Data Processing Agreement (DPA) — Template
Last updated: 2026-05-01
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement, Terms of Service, or other written or electronic agreement between the parties ("Principal Agreement") under which Cadences.work provides services to the Customer.
Between:
Nozemans Software Pte. Ltd., a private company limited by shares incorporated in Singapore (UEN 202507332E) with registered office at 160 Robinson Road #14-04, Singapore Business Federation Center, Singapore 068914 (referred to in this DPA as "Cadences", the "Processor"),
and
[CUSTOMER LEGAL NAME], with registered office at [CUSTOMER ADDRESS] (the "Customer", the "Controller"),
each a "Party" and together the "Parties".
1. Definitions
Capitalized terms used in this DPA but not defined here have the meaning given in the Principal Agreement or, where applicable, in the GDPR.
- "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation) and any national legislation implementing or supplementing it.
- "Personal Data" has the meaning given in Article 4(1) GDPR.
- "Customer Personal Data" means Personal Data that the Customer or its Authorised Users submit to or generate within the Cadences.work service in the course of using it.
- "Sub-processor" means any third party engaged by Cadences to process Customer Personal Data on its behalf.
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject matter, duration and roles
2.1. The Customer acts as Controller and Cadences acts as Processor with respect to Customer Personal Data, as further described in Annex I.
2.2. This DPA applies for the duration of the Principal Agreement and survives until all Customer Personal Data has been deleted or returned in accordance with §11.
2.3. Where the Customer is itself acting as a Processor for a third-party Controller (e.g. its own customer), the Customer represents that it has the authority to instruct Cadences as a Sub-processor under that Controller's instructions, and Cadences will act as Sub-processor accordingly.
3. Customer instructions
3.1. Cadences will process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, except where required to do so by Singapore, EU or Member State law to which Cadences is subject.
3.2. The Principal Agreement, together with the use of the service in accordance with its documentation, constitutes the Customer's complete and final instructions to Cadences.
3.3. Cadences will inform the Customer if it believes an instruction violates the GDPR or other applicable data protection law.
4. Personnel and confidentiality
4.1. Cadences ensures that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
4.2. Access to Customer Personal Data within Cadences is granted on a need-to-know basis and reviewed at least quarterly.
5. Security measures
5.1. Cadences implements appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, as described in Annex II.
5.2. The TOMs may evolve to address new threats; Cadences will not materially decrease the level of protection during the term of the Principal Agreement.
6. Sub-processors
6.1. The Customer provides a general authorisation for Cadences to engage Sub-processors for the performance of the service. The current list of Sub-processors is set out in Annex III and at https://cadences.work/trust/sub-processors.
6.2. Cadences will give the Customer at least 30 days' prior notice of the intended addition or replacement of a Sub-processor processing Customer Personal Data, by email to the Customer's notified contact address and via the Sub-processors page.
6.3. The Customer may object to such addition or replacement on reasonable data-protection grounds within the notice period. The Parties will discuss in good faith. If no resolution is reached, the Customer may terminate the affected service for cause without penalty.
6.4. Cadences imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for the performance of each Sub-processor's obligations.
7. International transfers
7.1. Cadences is established in Singapore. Customer Personal Data may be transferred to and processed in Singapore and, via Sub-processors, in other countries listed in Annex III.
7.2. For transfers from the European Economic Area, the United Kingdom, or Switzerland to countries that are not subject to an adequacy decision, the Parties agree to be bound by the 2021 EU SCCs, Module Two (Controller to Processor), which are incorporated by reference into this DPA. Where the Customer acts as Processor, the Parties are bound by Module Three (Processor to Sub-processor) instead.
7.3. The choice of options within the SCCs is as follows:
- Clause 7 (Docking clause): does not apply.
- Clause 9 (Use of sub-processors): Option 2 — General written authorisation with 30 days' notice as specified in §6.2.
- Clause 11 (Redress): the optional independent dispute resolution body does not apply.
- Clause 17 (Governing law): law of the Netherlands.
- Clause 18 (Choice of forum): courts of the Netherlands.
- Annex I.A (List of Parties): as set out in Annex I.
- Annex I.B (Description of transfer): as set out in Annex I.
- Annex I.C (Competent supervisory authority): the supervisory authority of the Customer's establishment in the EEA, or — where the Customer is established outside the EEA — the supervisory authority indicated by the EU Representative.
- Annex II (TOMs): as set out in Annex II.
- Annex III (Sub-processors): as set out in Annex III.
7.4. For UK transfers, the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office is incorporated.
7.5. For Swiss transfers, the SCCs apply with the modifications set out by the Swiss Federal Data Protection and Information Commissioner.
7.6. A Transfer Risk Assessment for transfers to Singapore and the United States is available on request.
8. Assistance with data subject rights
8.1. Cadences provides self-service tools to enable the Customer to fulfil data subject rights (access, rectification, erasure, portability, restriction, objection) without Cadences's intervention.
8.2. Where Cadences receives a data subject request directed at Customer Personal Data, it will refer the request to the Customer without undue delay and will not respond directly except to confirm the referral.
8.3. Cadences will provide reasonable assistance to the Customer for requests that cannot be self-served, at the rates set out in the Principal Agreement (or, absent such rates, at Cadences's reasonable cost).
