Data Processing Addendum

Last updated: June 9, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Corporate Wellness Technologies Pte. Ltd. ("Asa", "we", "us") and the customer organisation that uses the Service ("Customer", "you") (the "Agreement", including our Terms of Service). It governs our processing of Personal Data on the Customer's behalf and applies where Applicable Data Protection Law requires it. If you require a counter-signed copy, contact us at support@asa.team.

1. Definitions

Capitalised terms not defined here have the meaning given in the Agreement. "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Singapore Personal Data Protection Act 2012, and applicable U.S. state privacy laws. "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in the data that the Customer or its users submit to the Service. "Sub-processor" means a third party engaged by Asa to process Customer Personal Data. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to third countries.

2. Roles and Scope

For Customer Personal Data, the Customer is the Controller and Asa is the Processor. Where the Customer is itself a processor acting for a third-party controller, Asa is a sub-processor. Asa processes Customer Personal Data only to provide and support the Service and as described in Annex I. The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I.

3. Processing on Documented Instructions

Asa will process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case we will inform the Customer of that legal requirement before processing, unless the law prohibits it). The Agreement, this DPA, and the Customer's use and configuration of the Service constitute the Customer's complete documented instructions. Asa will inform the Customer if, in our opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality

Asa ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and are made aware of the confidential nature of the data. Access is limited to personnel who need it to provide the Service.

5. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, Asa implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II. These include encryption of data in transit and at rest, access controls and least-privilege permissions, authentication, logging and monitoring, and incident response procedures.

6. Sub-processors

The Customer grants Asa general authorisation to engage Sub-processors to process Customer Personal Data. A current list is maintained at asa.team/subprocessors. Asa imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for each Sub-processor's performance. We will provide notice of any intended addition or replacement of a Sub-processor at least 30 days in advance (via the sub-processors page and, on request, by email), during which the Customer may object on reasonable data-protection grounds; the parties will work in good faith to resolve any objection.

7. Assistance with Data Subject Rights

Taking into account the nature of the processing, Asa will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights (such as access, rectification, erasure, restriction, portability, and objection). Where a Data Subject contacts Asa directly regarding Customer Personal Data, we will refer them to the Customer.

8. Personal Data Breach Notification

Asa will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to us to help the Customer meet its breach-notification obligations under Applicable Data Protection Law. We will take reasonable steps to mitigate and remediate the breach.

9. Data Protection Impact Assessments

Taking into account the nature of processing and the information available to us, Asa will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities, where required under Applicable Data Protection Law.

10. International Data Transfers

Asa and its Sub-processors may process Customer Personal Data in the United States and other countries. Where Asa transfers Customer Personal Data originating in the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, the transfer is governed by appropriate safeguards, including the EU-U.S. Data Privacy Framework (and its UK Extension and Swiss-U.S. counterpart) where the recipient is certified, or the Standard Contractual Clauses together with the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed by the details in the Annexes.

11. Audits and Compliance

Asa will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are subject to reasonable advance notice, confidentiality obligations, and a frequency of no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), and must be conducted in a manner that does not disrupt our operations or compromise the security of other customers' data.

12. Return and Deletion of Customer Personal Data

On termination of the Agreement, and at the Customer's choice, Asa will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. The Service also provides self-service deletion: deleting a company recursively removes its records, including projects, tasks, timesheets, leave, mood check-ins, and Project Intelligence conversation data and signals; raw conversation buffers used by Project Intelligence are additionally retained only briefly (typically about seven days) before scheduled deletion.

13. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA prevails; in the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

Annex I — Description of Processing

PartiesController: the Customer organisation. Processor: Corporate Wellness Technologies Pte. Ltd.
Categories of Data SubjectsThe Customer's administrators, employees, team members, and other individuals whose data the Customer submits to the Service, including participants in connected conversations.
Categories of Personal DataIdentifiers and contact details (name, email, profile picture), employment and team information, projects, tasks, timesheets and clock entries, leave records, and the content of messages, commands, and files shared with Asa or in connected conversations.
Special-category dataThe Service is not intended for special-category data. Voluntary wellness or mood check-ins may, depending on context, be treated as data concerning health; the Customer determines whether to enable these features and is responsible for any resulting requirements. The Customer must not submit other special-category or regulated health data (see our Privacy Policy regarding PHI).
Nature and PurposeProcessing to provide workplace management and Project Intelligence features, including hosting, storage, generating summaries, signals, and suggestions, and providing assistant responses.
DurationFor the term of the Agreement and until deletion as described in Section 12.

Annex II — Technical and Organisational Security Measures

  • Encryption of Customer Personal Data in transit (TLS) and at rest.
  • Authentication and role-based, least-privilege access controls; access limited to authorised personnel.
  • Logical isolation of customer data within a multi-tenant environment.
  • Logging and monitoring of access and system activity, and a documented incident-response process.
  • Managed, reputable cloud infrastructure (Google Cloud Platform / Firebase) with physical and network security maintained by the provider.
  • Regular backups and resilience measures provided by the underlying platform.

Annex III — Sub-processors

The current list of authorised Sub-processors is maintained at asa.team/subprocessors and incorporated into this DPA by reference.

Contact Us

For any questions about this DPA, or to request a counter-signed copy, contact us at support@asa.team.