# SG-SG sub-processor flow-down — payroll vendor's contract with a third-party tax software provider

> **Sample document — not legal advice.** This document is one of a library of sample legal drafts published by LawCrew at `lawcrew.ai/samples`. It illustrates how the LawCrew agent team approaches a common Singapore DPA scenario. **It is not legal advice and is not tailored to any specific transaction.**
>
> LawCrew is a legal-technology service, not a law firm. For your own matter, run an intake through the product and engage an independent Singapore-qualified lawyer to review before signing.
>
> *Sample DPA #05 · Hand-authored pending specialist roll-out · Published 2026-05-22*

---


# Sub-processor Data Processing Addendum

This Sub-processor Data Processing Addendum (this **"Addendum"**) is entered into as of 1 January 2026 (the **"Effective Date"**) between:

**(1) Pulau Tekong Payroll Services Pte Ltd**, a company incorporated in Singapore [UEN: 201506214H] with its registered office at 80 Robinson Road, #11-00, Singapore 068898 (the **"Main Processor"**); and

**(2) Mount Faber Tax Engines Pte Ltd**, a company incorporated in Singapore [UEN: 202209875L] with its registered office at 30 Cecil Street, #19-08, Prudential Tower, Singapore 049712 (the **"Sub-processor"**).

The Main Processor and the Sub-processor are each a **"Party"** and together the **"Parties"**.

## Recitals

(A) The Main Processor provides outsourced payroll, statutory contribution and tax-filing services to a portfolio of customers (each, an **"End Customer"**), each of which is a data controller in respect of Personal Data Processed by the Main Processor.

(B) The Main Processor has entered into a master services agreement with the Sub-processor dated 1 January 2026 (the **"Principal Agreement"**) for the use of the Sub-processor's tax computation and electronic filing platform (the **"Services"**) in connection with the Main Processor's delivery of services to End Customers.

(C) The Sub-processor will Process Personal Data on behalf of the Main Processor for the purposes of providing the Services, and the Main Processor in turn Processes that Personal Data on behalf of the End Customers.

(D) The Main Processor has commitments to its End Customers in respect of the Processing of their Personal Data, including under the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (the **"PDPA"**). The Parties enter into this Addendum to flow those commitments down to the Sub-processor.

## 1. Definitions and the processing chain

1.1 In this Addendum:

  (a) **"End Customer Personal Data"** means Personal Data of employees, contractors and other individuals of an End Customer that is Processed by the Sub-processor in connection with the Services.

  (b) **"Onward Sub-processor"** means any person engaged by the Sub-processor to Process End Customer Personal Data on behalf of the Sub-processor.

  (c) **"Personal Data"** has the meaning given in section 2(1) of the PDPA.

  (d) **"Personal Data Breach"** has the meaning given in section 26A of the PDPA.

  (e) **"Process"**, **"Processing"** and **"Processed"** mean any operation or set of operations performed on Personal Data, including collection, recording, organisation, storage, use, disclosure, transmission and erasure.

  (f) **"Upstream DPA Standard"** means the data protection standard that the Main Processor is required to apply, or to procure the application of, in respect of End Customer Personal Data under its agreements with End Customers, as further described in Schedule 5 (Summary of upstream commitments).

1.2 The Processing chain is:

  End Customer (Controller) → Main Processor (Processor) → Sub-processor (Sub-processor under section 4(3) of the PDPA, acting as data intermediary to the Main Processor).

1.3 Terms used but not defined have the meanings given in the Principal Agreement.

## 2. Roles, scope and the no-less-protective floor

2.1 The Sub-processor acts as a data intermediary on behalf of the Main Processor in respect of End Customer Personal Data. The Sub-processor does not Process End Customer Personal Data on behalf of any End Customer directly.

2.2 This Addendum applies to all Processing of End Customer Personal Data by the Sub-processor in connection with the Services. Schedule 1 sets out the subject matter, nature and purpose of the Processing, the categories of End Customer Personal Data and the categories of data subjects.

2.3 **No-less-protective standard.** The obligations imposed on the Sub-processor by this Addendum (taken together with the Principal Agreement and the security measures in Schedule 2) are intended to be no less protective than the Upstream DPA Standard. To the extent that any obligation owed by the Main Processor to an End Customer in respect of End Customer Personal Data is more protective than an obligation expressly imposed on the Sub-processor by this Addendum, the Sub-processor shall comply with that more protective obligation as if it had been set out in this Addendum, provided that:

  (a) the Main Processor has given the Sub-processor written notice of that more protective obligation; and

  (b) the more protective obligation is consistent with the nature of the Services and does not require the Sub-processor to alter the architecture of its multi-tenant platform.

