Data Processing Addendum
Version 1.0 · Last updated: 30 April 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between FirmWorks Pte. Ltd. (“FirmWorks”, “Processor”) and the customer organization that signed up for the Service (“Customer”, “Controller”) under our Terms of service. It governs Processing of Personal Data carried out by FirmWorks on Customer’s behalf in providing the Service.
This DPA is designed to satisfy our obligations as a Processor under GDPR Article 28, the UK GDPR, the Singapore PDPA, and the Thailand PDPA. Where local law imposes stricter obligations on Customer’s side, those obligations remain Customer’s responsibility.
By accepting our Terms of service, Customer accepts this DPA. A counter-signed PDF copy is available on request — see Signature at the end.
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of service or applicable data-protection law.
- Personal Data means any information relating to an identified or identifiable natural person that Customer or its Authorized Users put into the Service.
- Processing means any operation performed on Personal Data, such as storage, retrieval, transmission, or deletion.
- Data Subject means the natural person the Personal Data relates to.
- Sub-processor means a third party engaged by FirmWorks to Process Personal Data in connection with the Service.
- Personal Data Breach means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles and subject matter
Customer is the Controller of the Personal Data Processed under this DPA. FirmWorks is the Processor, acting on Customer’s documented instructions.
Subject matter: Processing of Personal Data necessary to provide the Service to Customer and its Authorized Users.
Duration: for the term of Customer’s subscription, plus the post-termination retention windows in Section 12 below.
3. Nature, purpose, and categories
Nature and purpose: hosting, transmitting, displaying, indexing, and otherwise enabling Customer to use the documents, HR, projects, chat, notes, boards, and billing features of the Service.
Categories of Data Subjects typically include: Customer’s personnel, contractors, contacts, suppliers, customers, and any other individuals Customer chooses to record in the Service.
Categories of Personal Data typically include: name, email, organization, role, contact details, employment metadata (start/end date, department, leave records), document content, financial-document metadata (invoice line items, tax IDs, amounts), project and task assignments, chat and note content, and uploaded files.
FirmWorks does not request, and does not knowingly Process, special-category Personal Data (e.g. health, biometrics, political opinions, religious beliefs). If Customer chooses to put such data into the Service, Customer is solely responsible for the legal basis to do so under applicable law.
4. Customer instructions
FirmWorks Processes Personal Data only on Customer’s documented instructions, which are:
- The features of the Service that Customer uses.
- Configuration choices Customer makes (e.g. invite-domain allowlist, roles).
- Reasonable written instructions Customer sends to legal@firmworks.com.
FirmWorks will inform Customer if, in our opinion, an instruction violates applicable data-protection law, and may decline to act on it until the issue is resolved.
5. Confidentiality
FirmWorks ensures that personnel authorised to Process Personal Data are bound by written confidentiality obligations and receive role-appropriate training. Access to production data is limited to personnel who need it to operate the Service.
6. Security measures
FirmWorks implements technical and organisational measures appropriate to the risk, including:
- TLS 1.2 or later for all data in transit; encryption at rest for the primary database and its backups.
- Passwords stored only as salted hashes (via Better Auth); FirmWorks never stores plaintext passwords.
- Multi-tenant isolation enforced server-side on every database query, with cross-tenant integration tests in CI.
- Database-mode rate limiting on credential endpoints and Vercel BotID on every auth endpoint.
- Per-organization audit log of administrative actions, viewable by org owners and admins.
- OpenTelemetry tracing for incident response; Sentry error capture when configured.
- Daily encrypted backups taken by our database provider, retained 30 days, with point-in-time recovery available within the retention window.
See /security for the full list of controls FirmWorks ships in production. FirmWorks may update these measures from time to time, provided the level of protection is not materially decreased.
FirmWorks does not currently hold a SOC 2 Type II report or ISO/IEC 27001 certification. We do not claim certifications we have not completed. Customers requiring formal attestations should email security@firmworks.com before procurement.
