This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Steer Platform Pte. Ltd. (“Processor”) and the Customer (“Controller”) and applies whenever we process personal data on the Customer’s behalf.
1. Subject matter
The Processor will process personal data exclusively to provide Steer Workforce in accordance with the Customer’s documented instructions.
2. Duration
This DPA remains in effect for as long as the Processor processes personal data on the Customer’s behalf.
3. Categories of data subjects and personal data
Data subjects: the Customer’s employees, contractors, and other workers configured in the Service.
Categories of personal data: identification (name, contact details, government IDs), employment information (role, compensation, status), payroll data (hours, pay components, deductions), leave records, contract documents, and supporting attachments uploaded by the Customer.
4. Sub-processors
The Processor uses the sub-processors listed at steerplatform.com/security. The Processor will give 30 days’ notice before adding a new sub-processor; the Customer may object on reasonable grounds, in which case the parties will work in good faith to resolve.
5. Security
The Processor implements appropriate technical and organizational measures including encryption in transit and at rest, role-based access control, multi-tenant isolation via PostgreSQL row-level security, and append-only audit logging. See the Security page for the current control set.
6. Personal data breach notification
The Processor will notify the Customer without undue delay (within 72 hours) of becoming aware of a personal data breach affecting Customer data, including the nature of the breach, affected categories, likely consequences, and mitigation measures.
7. Assistance
The Processor will assist the Controller in fulfilling data subject requests, conducting impact assessments, and responding to regulatory inquiries.
8. Cross-border transfers
Where personal data is transferred across borders, the Processor relies on standard contractual clauses or equivalent safeguards as required by applicable law.
9. Return or deletion
On termination, the Processor will, at the Customer’s choice, return or delete personal data within 30 days, subject to retention required by law (BIR 10-year retention applies to PH customer payroll records).
10. Audit
The Customer may, on reasonable notice and no more than once per year, request an audit of the Processor’s compliance with this DPA, conducted at the Customer’s expense by a mutually agreed independent auditor under reasonable confidentiality.
11. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.
This is a draft pending review by Singapore counsel. The version published on launch day will supersede this draft.