
- Your end-users — only to the extent Personal Data appears incidentally in prompts/responses submitted by you or generated during Assessment. You warrant no PII is submitted without prior written notice (see §3.4)
1.3 Categories of personal data
- Authorised user credentials (email, name, role)
- Assessment metadata (Job IDs, timestamps, hashed IP addresses)
- Customer-supplied API credentials (Processor processes but does not retain plaintext — see Annex A)
- Prompts/outputs submitted during testing (where you choose to include real data; default is synthetic test data)
1.4 Special categories
The Services are not designed to process special-category data (GDPR Art. 9). You must not submit such data without prior written agreement and separate processing terms.
2. Processor obligations
- Processing instructions: we process Personal Data only on your documented instructions, including those in this DPA and the Terms / SoW. If we believe an instruction violates applicable data protection law, we notify you promptly.
- Confidentiality: all personnel are bound by written confidentiality obligations.
- Security: we implement appropriate technical and organisational measures (Annex B).
- No use beyond instructions: we will not use Personal Data for any purpose other than providing the Services, except (i) anonymised, aggregated benchmark data to improve the Quantify Test Suites and (ii) compliance with legal obligations.
We recommend you submit only synthetic or anonymised prompts and outputs. You warrant that any Personal Data intentionally submitted is for legitimate Assessment purposes and has a lawful basis under applicable law.
3. Subprocessors
You grant general authorisation to engage subprocessors. The current list is at /legal/subprocessors.
We will provide 30 days' prior notice of any new or replaced subprocessor. You may object on reasonable data-protection grounds within 14 days; if we cannot accommodate, you may terminate the affected Services on 30 days' notice without penalty.
Subprocessors are bound by data protection obligations no less protective than this DPA. We remain liable for subprocessor compliance.
4. Cross-border transfers
4.1 Singapore customers (PDPA s.26)
Where Personal Data is transferred outside Singapore, we ensure recipients are bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. Subprocessor-specific arrangements:
- Supabase: SCC-equivalent terms, SG-region data residency
- Railway: standard MSA terms; SG region migration in progress (current status at /legal/subprocessors)
- DeepSeek: explicit opt-in only; not used for MAS-licensed customers unless specifically requested
4.2 EU/UK customers (GDPR Chapter V)
We incorporate by reference the EU Standard Contractual Clauses 2021/914 (Module 2: Controller-to-Processor):
- Docking clause: Yes
- Sub-processing: Option 2 (general authorisation)
- Onward transfers: Option 1 (approved adequacy / SCCs)
- Governing law: Republic of Singapore (or relevant EU member state law where mandated)
5. Retention and deletion
- Account data: while your account is active + 90 days after closure
- Assessment Reports and audit log: 7 years (target; subject to legal hold)
- Customer API credentials: 90 days post-Assessment, then automatic purge
- Backups: up to 35 days post-deletion, then overwritten on rotation
Within 30 days of termination we will export to you (machine-readable form) Assessment Reports and Customer Data. Within 90 days we will delete or anonymise all Personal Data except aggregated benchmark data already anonymised.
6. Personal Data Breach
We will notify you within 24 hours of becoming aware of a Personal Data Breach, with reasonable detail (nature, categories and approximate number of affected data subjects, likely consequences, measures taken or proposed).
For breaches that may trigger PDPA s.26D notifiable-breach obligations (significant harm or scale ≥500 individuals), we cooperate with your PDPC notification within 72 hours of breach discovery. For GDPR Article 33, we assist your 72-hour notification to the relevant supervisory authority.
We will not directly notify a regulator on your behalf unless legally compelled or with your written authorisation.
7. Audit rights
- Information: on reasonable written request (no more than once per calendar year unless required by a regulator or following a Breach), we will make available the most recent third-party audit reports (SOC 2 Type II when available; SOC 2 Type I in the interim) and respond to reasonable security questionnaires.
- On-site audit: on at least 60 days' written notice, you or your nominated auditor (subject to confidentiality) may conduct an on-site audit at our facilities during business hours, no more than once per 24 months, at your expense.
- MAS audit power: for MAS-licensed customers, MAS may conduct audits per its statutory authority; we will cooperate.
8. Data subject rights
We assist you in fulfilling data-subject requests (access, correction, erasure, portability, restriction, objection) under PDPA Part IV or GDPR Articles 12-22, by providing technical mechanisms via the AgentSure portal or, where necessary, manual support.
9. Liability
The liability provisions of the Terms of Service / MSA apply equally to this DPA.
Annex A — Customer API credential handling
- At rest: AES-256-GCM encryption. Plaintext never written to disk or logs.
- In transit: TLS 1.3 minimum.
- Access: only assessment worker process during active Assessment.
- Retention: 90 days post-Assessment, then automatic purge.
- Customer obligation: set spend cap ≤ USD 500 before Assessment; rotate within 7 days post-Assessment.
Annex B — Security measures
See /legal/security for the current security white paper. Key controls:
- Access control: SAML/OAuth (Supabase Auth), RLS on 10 tenant tables, scope guard at application layer
- Encryption: TLS 1.3 in transit; AES-256-GCM at rest for API keys
- Audit logging: immutable trigger-protected audit_log table; 7-year retention target
- Backup: Supabase PITR (7-day recovery)
- Monitoring: Sentry + BetterStack + Supabase Logs
- Incident response: 24-hour notification, runbook documented
- Subprocessor due diligence: annual review
- Personnel: confidentiality agreements; least-privilege access; immediate offboarding on departure
Contact
Data Protection Officer: dpo@agentsure.tech