Data Processing Agreement
Effective: 2026-04-11
1. Parties
This Data Processing Agreement ("DPA") is between the customer organisation that subscribes to Socianote (the "Controller") and Better Future Holdings Pte Ltd, a company incorporated in Singapore and the operator of the Socianote service (the "Processor").
Socianote is a product of Better Future Holdings Pte Ltd. References to "Socianote" in this DPA refer to the service; the legal entity contracting with the Controller is Better Future Holdings Pte Ltd.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller solely to provide the Socianote service. Processing continues for the duration of the Controller's active subscription, plus a 30-day post-termination period for data export.
3. Nature and purpose of processing
Storage, retrieval, and presentation of participant case management data, including: participant profiles, case notes, support records, document attachments, and audit logs. No automated decision-making. No profiling for advertising or analytics.
4. Categories of data subjects and personal data
- Data subjects: participants (individuals served by the Controller), staff members of the Controller.
- Personal data: name, contact details, demographic information, consent records, support history. May include special category data (health, ethnicity) where the Controller chooses to record it under their own lawful basis.
5. Obligations of the Processor
The Processor will:
- Process Personal Data only on documented instructions from the Controller, including the act of using the Service.
- Limit staff access to authorised personnel only. Socianote personnel may access Personal Data solely as necessary to (a) provide and operate the Service, (b) respond to Controller support requests, (c) investigate security incidents or bugs, (d) comply with legal obligations. All personnel with access are bound by written confidentiality agreements. There is no casual or routine access — each access is tied to a specific operational reason. Database-level access is logged. Personnel will not use Personal Data for any secondary purpose (marketing, profiling, analytics, AI training, etc.).
- Implement appropriate technical and organisational measures to ensure security appropriate to the risk, including: encryption at rest and in transit, row-level access control, audit logging, role-based access, secure authentication.
- Assist the Controller in responding to data subject requests.
- Notify the Controller without undue delay (and within 72 hours) on becoming aware of a Personal Data breach affecting the Controller's data.
- On termination, return or delete all Personal Data within 30 days unless a legal hold applies.
- Make available all information necessary to demonstrate compliance with Article 28 GDPR.
6. Subprocessors
The Controller authorises the Processor to engage the following subprocessors:
- Supabase — Database, authentication, file storage, realtime
- Vercel — Application hosting, edge runtime, CDN
- Resend — Transactional email (invites, password resets, notifications)
- Cloudflare — DNS, CDN, DDoS protection — routes traffic; IP address metadata only
The Processor will notify the Controller of any intended changes to the subprocessor list, giving the Controller the opportunity to object. Full list with data locations: /trust/subprocessors.
7. International transfers
Personal Data is hosted in Singapore (Supabase ap-southeast-1) by default. EU residency is available for enterprise customers on request. Cross-border transfers (e.g. to US-based email infrastructure) are governed by Standard Contractual Clauses where required.
8. Audit rights
The Controller may request, on reasonable notice, evidence of the Processor's compliance with this DPA. The Processor will respond with relevant documentation within 30 days. The Controller may not conduct an on-site audit without prior agreement.
9. Liability and term
Liability is governed by the Socianote subscription terms. This DPA terminates automatically on termination of the subscription, except for clauses that survive by their nature (audit, confidentiality, breach notification).
10. Acceptance
By using Socianote, the Controller accepts the terms of this DPA. To obtain a counter-signed copy, contact security@socianote.com.
Need a counter-signed DPA or custom addendum?
Email security@socianote.com with your organisation name and jurisdiction. We typically respond within two business days.