# SG-EU controller-to-processor — EU customers' data routed through SG vendor

> **Sample document &mdash; not legal advice.** This document is one of a library of sample legal drafts published by LawCrew at `lawcrew.ai/samples`. It illustrates how the LawCrew agent team approaches a common Singapore DPA scenario. **It is not legal advice and is not tailored to any specific transaction.**
>
> LawCrew is a legal-technology service, not a law firm. For your own matter, run an intake through the product and engage an independent Singapore-qualified lawyer to review before signing.
>
> *Sample DPA #03 &middot; Hand-authored pending specialist roll-out &middot; Published 2026-05-22*

---

# Data Processing Addendum

This Data Processing Addendum (this **"Addendum"**) is entered into as of 1 January 2026 (the **"Effective Date"**) between:

**(1) Helvetica Retail GmbH**, a company incorporated under the laws of Germany with company number HRB 234 901 and its registered office at Maximilianstraße 35, 80539 Munich, Germany (the **"Controller"**); and

**(2) Orchard Insights Pte Ltd**, a company incorporated in Singapore (UEN 202103456J) with its registered office at 1 Raffles Quay, #28-02, North Tower, Singapore 048583 (the **"Processor"**).

The Controller and the Processor are each a **"Party"** and together the **"Parties"**.

## Recitals

(A) The Parties have entered into a master subscription agreement dated 1 January 2026 (the **"Principal Agreement"**), under which the Processor provides a customer analytics and personalisation platform (the **"Services"**) to the Controller.

(B) The Controller is established in the European Union and the data subjects whose Personal Data is Processed under the Services are predominantly located in the European Economic Area (the **"EEA"**).

(C) The Processor will Process Personal Data on behalf of the Controller from Singapore and from such other locations as are set out in this Addendum.

(D) The Parties enter into this Addendum to record their respective obligations under (i) Regulation (EU) 2016/679 (the **"GDPR"**), and (ii) the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (the **"PDPA"**), in respect of the Processing of Personal Data and the transfer of Personal Data from the EEA to Singapore.

## 1. Definitions

1.1 In this Addendum:

  (a) **"Applicable Data Protection Law"** means the GDPR, the PDPA and any other law relating to the protection of personal data that applies to the Processing of Personal Data under this Addendum.

  (b) **"EU SCCs"** means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

  (c) **"Personal Data"** means personal data (as defined in Article 4(1) GDPR) and personal data (as defined in section 2(1) of the PDPA) that is Processed by the Processor on behalf of the Controller in connection with the Services.

  (d) **"Personal Data Breach"** means a personal data breach as defined in Article 4(12) GDPR and includes any event that would constitute a "data breach" under section 26A of the PDPA.

  (e) **"Process"**, **"Processing"** and **"Processed"** have the meaning given in Article 4(2) GDPR.

  (f) **"Sub-processor"** means any third party engaged by the Processor to Process Personal Data on its behalf in connection with the Services.

  (g) **"Supervisory Authority"** means a competent supervisory authority under Article 51 GDPR.

1.2 Other capitalised terms used but not defined have the meanings given in the Principal Agreement, the GDPR or the PDPA, as the context requires.

## 2. Roles, scope and relationship between regimes

2.1 The Controller is the controller (within the meaning of Article 4(7) GDPR) of the Personal Data and the Processor is a processor (within the meaning of Article 4(8) GDPR) acting on behalf of the Controller. For the purposes of the PDPA, the Processor acts as a data intermediary in respect of the Personal Data.

2.2 This Addendum applies to all Processing of Personal Data by the Processor under the Principal Agreement. Annex I.B to the EU SCCs (completed in Schedule 4 by reference to Schedule 1) describes the categories of data subjects and Personal Data, the purposes of Processing and the duration.

2.3 Where the GDPR and the PDPA impose differing standards in relation to the same matter, the standard that affords the higher level of protection to data subjects applies, and a Party's compliance with that higher standard shall be deemed compliance with both regimes in respect of that matter.