2.4 In the event of any conflict between this Addendum and the Principal Agreement in relation to the Processing of End Customer Personal Data, this Addendum prevails.

## 3. Sub-processor's instructions

3.1 The Sub-processor shall Process End Customer Personal Data only:

  (a) for the purposes set out in Schedule 1;

  (b) in accordance with the documented instructions of the Main Processor, which include this Addendum, the Principal Agreement and any written direction subsequently given by the Main Processor; and

  (c) as required by any law applicable to the Sub-processor, in which case the Sub-processor shall, to the extent permitted by that law, notify the Main Processor before Processing.

3.2 The Main Processor warrants to the Sub-processor that any instruction it gives in respect of End Customer Personal Data is consistent with the instructions and authorisations given to the Main Processor by the relevant End Customer.

3.3 The Sub-processor shall promptly inform the Main Processor if, in its opinion, an instruction infringes the PDPA. The Sub-processor is not required to assess or audit the lawfulness of End Customer instructions passed through by the Main Processor.

3.4 The Sub-processor shall not sell, rent or otherwise commercialise End Customer Personal Data, and shall not use End Customer Personal Data for behavioural advertising, for training generally available machine-learning models or for any purpose unrelated to the Services.

## 4. Confidentiality

4.1 The Sub-processor shall treat all End Customer Personal Data as confidential information and shall not disclose End Customer Personal Data to any person other than:

  (a) employees, contractors and agents of the Sub-processor who have a need to access End Customer Personal Data in order to perform the Services and who are bound by written confidentiality obligations;

  (b) Onward Sub-processors engaged in accordance with Clause 6;

  (c) the relevant tax authority (the Inland Revenue Authority of Singapore), where electronic filings are made in the ordinary course of providing the Services; or

  (d) any other person to whom disclosure is required by law.

4.2 Confidentiality obligations imposed on personnel under Clause 4.1(a) shall survive the termination of their engagement for not less than three (3) years.

## 5. Security measures

5.1 The Sub-processor shall implement and maintain appropriate technical and organisational measures to protect End Customer Personal Data, having regard to the nature of the data (which includes tax identifiers, salary information and contribution data) and the harm that would result from a Personal Data Breach. These measures are set out in Schedule 2 and shall at all times satisfy the no-less-protective standard in Clause 2.3.

5.2 The Sub-processor shall maintain ISO/IEC 27001 certification at all times during the term of this Addendum and shall provide the Main Processor with the current Statement of Applicability on request.

5.3 The Sub-processor shall not make any change to the measures in Schedule 2 that materially reduces the level of protection without the prior written consent of the Main Processor, except where required by law or by a generally accepted security standard to which the Sub-processor is certified.

## 6. Onward sub-processing

6.1 The Sub-processor shall not engage any Onward Sub-processor in respect of End Customer Personal Data without the prior specific written consent of the Main Processor. General authorisations of the kind described in Article 28(2) GDPR are not granted under this Addendum.

6.2 Where consent is given:

  (a) the Sub-processor shall enter into a written contract with the Onward Sub-processor on terms imposing obligations no less protective than those imposed on the Sub-processor by this Addendum, including in respect of the no-less-protective standard in Clause 2.3, security, breach notification, audit, return and deletion;

  (b) the Sub-processor shall provide the Main Processor with a copy of the data protection provisions of that contract on request, subject to reasonable confidentiality undertakings; and

  (c) the Sub-processor remains fully liable to the Main Processor for the acts and omissions of the Onward Sub-processor as if they were its own.

6.3 The Onward Sub-processors approved as at the Effective Date are listed in Schedule 3.

## 7. Assistance with data subject rights and End Customer requests

7.1 The Sub-processor shall, taking into account the nature of the Processing, provide reasonable assistance to the Main Processor by appropriate technical and organisational measures, insofar as this is possible, to enable the Main Processor to comply with:

  (a) the Access and Correction Obligations under the PDPA in respect of End Customer Personal Data; and

  (b) the Main Processor's contractual obligations to End Customers to facilitate the equivalent obligations of those End Customers.

7.2 If the Sub-processor receives any request, complaint or communication from an individual, an End Customer, the Personal Data Protection Commission (the **"PDPC"**) or any other regulator that relates to End Customer Personal Data, the Sub-processor shall:

  (a) not respond on its own initiative beyond confirming that the request should be addressed to the Main Processor or, where appropriate, the relevant End Customer through the Main Processor; and

  (b) notify the Main Processor without undue delay and in any event within three (3) Business Days of receipt.

