Critical Mass Cloud
Data Processing Addendum
Last updated: 31 May 2026. This addendum forms part of the Terms of Service and applies whenever Critical Mass Cloud processes personal data on Customer's behalf under the Singapore PDPA 2012. Recommend legal review before production use.1. Roles
Customer is the data controller of personal data of its employees, customers, vendors and signers stored in the workspace. Critical Mass Cloud (Epyphite Pte Ltd) is the data intermediary (PDPA term equivalent to "processor"), processing that data only to provide the Service.
2. Categories of personal data processed
On Customer's behalf, the Service processes:
HR: employee NRIC/FIN, name, contact, salary, CPF, payroll and tax records.
Accounting: customer/vendor names and contact, invoice line items, payment data.
Sign: signer names, emails, IPs and signature audit trail.
Account: administrator login credentials and access tokens for the Service.
3. Sub-processors
We engage the following sub-processors under written confidentiality terms:
Postgres-managed hosting provider (database, SG region).
MinIO / S3-compatible object storage (Sign documents, encrypted backups).
Stripe Payments Singapore Pte Ltd (billing only - no workspace data shared).
Peppol access point partner (when InvoiceNow e-invoicing is enabled - invoice payload only).
Transactional email provider (account confirmation, magic-link delivery).
We will provide 14 days' notice of any new sub-processor; you may terminate without penalty if you object before the change takes effect.
4. Security measures
We apply at minimum: TLS in transit; per-tenant database schema isolation; salted password hashing (PBKDF2); optional second-factor authentication; rate limiting on auth endpoints; encrypted-at-rest backups (AES-256, GPG symmetric); encrypted Data Protection key ring (X.509 cert); brute-force lockout on PIN attempts; audit logging of security-relevant actions.
5. Data subject requests
Customer may exercise data-subject rights for its own users via the self-service page at /account/data (export and erasure). For requests received from Customer's data subjects directly, we will assist Customer in fulfilling them.
6. Breach notification
We will notify Customer of a personal-data breach affecting the workspace within 72 hours of confirmation, with the information needed for Customer to meet its own PDPA notification obligations (PDPC + affected individuals where the breach is likely to result in significant harm).
7. Return / deletion on termination
Within 30 days of termination, Customer may export workspace data; thereafter we hard-delete it per the configured RetentionDays unless Customer requests retention in writing or statutory record-keeping requires it.
8. Cross-border transfers
Primary data residency is Singapore. Sub-processors that operate outside Singapore are bound by terms requiring a standard of protection comparable to the PDPA.
9. Audits
Once per year, on reasonable notice, Customer may request a written summary of our security controls; on-site audits may be conducted under a separate NDA at Customer's expense.