2.4 In the event of any conflict between (a) the body of this Addendum, (b) the EU SCCs and (c) the Principal Agreement, the order of precedence is (b), (a), (c).

## 3. Processor's obligations and instructions

3.1 The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to Process by EU or Member State law to which the Processor is subject (or, for the PDPA layer, by Singapore law), in which case the Processor shall, to the extent permitted by that law, inform the Controller of that legal requirement before Processing.

3.2 The instructions set out in this Addendum, the Principal Agreement and Schedule 1 constitute the Controller's complete and final instructions to the Processor as at the Effective Date. Any additional or alternative instructions must be agreed in writing.

3.3 The Processor shall promptly notify the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.

3.4 The Processor shall not sell, rent or otherwise commercialise the Personal Data, and shall not use Personal Data for its own purposes (including profiling, training generally available machine-learning models, or behavioural advertising) save for limited internal purposes of providing, securing and improving the Services in a manner that does not identify any individual and does not contravene Article 28(3)(a) GDPR.

## 4. Confidentiality

4.1 The Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Confidentiality obligations imposed on personnel shall survive the termination of their engagement for not less than three (3) years.

## 5. Security measures

5.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the likelihood and severity of risk to data subjects. These measures are set out in Annex II (incorporated as Schedule 2).

5.2 The Processor's measures shall also satisfy the Protection Obligation under section 24 of the PDPA in relation to the same Personal Data.

5.3 The Processor shall not make any change to the measures in Schedule 2 that materially reduces the level of protection without the prior written consent of the Controller, except where required by law or by a generally accepted security standard to which the Processor is certified.

## 6. Sub-processors

6.1 The Controller grants the Processor a general written authorisation (within the meaning of Article 28(2) GDPR) to engage Sub-processors, subject to this Clause 6.

6.2 The Processor shall maintain an up-to-date list of Sub-processors at a URL notified to the Controller and shall give the Controller not less than thirty (30) days' prior written notice before adding or replacing a Sub-processor. The current list as at the Effective Date is set out in Annex III (Schedule 3).

6.3 The Controller may object on reasonable grounds relating to data protection by giving written notice within the thirty (30) day notice period. If the Parties cannot agree on a resolution within a further fifteen (15) days, the Controller may terminate the affected portion of the Services without liability for early-termination fees in respect of that portion.

6.4 The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this Addendum and Article 28(3) GDPR. The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations.

6.5 Where the engagement of a Sub-processor entails a transfer of Personal Data outside the EEA to a country in respect of which the European Commission has not made an adequacy decision under Article 45 GDPR, the Processor shall ensure that an appropriate transfer mechanism under Article 46 GDPR is in place between the Processor and the Sub-processor, and shall make the relevant agreement available to the Controller on request.

## 7. Assistance with data subject rights and Controller obligations

7.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for the exercise of data subject rights under Chapter III GDPR and under the Access and Correction Obligations of the PDPA.

7.2 The Processor shall provide reasonable assistance to the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessment and prior consultation) and the equivalent obligations under the PDPA, taking into account the nature of Processing and the information available to the Processor.

7.3 If the Processor receives a request, complaint or communication from a data subject, a Supervisory Authority or the Personal Data Protection Commission (the **"PDPC"**) that relates to the Controller or the Personal Data, the Processor shall:

  (a) not respond to the request, complaint or communication on its own initiative beyond confirming that the request should be addressed to the Controller; and

  (b) notify the Controller without undue delay and in any event within two (2) Business Days of receipt.

7.4 The Processor's reasonable costs of providing the assistance described in this Clause 7 are included in the Service fees, save where the volume or complexity of the assistance materially exceeds the assistance contemplated by the Principal Agreement, in which case the Processor may charge its standard professional services rates on prior written notice.

## 8. Personal Data Breach

8.1 The Processor shall notify the Controller of a Personal Data Breach without undue delay and in any event within forty-eight (48) hours of becoming aware of it. The notification shall enable the Controller to comply with its obligations under Articles 33 and 34 GDPR and under sections 26C and 26D of the PDPA.