7. Sub-processors
Customer authorises FirmWorks to engage the Sub-processors listed below to Process Personal Data in connection with the Service. Each Sub-processor is bound by data-protection obligations no less protective than this DPA.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, edge functions, file storage (Vercel Blob) | Singapore (ap-southeast-1) |
| Neon | Postgres database, daily encrypted backups | Singapore (ap-southeast-1) |
| Stripe | Payment processing, subscription billing | Global |
| Resend | Transactional email (verification, invites, invoices) | United States |
FirmWorks may add or replace Sub-processors. We will update this list and notify organization owners by email at least 14 days before the change takes effect. Customer may object on reasonable data-protection grounds within that window; if the objection cannot be resolved, Customer may terminate the affected portion of the Service for convenience.
8. International transfers
Primary Processing takes place in Singapore (ap-southeast-1). Limited transfers occur to Stripe (global) and Resend (United States) as listed above. Where Personal Data subject to GDPR or UK GDPR is transferred outside the EEA or UK, FirmWorks relies on the European Commission’s Standard Contractual Clauses (or the UK equivalent), incorporated by reference into Sub-processor contracts. For Singapore and Thailand transfers, FirmWorks complies with the cross-border-transfer obligations of the respective PDPAs.
9. Data subject rights
Customer is responsible for responding to Data Subject requests (access, correction, deletion, portability, objection). FirmWorks provides the following self-service tooling to help Customer respond directly:
- In-app data export (CSV / JSON) covering documents, HR, projects, notes, and audit log.
- In-app member-management actions for correction (edit profile) and deletion (remove member, close account).
- Per-organization audit log accessible to org owners and admins.
For requests Customer cannot fulfil through the Service, email privacy@firmworks.com. FirmWorks will assist within 30 days, taking into account the nature of the Processing and the information available to FirmWorks.
10. Personal data breach notification
FirmWorks will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting Customer’s data. The notification will include, to the extent then known:
- The nature of the breach.
- Categories and approximate counts of affected Data Subjects and records.
- Likely consequences.
- Measures taken or proposed to address the breach and mitigate harm.
- The contact point for follow-up.
Notifications are sent to the email on file for the organization owner. Customer is responsible for keeping that contact current.
11. Audit rights
FirmWorks will make available information necessary to demonstrate compliance with this DPA. To minimise disruption to the Service, audit rights are satisfied as follows, in this order of preference:
- FirmWorks responds to a reasonable security questionnaire within 30 days. This is the default and covers the vast majority of buyer requirements.
- FirmWorks shares any then-current third-party attestation reports under NDA, if available.
- On 30 days’ written notice, no more than once per 12-month period, and at Customer’s cost, Customer may engage a mutually agreed independent auditor to conduct a remote audit of agreed scope, subject to a confidentiality agreement and reasonable security controls. On-site audits are out of scope.
Regulators with statutory authority may exercise audit rights as the law requires; FirmWorks will cooperate as required.
12. Return and deletion of data
On termination or expiration of the subscription, Customer may export Personal Data from the Service for up to 30 days. After that period, FirmWorks will delete Personal Data per the retention schedule in our Privacy policy. Encrypted backups containing Personal Data are retained for up to 30 days and then overwritten in the normal backup-rotation cycle. Billing records may be retained as required by tax law for up to seven years. Audit logs are retained for one year.
13. Liability and indemnity
The aggregate liability of either party arising out of or related to this DPA is subject to the limitations of liability in the Terms of service.
14. Order of precedence
In the event of a conflict between this DPA and the Terms of service on a matter of Personal Data Processing, this DPA controls. On all other matters, the Terms of service control. If Standard Contractual Clauses or equivalent statutory clauses apply, those clauses prevail over both documents to the extent they conflict.
15. Governing law
This DPA is governed by the laws of Singapore. Disputes go before the courts of Singapore. Where mandatory data-protection law of Customer’s home jurisdiction applies, that law controls to the extent of any conflict.
16. Changes
FirmWorks may update this DPA. Material changes are emailed to organization owners and posted on this page at least 14 days before they take effect. The version number and date at the top of this page indicate the current version.
17. Signature
Customer accepts this DPA by accepting our Terms of service. If your procurement process requires a counter-signed PDF copy:
- Email legal@firmworks.com with your organization name and the email of the FirmWorks workspace owner.
- We will reply with a counter-signed PDF of this DPA at the version above, normally within 5 business days.
- You sign and return one copy; we keep the other on file. The PDF version supersedes this web page only for the parties named on it, and only for that version.
Contact
FirmWorks Pte. Ltd. (Singapore) · legal@firmworks.com
See also our Privacy policy, Terms of service, and Security overview.