Data Processing Agreement
Version: 1.0
Effective Date: 28 June 2026
Last Updated: 28 June 2026
1. Introduction and Scope
Section titled “1. Introduction and Scope”1.1 Parties
Section titled “1.1 Parties”This Data Processing Agreement (“DPA”) is entered into between:
[LEGAL_ENTITY_NAME] (“Service Provider,” “Processor,” or “we”), with registered office at [INSERT REGISTERED ADDRESS]; and
The Customer identified in the applicable Order Form or Terms of Service (“Customer,” “Controller,” or “you”).
1.2 Incorporation
Section titled “1.2 Incorporation”This DPA forms part of and is incorporated into the Terms of Service (“Principal Agreement”). In case of conflict regarding data protection, this DPA prevails.
1.3 Purpose
Section titled “1.3 Purpose”This DPA governs Processing of Personal Data by the Service Provider on behalf of the Customer in connection with the Newsfork platform and related services (“Services”).
1.4 Regulatory Framework
Section titled “1.4 Regulatory Framework”This DPA is designed to comply with:
- Singapore Personal Data Protection Act 2012 (PDPA)
- European Union General Data Protection Regulation (GDPR), where applicable
- Other applicable data protection laws
Where Customer is subject to GDPR, Annex A applies.
2. Definitions
Section titled “2. Definitions”| Term | Definition |
|---|---|
| Controller | The party that determines purposes and means of Processing. Customer is the Controller. |
| Customer Data | All data (including Personal Data) uploaded or transmitted to the Services by Customer. |
| Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. |
| Personal Data | Data about an identifiable natural person. |
| Processing | Any operation on Personal Data (collection, storage, use, disclosure, deletion, etc.). |
| Processor | A party that Processes Personal Data on behalf of a Controller. Service Provider is the Processor. |
| Sub-Processor | A third party engaged by Service Provider to Process Personal Data. |
3. Roles and Responsibilities
Section titled “3. Roles and Responsibilities”3.1 Customer as Controller
Section titled “3.1 Customer as Controller”Customer determines purposes and means of Processing, provides lawful basis, gives instructions, and responds to Data Subject requests (with our assistance).
3.2 Service Provider as Processor
Section titled “3.2 Service Provider as Processor”We Process Personal Data only on Customer’s instructions, implement appropriate security measures, assist with data protection obligations, and do not use Customer Data for unrelated purposes unless required by law.
4. Details of Processing
Section titled “4. Details of Processing”4.1 Subject Matter
Section titled “4.1 Subject Matter”Processing of Personal Data in connection with Newsfork API, dashboard, and related services.
4.2 Duration
Section titled “4.2 Duration”For the duration of the Principal Agreement plus 30 days for data export, unless extended for legal retention.
4.3 Nature and Purpose of Processing
Section titled “4.3 Nature and Purpose of Processing”| Purpose | Description |
|---|---|
| Service Delivery | Providing and operating the Newsfork API and platform |
| Data Storage | Storing Customer Data within the platform |
| Analytics | Usage metrics and reports requested by Customer |
| AI/RAG Features | Semantic search, classification, MCP tools (as enabled) |
| Support | Technical support and troubleshooting |
4.4 Categories of Data Subjects
Section titled “4.4 Categories of Data Subjects”- Customer’s employees and contractors
- Customer’s end users and clients
- Other individuals whose data Customer uploads or processes via the API
4.5 Types of Personal Data
Section titled “4.5 Types of Personal Data”| Category | Examples |
|---|---|
| Identity Data | Names, job titles, user IDs |
| Contact Data | Email addresses, phone numbers |
| Usage Data | API logs, timestamps, IP addresses |
| Communications | Support tickets, feedback |
Customer determines what Personal Data to process. We do not require sensitive personal data unless Customer chooses to upload it.
5. Instructions and Compliance
Section titled “5. Instructions and Compliance”We Process Personal Data only per Customer’s documented instructions, as necessary to provide the Services, or as required by law (with notice where permitted).
If we believe an instruction infringes applicable law, we will promptly notify Customer.