8.2 The notification shall include, to the extent then known:

  (a) the nature of the Personal Data Breach, including the categories and approximate number of data subjects and records concerned;

  (b) the name and contact details of the Processor's data protection contact;

  (c) the likely consequences of the Personal Data Breach; and

  (d) the measures taken or proposed to be taken to address the Personal Data Breach and to mitigate its adverse effects.

8.3 Where it is not possible to provide all of the information at the same time, the Processor may provide it in phases without undue further delay.

8.4 The Processor shall not notify any Supervisory Authority, the PDPC or any data subject of a Personal Data Breach concerning Personal Data Processed on behalf of the Controller without the prior written consent of the Controller, except where required to do so by law applicable to the Processor.

## 9. International transfers

9.1 The Controller acknowledges that Personal Data is transferred from the EEA to Singapore for the purposes of providing the Services.

9.2 The transfer described in Clause 9.1 is made on the basis of Module Two (Controller to Processor) of the EU SCCs, which are incorporated into this Addendum by reference and completed by the Parties as set out in Schedule 4.

9.3 In respect of the same flows of Personal Data, the Parties also rely on contractual safeguards under the Transfer Limitation Obligation of the PDPA to the extent that any onward processing within Singapore is governed by that obligation.

9.4 Where the Processor transfers Personal Data from the EEA, or onwards from Singapore, to a Sub-processor located in a country in respect of which no adequacy decision is in force, the Processor shall:

  (a) ensure that the transfer is subject to the EU SCCs or another appropriate transfer mechanism under Article 46 GDPR; and

  (b) ensure that the recipient is bound by legally enforceable obligations providing a standard of protection comparable to the PDPA.

9.5 The Processor confirms that, as at the Effective Date, it has carried out a transfer impact assessment of the laws and practices of Singapore and any other relevant jurisdiction, and that the safeguards in this Addendum, together with the EU SCCs, are sufficient to ensure essentially equivalent protection of Personal Data. The Processor shall provide a copy of that assessment to the Controller on request, redacted for confidentiality where necessary.

## 10. Audit and information rights

10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Addendum and with Article 28 GDPR, including:

  (a) the most recent ISO/IEC 27001 certificate and Statement of Applicability;

  (b) the most recent SOC 2 Type II report;

  (c) summary results of the annual penetration test; and

  (d) summary outputs of the Processor's transfer impact assessment.

10.2 The Controller may, on not less than thirty (30) days' prior written notice and not more than once in any twelve (12) month period (except following a Personal Data Breach affecting the Controller's data, or where required by a Supervisory Authority or the PDPC), conduct an audit. The audit shall:

  (a) be conducted by the Controller or by an independent auditor of recognised standing appointed by the Controller and not being a competitor of the Processor;

  (b) take place during normal business hours on dates agreed in advance;

  (c) be subject to reasonable confidentiality undertakings;

  (d) not unreasonably interfere with the Processor's business operations; and

  (e) not extend to other customers' data or to the Processor's source code.

10.3 Where a Supervisory Authority or the PDPC mandates an audit of the Processor in respect of the Controller's Personal Data, the Processor shall cooperate with that audit.

## 11. Return and deletion

11.1 At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of Services relating to Processing, and shall delete existing copies unless EU or Member State law (or, in respect of the PDPA layer, Singapore law) requires storage of the Personal Data.

11.2 Personal Data retained pursuant to Clause 11.1 shall be Processed solely to the extent and for the period necessary to comply with that legal requirement, and shall remain subject to this Addendum.

11.3 The Processor shall, on request, provide a written certificate of deletion signed by an authorised officer of the Processor within ninety (90) days of the date of return or deletion.

## 12. Term and termination

12.1 This Addendum takes effect on the Effective Date and continues for so long as the Processor Processes Personal Data on behalf of the Controller, notwithstanding termination or expiry of the Principal Agreement.

