Indexed Pte Ltd is in the process of being incorporated in Singapore. Pending completion of incorporation, Indexed is operated by Han Studios (Phnom Penh, Cambodia). References to "Indexed" in this Addendum refer to the current operator and its incorporated successor interchangeably.
This Data Processing Addendum (the "DPA") supplements the Terms of Service between Indexed Pte Ltd ("Indexed", "Processor") and the Client ("Controller") and governs the Processing of Personal Data of the Controller's end-customers (the "Customer Data") by Indexed in the course of delivering the Service.
This DPA applies whenever the Controller is subject to a data protection law that requires a written processor agreement, including but not limited to the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018, and (where applicable, as data intermediary) Singapore's Personal Data Protection Act 2012 ("PDPA").
If there is any conflict between this DPA and the Terms in respect of the Processing of Customer Data, this DPA prevails.
1. Definitions
Terms defined in the Terms or in the GDPR have the meanings given there. The following additional terms apply:
- Applicable Data Protection Law — all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the PDPA, and any other equivalent law.
- Customer Data — Personal Data of the Controller's end-customers Processed by Indexed on behalf of the Controller in connection with the Service (e.g. contact form submissions).
- Data Subject — an identified or identifiable natural person whose Personal Data is Processed under this DPA.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored, or otherwise Processed.
- Sub-processor — a third party engaged by Indexed to Process Customer Data on the Controller's behalf.
2. Roles of the Parties
The parties acknowledge that, in respect of Customer Data:
(a) The Controller determines the purposes and means of Processing and acts as data controller (or, under the PDPA, the organisation);
(b) Indexed Processes Customer Data on the Controller's behalf and acts as data processor (or, under the PDPA, the data intermediary).
This DPA does not affect the parties' respective roles in respect of personal data of the Controller's representatives or Indexed's own business operations, which are governed by the Privacy Policy.
3. Subject Matter, Duration, Nature, and Purpose of Processing
| Item | Description |
|---|---|
| Subject matter | Customer Data submitted through the Deployed Site or otherwise generated in the course of Indexed delivering the Service |
| Duration | Duration of the Subscription, plus the retention period in Section 13.3 of the Terms (90 days post-cancellation), plus any legal retention obligations |
| Nature and purpose | Receiving, storing, routing, and forwarding Customer Data to the Controller; analytics and operational monitoring; security and fraud prevention |
| Types of Personal Data | Name, email address, phone number, message content, IP address, browser/device data, any other data the Controller chooses to collect via the Deployed Site |
| Categories of Data Subject | End-customers, prospects, and other individuals who submit information through the Deployed Site |
| Special category data | None expected. The Controller must not collect special category data (health, biometric, race, religion, etc.) through the Service without prior written agreement with Indexed |
4. Indexed's Obligations
Indexed will:
(a) Process Customer Data only on documented instructions from the Controller, including those set out in the Terms and this DPA, except as required by applicable law (in which case Indexed will inform the Controller of the legal requirement before Processing, unless the law prohibits this notification);
(b) Ensure that personnel authorised to Process Customer Data are bound by confidentiality obligations;
(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Section 10;
(d) Assist the Controller, taking into account the nature of Processing and the information available to Indexed, in fulfilling the Controller's obligations to respond to Data Subject requests under Section 6 and to comply with security, breach notification, impact assessment, and prior consultation obligations under Sections 11 and 12;
(e) On termination of the Service, delete or return all Customer Data under Section 13;
(f) Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits under Section 9.
5. Controller's Obligations and Warranties
The Controller will:
(a) Comply with Applicable Data Protection Law in its capacity as data controller;
(b) Establish a lawful basis (consent, contract, legitimate interest, or other) for the collection and Processing of Customer Data;
(c) Provide all required notices to Data Subjects, including a privacy notice on the Deployed Site that accurately describes the use of Customer Data and identifies Indexed as a processor;
(d) Respond to Data Subject requests under Section 6;
(e) Not provide Indexed with any Customer Data in violation of Applicable Data Protection Law;
(f) Indemnify Indexed against any claim arising out of the Controller's breach of this Section 5 (this indemnity is subject to the liability provisions of Section 16 of the Terms).
6. Data Subject Requests
If Indexed receives a request from a Data Subject to exercise rights under Applicable Data Protection Law in respect of Customer Data (including rights of access, rectification, erasure, restriction, portability, or objection), Indexed will:
(a) Promptly notify the Controller, providing a copy of the request where lawful to do so;
(b) Not respond to the request itself except on documented instructions from the Controller or as required by law;
(c) Provide reasonable assistance to the Controller, at the Controller's cost, in fulfilling its obligation to respond to the request.
7. Sub-processors
7.1 General authorisation
The Controller authorises Indexed to engage Sub-processors to assist in delivering the Service, subject to this Section 7.
7.2 List of Sub-processors at the date of this DPA
The categories and identities of Sub-processors at the date of this DPA are:
| Sub-processor | Service | Location of processing |
|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, domain registrar, analytics, email routing | Global edge (US, EU, APAC) |
| Stripe, Inc. | Payment processing | United States, Ireland |
| Airtable, Inc. | Operational database | United States |
| Anthropic, PBC | AI content generation (Claude models) | United States |
| OpenAI, L.L.C. | AI content generation (GPT models) | United States |
| Google LLC | AI translation, AI research (Gemini models) | United States, Singapore |
| Telegram FZ-LLC | Operational messaging and notifications | United Arab Emirates |
An up-to-date list will be made available on request and via the legal page on beindexed.ai.