7.3 Assistance under this Clause 7 is included in the Service fees up to the volume of assistance ordinarily contemplated by the Principal Agreement. Where the volume or complexity of assistance materially exceeds that contemplated volume, the Sub-processor may charge its standard professional services rates on prior written notice.

## 8. Personal Data Breach

8.1 The Sub-processor shall notify the Main Processor of any Personal Data Breach affecting End Customer Personal Data without undue delay and in any event within twenty-four (24) hours of becoming aware of it. The notification timeframe is shorter than the seventy-two (72) hour PDPC notification window in order to give the Main Processor adequate time to (i) assess severity, (ii) notify End Customers, and (iii) coordinate any notifiable-data-breach notification under sections 26C and 26D of the PDPA.

8.2 The notification shall include, to the extent then known:

  (a) the nature of the Personal Data Breach, including the categories and approximate number of individuals and records concerned and the End Customers affected;

  (b) the likely consequences;

  (c) the measures taken or proposed to address the Personal Data Breach and to mitigate its adverse effects; and

  (d) a single point of contact at the Sub-processor for further information.

8.3 The Sub-processor shall provide such further information and assistance as the Main Processor reasonably requires to enable the Main Processor and the affected End Customers to discharge their respective Notification Obligations.

8.4 The Sub-processor shall not notify any End Customer, individual, the PDPC or any other regulator of a Personal Data Breach affecting End Customer Personal Data without the prior written consent of the Main Processor, save where required by law applicable to the Sub-processor. The Sub-processor shall not make any public communication concerning such a Personal Data Breach without the prior written consent of the Main Processor.

## 9. International transfers

9.1 The Sub-processor shall Process and store End Customer Personal Data within Singapore.

9.2 The Sub-processor shall not transfer End Customer Personal Data outside Singapore without the prior written consent of the Main Processor. Where consent is given, the Sub-processor shall ensure that the recipient is bound by legally enforceable obligations providing a standard of protection comparable to the PDPA, in accordance with the Transfer Limitation Obligation, and that those obligations are no less protective than the Upstream DPA Standard for cross-border transfers.

9.3 Clause 9.1 does not prevent the Sub-processor from providing remote technical support from outside Singapore, provided that such access is read-only, logged, time-bounded and does not result in the storage of End Customer Personal Data outside Singapore.

## 10. Audit and information rights

10.1 The Sub-processor shall, on reasonable written request, make available to the Main Processor all information necessary to demonstrate compliance with this Addendum, including:

  (a) the most recent ISO/IEC 27001 certificate and Statement of Applicability;

  (b) the most recent SOC 2 Type II report (or equivalent third-party attestation); and

  (c) summary results of the annual penetration test.

10.2 The Main Processor may, on not less than thirty (30) days' prior written notice and not more than once in any twelve (12) month period (except following a Personal Data Breach or where required by the PDPC, by another regulator with jurisdiction over the Main Processor or an End Customer, or by the terms of an upstream agreement with an End Customer), conduct an audit of the Sub-processor's compliance with this Addendum. The audit shall:

  (a) be conducted by the Main Processor or by an independent auditor of recognised standing appointed by the Main Processor and not being a competitor of the Sub-processor;

  (b) take place during normal business hours on dates agreed in advance;

  (c) be subject to reasonable confidentiality undertakings; and

  (d) not unreasonably interfere with the Sub-processor's business operations or compromise the confidentiality of other customers' data.

10.3 **Audit rights pass-through.** The Sub-processor acknowledges that the Main Processor may be contractually required to enable an End Customer (or that End Customer's auditor) to audit the Sub-processor's Processing of that End Customer's Personal Data. The Sub-processor agrees that, in such circumstances, the Main Processor may exercise its rights under Clause 10.2 on behalf of and in coordination with the relevant End Customer, and the Sub-processor shall reasonably cooperate, subject to the conditions in Clauses 10.2(a)–(d).

10.4 Each Party shall bear its own audit costs, save that where the audit reveals a material breach, the Sub-processor shall reimburse the Main Processor's reasonable audit costs (including the costs of any audit conducted on behalf of an End Customer under Clause 10.3).

## 11. Return and deletion

11.1 On termination or expiry of the Principal Agreement, or at any earlier time on the written instruction of the Main Processor, the Sub-processor shall, at the option of the Main Processor, return or securely delete all End Customer Personal Data, and securely delete all existing copies, except to the extent that retention is required by applicable law.