12.2 A material breach of this Addendum that is not remedied within thirty (30) days of written notice shall constitute a material breach of the Principal Agreement.

12.3 The Controller may terminate the Principal Agreement, in whole or in part, in accordance with Clause 16 of the EU SCCs (Non-compliance with the Clauses and termination).

## 13. General

13.1 **Liability.** Liability under this Addendum is subject to the limitations of liability in the Principal Agreement. Nothing in this Addendum limits or excludes a data subject's rights under Clause 12 of the EU SCCs or under Applicable Data Protection Law. Administrative fines imposed on the Controller by a Supervisory Authority under Article 83 GDPR, or by the PDPC under section 48J of the PDPA, are direct losses recoverable from the Processor to the extent caused by a breach of this Addendum by the Processor or its Sub-processors.

13.2 **Governing law and jurisdiction.** This Addendum is governed by the laws of Singapore, save that (a) the EU SCCs are governed by, and disputes thereunder are subject to the jurisdiction of, the law and courts identified in Schedule 4 in accordance with Clauses 17 and 18 of the EU SCCs, and (b) data subjects retain the rights of action set out in Clauses 11 and 18 of the EU SCCs.

13.3 **Order of precedence.** As set out in Clause 2.4.

13.4 **Variation.** This Addendum may only be varied by written agreement signed by an authorised representative of each Party. Where the European Commission adopts updated standard contractual clauses, the Parties shall in good faith re-execute Schedule 4 to incorporate the updated clauses within the transition period afforded by the relevant Commission decision.

13.5 **Severability.** If any provision is held invalid or unenforceable, the remaining provisions remain in force.

---

**Signed for and on behalf of Helvetica Retail GmbH**

Name: ______________________________

Title: ______________________________

Date: ______________________________

**Signed for and on behalf of Orchard Insights Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

---

## Schedule 1 — Processing details

| Item | Description |
|---|---|
| **Subject matter** | Provision of a customer analytics and personalisation platform, including identity resolution, segmentation, and recommendation generation. |
| **Duration** | The term of the Principal Agreement, plus any retention period required by applicable law. |
| **Nature and purpose** | Ingestion of clickstream and transactional events; identity resolution; computation of segments and recommendations; delivery of personalised content and analytics dashboards. |
| **Types of Personal Data** | Online identifiers (cookie ID, device ID, hashed email); first name; email address; postal address (where provided by the Controller for fulfilment); purchase history; browsing history within the Controller's properties; preferences; IP address (truncated). |
| **Special categories** | None expected. The Controller shall not configure the Services to ingest special categories of personal data (Article 9 GDPR) without prior written notice to the Processor and a documented appropriate-safeguards analysis. |
| **Categories of data subjects** | Customers, prospective customers and website visitors of the Controller, predominantly resident in the EEA. |

## Schedule 2 — Technical and organisational measures (Annex II to the EU SCCs)

**1. Hosting and segregation.** Production environment hosted in a Singapore region of a Tier 1 hyperscale cloud provider, with logical tenant segregation enforced at the application, API and database layers.

**2. Pseudonymisation and encryption.** Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 with keys managed in a FIPS 140-2 Level 3 hardware security module. Direct identifiers are pseudonymised in analytical pipelines.

**3. Confidentiality, integrity, availability and resilience.** Multi-zone deployment within the Singapore region; documented RTO of four (4) hours and RPO of fifteen (15) minutes; backup integrity verification.

**4. Restoration.** Documented restoration procedures tested at least annually.

**5. Testing and evaluation.** Continuous dependency scanning; quarterly internal vulnerability scans; annual external penetration test by a CREST-accredited tester; an annual review of the technical and organisational measures.

**6. Access control.** Role-based access control on a least-privilege, need-to-know basis; multi-factor authentication for all production access; quarterly access reviews; logged and time-bounded just-in-time elevation for production data access.