6. Security Measures
Section titled “6. Security Measures”We implement appropriate technical and organizational measures including:
| Category | Measures |
|---|---|
| Access Control | Role-based access, MFA, least privilege |
| Encryption | TLS 1.2+ in transit; encryption at rest |
| Infrastructure | Cloud providers with SOC 2 / ISO 27001 |
| Monitoring | Logging, alerting, incident response |
| Business Continuity | Backups and disaster recovery |
Customer is responsible for secure credentials, access configuration, and secure transmission to the Services.
7. Sub-Processors
Section titled “7. Sub-Processors”Customer authorizes use of Sub-Processors. Current categories include:
| Category | Purpose | Example Providers |
|---|---|---|
| Cloud Infrastructure | Hosting, storage, compute | Cloudflare |
| Payment Processing | Billing | Stripe |
| Email Services | Transactional email | Resend, SendGrid |
| AI Services | RAG, embeddings, MCP features | Cloudflare Workers AI (as applicable) |
| Analytics | Service analytics (anonymized) | Google Analytics (with consent) |
We ensure Sub-Processors are bound by equivalent data protection obligations. New Sub-Processors will be notified at least 30 days in advance where practicable. Customer may object on reasonable data protection grounds.
8. Data Breach Notification
Section titled “8. Data Breach Notification”We will notify Customer without undue delay and within 72 hours of becoming aware of a Data Breach affecting Customer Data, with available details and remedial measures.
Customer determines regulatory and Data Subject notifications; we provide reasonable assistance.
9. Data Subject Rights
Section titled “9. Data Subject Rights”Customer is responsible for responding to Data Subject requests. We will forward direct requests to Customer and provide reasonable assistance within 10 business days.
10. Data Retention and Deletion
Section titled “10. Data Retention and Deletion”Customer Data is retained for the duration of the Principal Agreement. Upon termination, Customer may export data within 30 days. Thereafter, we delete production data within 30 days and backup data within 90 days, except where retention is required by law.
11. International Data Transfers
Section titled “11. International Data Transfers”Customer Data may be Processed in Singapore, the United States, the European Union, and Asia-Pacific regions.
We implement appropriate safeguards including contractual clauses and SCCs for GDPR-subject data (Annex A).
12. Audit and Compliance
Section titled “12. Audit and Compliance”Upon reasonable written request (no more than once per year), we provide security documentation, certification summaries, and questionnaire responses. On-site audits may be conducted with 30 days’ notice at Customer’s expense.
13. Confidentiality
Section titled “13. Confidentiality”Personnel authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate training.
14. Liability
Section titled “14. Liability”Liability under this DPA is subject to the limitations in the Principal Agreement.
15. Term and Termination
Section titled “15. Term and Termination”This DPA commences with the Principal Agreement and continues until all Personal Data has been deleted or returned.
16. General Provisions
Section titled “16. General Provisions”This DPA is governed by the laws of the Republic of Korea. Material amendments will be communicated with at least 30 days’ notice.
Contact
Section titled “Contact”- Data Protection Officer: [LEGAL_ENTITY_NAME]
- Email: privacy@newsfork.com
- Address: [INSERT REGISTERED ADDRESS]
Annex A: GDPR-Specific Provisions
Section titled “Annex A: GDPR-Specific Provisions”This Annex applies where Customer is subject to GDPR.
A.1 EU Standard Contractual Clauses
Section titled “A.1 EU Standard Contractual Clauses”Where Personal Data from the EEA/UK is transferred to jurisdictions without adequate protection, EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference.
A.2 UK Addendum
Section titled “A.2 UK Addendum”For transfers from the UK, the UK Addendum to the EU SCCs is incorporated.
A.3 Data Protection Impact Assessments
Section titled “A.3 Data Protection Impact Assessments”We provide reasonable assistance for DPIAs where required under GDPR Article 35.
A.4 Prior Consultation
Section titled “A.4 Prior Consultation”We assist with prior consultation with supervisory authorities under GDPR Article 36 where required.