11.2 Notwithstanding Clause 11.1, the Sub-processor may retain End Customer Personal Data:

  (a) to the extent required by section 67 of the Income Tax Act 1947 (or any successor record-retention requirement under Singapore tax law) — typically not exceeding five (5) years from the relevant year of assessment;

  (b) to the extent required by other applicable law; or

  (c) where the Main Processor instructs in writing that retention is necessary to satisfy an upstream commitment to an End Customer.

11.3 End Customer Personal Data retained pursuant to Clause 11.2 shall be Processed solely to the extent and for the period necessary to comply with that legal or contractual requirement, and shall remain subject to this Addendum for so long as it is retained.

11.4 The Sub-processor shall, on request, provide a written certificate of deletion within ninety (90) days of the date of deletion (other than for data retained under Clause 11.2).

## 12. Liability

12.1 **Back-to-back liability.** The Parties acknowledge that the Main Processor's liability to its End Customers in respect of a Personal Data Breach or other failure to comply with the Upstream DPA Standard is materially greater than a fees-based cap and may include direct claims by End Customers for losses caused by the Sub-processor's breach. Accordingly, and notwithstanding any general limitation of liability in the Principal Agreement, the Sub-processor's liability to the Main Processor for losses arising out of or in connection with:

  (a) a breach of this Addendum by the Sub-processor or any Onward Sub-processor;

  (b) any Personal Data Breach affecting End Customer Personal Data caused or contributed to by the Sub-processor or any Onward Sub-processor; or

  (c) any administrative fine or compensation order imposed on the Main Processor or an End Customer by the PDPC under section 48J or section 48O of the PDPA to the extent so caused or contributed to,

is back-to-back with the Main Processor's liability to the affected End Customer(s) for the same matter, and is not subject to the general liability cap in the Principal Agreement.

12.2 Clause 12.1 does not exclude the operation of any insurance requirement set out in the Principal Agreement, and the Sub-processor shall maintain at all times cyber-liability and professional indemnity insurance to such reasonable levels as the Main Processor requires.

## 13. Term and termination

13.1 This Addendum takes effect on the Effective Date and continues for so long as the Sub-processor Processes End Customer Personal Data, notwithstanding the termination or expiry of the Principal Agreement.

13.2 A material breach of this Addendum that is not remedied within thirty (30) days of written notice shall constitute a material breach of the Principal Agreement.

## 14. General

14.1 **Governing law.** This Addendum is governed by and construed in accordance with the laws of Singapore.

14.2 **Jurisdiction.** The dispute resolution and jurisdiction provisions of the Principal Agreement apply.

14.3 **Order of precedence.** The body of this Addendum prevails over any Schedule unless the Schedule expressly states otherwise. This Addendum prevails over the Principal Agreement in respect of the Processing of End Customer Personal Data.

14.4 **No third-party rights.** End Customers are not parties to this Addendum and do not acquire direct contractual rights against the Sub-processor under it. Nothing in this Clause 14.4 affects the Main Processor's ability to pursue, on its own behalf and for losses recoverable from it by End Customers, any claim against the Sub-processor under this Addendum.

14.5 **Variation.** This Addendum may only be varied by written agreement signed by an authorised representative of each Party.

14.6 **Severability.** If any provision is held invalid or unenforceable, the remaining provisions remain in force.

---

**Signed for and on behalf of Pulau Tekong Payroll Services Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

**Signed for and on behalf of Mount Faber Tax Engines Pte Ltd**

Name: ______________________________

Title: ______________________________

Date: ______________________________

---

## Schedule 1 — Processing details

| Item | Description |
|---|---|
| **Subject matter** | Provision of a tax computation and electronic filing platform used by the Main Processor in connection with the delivery of payroll services to End Customers, including IR8A / IR21 / IR8S preparation and IRAS Auto-Inclusion Scheme filings. |
| **Duration** | The term of the Principal Agreement, plus any retention period required by Clause 11.2. |
| **Nature and purpose** | Computation of tax liabilities and statutory contributions; preparation of electronic filings; submission of filings to the Inland Revenue Authority of Singapore via the Auto-Inclusion Scheme or other prescribed channels; generation of related reports for use by the Main Processor and End Customers. |
| **Types of End Customer Personal Data** | Full name; NRIC / FIN / passport number; date of birth; residential address; employment details (job title, start and end dates, status); income components (base salary, bonus, allowances, benefits-in-kind); CPF contributions; SDL; foreign worker levy where applicable; tax-relevant deductions; bank account details for refund disbursements. |
| **Special categories** | None expected. The Services are not configured to capture data revealing health, religion, political views or other sensitive categories. |
| **Categories of data subjects** | Employees and contractors of End Customers; directors of End Customers where their remuneration is processed via the Services; foreign workers and EP/SP/WP holders engaged by End Customers. |

## Schedule 2 — Technical and organisational measures

**1. Hosting.** Production environment hosted in a Singapore region of a Tier 1 cloud provider; multi-zone deployment within the Singapore region.