7.3 New Sub-processors
Indexed will give the Controller no less than 14 days' notice (by email or on the legal page on beindexed.ai) before engaging any new Sub-processor that Processes Customer Data.
If the Controller reasonably objects on legitimate data-protection grounds within the notice period, the parties will work in good faith to resolve the objection. If a solution cannot be reached, the Controller may terminate the affected portion of the Service on written notice. Termination under this Section 7.3 is the Controller's sole remedy.
7.4 Indexed's responsibility
Indexed will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable to the Controller for any failure by a Sub-processor to fulfil those obligations.
8. International Transfers
Customer Data may be transferred to and Processed in countries outside the country in which it was collected, including the United States, European Union, United Arab Emirates, Cambodia, and other regions where Indexed's infrastructure providers operate.
For each transfer, Indexed and its Sub-processors rely on one or more of the following transfer mechanisms, as applicable:
(a) The European Commission Standard Contractual Clauses for Processor-to-Processor and Controller-to-Processor transfers, or the UK International Data Transfer Addendum, as incorporated into the relevant Sub-processor agreement;
(b) The Sub-processor's compliance with an applicable adequacy decision;
(c) Other lawful transfer mechanisms available under Applicable Data Protection Law.
Where the Controller is subject to the GDPR or UK GDPR and the Standard Contractual Clauses are required for the Controller-to-Indexed transfer, those clauses are deemed incorporated into this DPA, with Indexed acting as data importer / processor and the Controller as data exporter / controller. The Controller may request a signed copy at any time.
9. Audit Rights
Indexed will, on no less than 30 days' written notice and no more than once per 12-month period (or more frequently where required by a data-protection authority or following a Personal Data Breach), make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including:
(a) Indexed's then-current security policies and audit reports (e.g. SOC 2, ISO 27001) of Indexed or its Sub-processors, where available;
(b) Responses to a reasonable written questionnaire from the Controller.
Any on-site audit must be conducted at the Controller's cost, during business hours, with reasonable safeguards for Indexed's confidential information and other clients' data. The Controller will minimise disruption and will not access any data of other clients.
10. Security
Indexed implements technical and organisational measures appropriate to the risk, including:
| Domain | Measures |
|---|---|
| Encryption | TLS in transit for all Customer Data; encrypted storage for sensitive fields |
| Access control | Role-based access; least privilege; audit logging; password hashing with industry-standard algorithms |
| Network security | Cloudflare WAF, DDoS mitigation, rate limiting, bot management |
| Personnel | Confidentiality obligations; access on need-to-know basis |
| Vendor management | Sub-processor due diligence; written data-protection terms with each Sub-processor |
| Incident response | Documented breach response procedure with notification timelines (Section 11) |
| Business continuity | Daily Cloudflare-native replication; regular backup verification for Airtable-resident data |
Indexed will, taking into account the state of the art and the cost of implementation, regularly review and update these measures to ensure they remain appropriate to the risk.
11. Personal Data Breach Notification
If Indexed becomes aware of a Personal Data Breach affecting Customer Data, Indexed will:
(a) Notify the Controller without undue delay and in any case within 72 hours of becoming aware;
(b) Provide reasonable information available to Indexed about the nature, scope, and likely consequences of the breach;
(c) Describe the measures taken or proposed to address the breach and mitigate its effects;
(d) Cooperate reasonably with the Controller's investigation, regulatory notifications, and Data Subject communications, at the Controller's cost.
The notification by Indexed of a Personal Data Breach is not an acknowledgement of fault or liability.
12. Data Protection Impact Assessments and Prior Consultation
Indexed will, on reasonable request and at the Controller's cost, provide reasonable assistance to the Controller in:
(a) Conducting data protection impact assessments under Article 35 of the GDPR or equivalent;
(b) Prior consultation with supervisory authorities under Article 36 of the GDPR or equivalent.
13. Return and Deletion of Customer Data
On termination or expiration of the Subscription, the Controller may request, within 30 days of termination, the return of all Customer Data in a commonly used machine-readable format. Indexed will provide an export within 30 days of the request.
Following the earlier of (a) the Controller's confirmation that no return is required, or (b) 90 days after termination, Indexed will delete all Customer Data from its systems within a reasonable period, except where retention is required by law or to defend a legal claim, in which case the deletion obligation is suspended in respect of the relevant Customer Data only.
Indexed will not be obliged to delete or return Customer Data that has been (a) aggregated and de-identified, or (b) backed up to immutable backup media, in which case Indexed will protect such Customer Data in line with this DPA until the backup is overwritten in the ordinary course.
14. Liability
The liability of each party under this DPA is subject to the limitations and exclusions in Section 16 of the Terms.
15. Order of Precedence
In the event of conflict between this DPA and any other agreement between the parties in respect of the Processing of Customer Data, this DPA prevails. In all other respects, the Terms continue to apply.
16. Changes
Indexed may amend this DPA from time to time. Material amendments will be notified at least 30 days in advance. If an amendment materially reduces the Controller's rights under this DPA, the Controller may terminate the affected portion of the Service on written notice, as its sole remedy.
17. Language and Governing Law
This DPA is made in English. It is governed by the laws of the Republic of Singapore and subject to the dispute resolution provisions of Section 29 of the Terms.
18. Contact
- Data Protection Officer: privacy@beindexed.ai
- Legal: legal@beindexed.ai