**7. Logging and monitoring.** Application, system and security logs retained for not less than twelve (12) months in a tamper-evident store; twenty-four-by-seven security monitoring.

**8. Personnel.** Background screening to the extent permitted by law; mandatory annual training in data protection and security; written confidentiality obligations surviving termination.

**9. Sub-processor management.** Written contracts imposing flow-down obligations; due diligence prior to onboarding; ongoing monitoring; the Processor remains fully liable for Sub-processor acts and omissions.

**10. Data subject rights tooling.** Self-service and API-based functionality for the Controller to fulfil access, rectification, erasure, restriction, portability and objection requests.

**11. Certifications.** ISO/IEC 27001; SOC 2 Type II.

## Schedule 3 — Approved Sub-processors (Annex III to the EU SCCs)

| Sub-processor | Function | Location of Processing | Transfer mechanism (if outside EEA) |
|---|---|---|---|
| Bukit Cloud Services Pte Ltd | Production cloud infrastructure | Singapore | EU SCCs Module Two (incorporated by reference under Clause 6.5) |
| Sungei Email Delivery Pte Ltd | Transactional email delivery | Singapore | EU SCCs Module Two (incorporated by reference under Clause 6.5) |
| Telok Ayer Observability Pte Ltd | Application performance monitoring; pseudonymised telemetry only, no Personal Data fields | Singapore | EU SCCs Module Two (incorporated by reference under Clause 6.5) |
| Frankfurt Analytics Co-operative GmbH | Aggregated benchmarking analytics, EEA-resident data only | Germany | Not applicable (within EEA) |

## Schedule 4 — Cross-border transfer mechanism: EU SCCs (Module Two)

The Parties incorporate the EU SCCs (Module Two — Controller to Processor) into this Addendum by reference and complete them as follows.

**A. Module.** Module Two (Transfer controller to processor).

**B. Annex I.A — List of Parties.**

  *Data exporter:* Helvetica Retail GmbH (the Controller), as identified at the head of this Addendum. Activities relevant to the data transferred under these Clauses: customer relationship management; e-commerce fulfilment; marketing. Role: Controller.

  *Data importer:* Orchard Insights Pte Ltd (the Processor), as identified at the head of this Addendum. Activities relevant to the data transferred under these Clauses: provision of the Services. Role: Processor.

**C. Annex I.B — Description of transfer.** As described in Schedule 1.

  Frequency of the transfer: continuous.

  Period for which the personal data will be retained: duration of the Principal Agreement plus retention required by law.

  For transfers to (sub-)processors, the subject matter, nature and duration of the processing: as described in Schedule 3.

**D. Annex I.C — Competent supervisory authority.** The Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), as the supervisory authority of the Member State in which the Controller is established. If the Controller's establishment changes during the term, the competent authority shall be updated accordingly without requiring re-execution of this Schedule.

**E. Annex II — Technical and organisational measures.** As set out in Schedule 2 of this Addendum.

**F. Annex III — List of sub-processors.** As set out in Schedule 3 of this Addendum.

**G. Clause-specific elections.**

  *Clause 7 (Docking clause):* The optional docking clause does not apply at the Effective Date but the Parties may add additional parties by written agreement in accordance with Clause 7.

  *Clause 9 (Use of sub-processors):* Option 2 (General written authorisation) applies. The time period for prior notice of sub-processor changes is thirty (30) days, as further described in Clause 6 of this Addendum.

  *Clause 11 (Redress):* The optional independent dispute resolution body does not apply.

  *Clause 17 (Governing law):* The Clauses shall be governed by the law of Germany.

  *Clause 18 (Choice of forum and jurisdiction):* The courts of Munich, Germany, with data subjects retaining the rights set out in Clause 18(c).

**H. Coordination with the PDPA layer.** The PDPA continues to apply to the Processor's Processing in Singapore as set out in the body of this Addendum. Where any obligation under the EU SCCs sets a higher standard than the equivalent obligation under the PDPA in respect of the same Personal Data, the Processor shall comply with the higher standard.