**2. Tenant segregation.** Logical segregation per Main Processor at the application, API and database layers; the Sub-processor does not co-mingle End Customer Personal Data across the Main Processor's tenant boundary.

**3. Encryption.** TLS 1.2 or higher in transit; AES-256 at rest with keys managed in a FIPS 140-2 Level 3 hardware security module. NRIC / FIN numbers are tokenised at the application layer.

**4. Access control.** Role-based access control on a least-privilege, need-to-know basis; multi-factor authentication for all production access; quarterly access reviews; logged, time-bounded just-in-time elevation for production data access.

**5. Network security.** Web application firewall; intrusion detection; network segmentation between application, database and management tiers.

**6. Vulnerability management.** Continuous dependency scanning; monthly internal vulnerability scans; annual external penetration test by an independent CREST-accredited tester; critical vulnerabilities remediated within seven (7) days.

**7. Logging and monitoring.** Application, system and security logs retained for not less than twelve (12) months in a tamper-evident store; twenty-four-by-seven security monitoring.

**8. Personnel.** Background screening to the extent permitted by law; mandatory annual PDPA and security training; written confidentiality obligations surviving termination by not less than three (3) years.

**9. Business continuity.** Documented RTO of four (4) hours and RPO of one (1) hour; restoration drills tested at least annually.

**10. Secure development.** Secure SDLC with mandatory code review, static analysis and pre-deployment security review for changes affecting the handling of End Customer Personal Data.

**11. Certifications.** ISO/IEC 27001; SOC 2 Type II (or equivalent attestation).

## Schedule 3 — Approved Onward Sub-processors

| Onward Sub-processor | Function | Location of Processing |
|---|---|---|
| Bukit Timah Cloud Infrastructure Pte Ltd | Production cloud hosting | Singapore |
| Tampines Backup & Archive Pte Ltd | Encrypted backup storage and long-term archive | Singapore |
| Queenstown Observability Pte Ltd | Application performance monitoring on pseudonymised telemetry; no End Customer Personal Data fields | Singapore |

Any addition or replacement of an Onward Sub-processor requires prior specific written consent in accordance with Clause 6.1.

## Schedule 4 — Cross-border transfer mechanism (where applicable)

No cross-border transfers are anticipated as at the Effective Date. End Customer Personal Data is Processed and stored within Singapore under Clause 9.1. If a future engagement requires cross-border Processing (for example, a regional support function operated from outside Singapore), the Parties shall complete a transfer impact assessment and execute an amendment to this Schedule before any such transfer takes place. The amendment shall identify (a) the recipient jurisdictions, (b) the contractual safeguards relied upon, (c) any End Customer approval pre-conditions imposed by the upstream agreements, and (d) the no-less-protective standard applied under Clause 2.3.

## Schedule 5 — Summary of upstream commitments

This Schedule summarises, for the Sub-processor's benefit, the commitments that the Main Processor has typically made to End Customers in its data processing addenda. This Schedule is illustrative and is not a complete statement of the Main Processor's upstream obligations; the Main Processor will give written notice under Clause 2.3 of any more protective obligation that is to be applied.

| Topic | Typical upstream commitment to End Customers |
|---|---|
| Processing instructions | Process only on documented instructions of the End Customer (passed through by the Main Processor). |
| Sub-processor engagement | Specific written authorisation for each Sub-processor (which is why Clause 6 of this Addendum is specific-authorisation, not general). |
| Personal Data Breach notification | Notify the End Customer within seventy-two (72) hours; provide all information needed for the End Customer to discharge its Notification Obligation. |
| Audit | Allow the End Customer to audit on reasonable notice, subject to confidentiality. |
| Cross-border | Process within Singapore unless the End Customer has consented in writing to a specific cross-border arrangement. |
| Return and deletion | Return or securely delete on termination, subject to legal retention. |
| Liability | The Main Processor is liable for the acts and omissions of its sub-processors as if they were its own. |