9. Assistance with security and DPIA obligations
Cadences provides reasonable assistance to the Customer with: data protection impact assessments (Art. 35 GDPR); prior consultation (Art. 36 GDPR); compliance with security obligations (Art. 32 GDPR); and personal data breach notifications (Art. 33–34 GDPR).
10. Personal data breach notification
10.1. Cadences will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any case within 72 hours where reasonably possible.
10.2. The notification will include, to the extent known: the nature of the breach, the categories and approximate volume of data affected, the likely consequences, and the measures taken or proposed to address it.
10.3. Cadences will provide ongoing updates as the investigation progresses.
11. Return and deletion
11.1. On termination of the Principal Agreement, the Customer may, within 30 days, request export of Customer Personal Data by written request to Cadences (or, where available, via self-service export tools).
11.2. After 30 days, Cadences will delete all Customer Personal Data from active systems within 30 further days, and from backups within the standard backup-retention period (currently 30 days), unless retention is required by applicable law.
11.3. Customer Personal Data under this DPA is distinct from records the Customer provides as a Controller in its own right (e.g. billing contact details, signed contract copies). The latter may be retained by Cadences for the periods required by tax, accounting, and contract-record law in Singapore (5 years) and the Netherlands (7 years).
11.4. Cadences will, on written request, certify in writing that deletion has been completed.
12. Audits
12.1. Cadences makes available to the Customer all information necessary to demonstrate compliance with this DPA and the GDPR.
12.2. Cadences provides annually:
- a current sub-processor list,
- a description of TOMs,
- a summary of any Personal Data Breaches affecting the Customer,
- once available, the report of any third-party certification audit (e.g. ISO 27001 certificate, SOC 2 report).
12.3. The Customer may, at its own expense and with at least 30 days' prior written notice (or sooner if required by a supervisory authority), audit Cadences's compliance with this DPA, no more than once per calendar year, conducted during business hours and in a manner that does not interfere with Cadences's operations. The Parties may agree that the audit be conducted by a mutually agreed independent third party under confidentiality.
13. Liability
The liability of each Party under this DPA is subject to the liability provisions of the Principal Agreement.
14. Order of precedence
In case of conflict between this DPA and the Principal Agreement, this DPA prevails to the extent of the conflict, and the SCCs prevail over both.
15. Governing law and forum
This DPA is governed by the law of the Netherlands, and the courts of the Netherlands have exclusive jurisdiction over any dispute arising out of or in connection with it.
Annex I — Description of Processing
A. List of Parties
Data Exporter (Controller): the Customer as named on the cover page. Contact: as set out in the Customer's account in Cadences.work.
Data Importer (Processor): Nozemans Software Pte. Ltd., Singapore. Contact: privacy@cadences.work. EU Representative under Art. 27 GDPR: to be appointed; details published at https://cadences.work/privacy. UK Representative under Art. 27 UK GDPR: to be appointed; details published at https://cadences.work/privacy. Singapore Data Protection Officer: Lauren ten Hoor, privacy@cadences.work.
B. Description of transfer
| Item | Detail |
|---|---|
| Categories of data subjects | Customer's employees, contractors, and business contacts who are end-users of the service; persons identified within feedback content (e.g. peers being reviewed); persons named in time-tracking entries |
| Categories of personal data | Identification (name, email, role, employer); profile data (manager / direct-report relationships, organisational structure); feedback content (free-text qualitative assessments, ratings, peer comments); time-tracking data (hours worked, tasks, project allocation); authentication data (single-use magic-link / OTP tokens, SSO assertions where the Customer has configured SSO, session and refresh tokens; no end-user passwords stored by default); usage logs (IP address, device, timestamps) |
| Sensitive categories | None expected by design. The Customer must not submit special-category data (Art. 9 GDPR) into free-text fields. |
| Frequency | Continuous, for the duration of the Principal Agreement |
| Nature of the processing | Storage, retrieval, organisation, structuring, backup, transmission via email. AI-assisted summarisation and analysis is offered as an experimental, opt-in feature: it is disabled by default and engaged only where the Customer's administrator has explicitly enabled it for the Customer's organisation. |
| Purpose | Performance management, 360° feedback, and time-tracking workflows operated by the Customer |
| Retention period | For the duration of the Principal Agreement plus 30 days, except where the Customer configures shorter retention or where law requires longer retention |
| Sub-processor transfers | As listed in Annex III |
C. Competent Supervisory Authority
The supervisory authority of the Customer's main establishment in the EEA. Where the Customer is established outside the EEA, the supervisory authority indicated by the EU Representative — by default the Autoriteit Persoonsgegevens (Netherlands) until otherwise notified.
Annex II — Technical and Organisational Measures (TOMs)
The following measures are implemented by Cadences to protect Customer Personal Data. They evolve over time; the version current as of contract signature is preserved for evidentiary purposes.
II.1 Pseudonymisation and encryption
- All data in transit is encrypted with TLS 1.2 or higher.
- All data at rest in the database is encrypted (AES-256) by Supabase.
- Backups are encrypted at rest.
- End-user authentication is passwordless by default (magic-link / email OTP via Supabase Auth) or via the Customer's SAML/OIDC identity provider where SSO is configured. Magic-link tokens are single-use and short-lived; Cadences does not store user passwords. Where any password material is held by Supabase Auth, it is hashed (bcrypt).
II.2 Confidentiality, integrity, availability and resilience
- Network: production database is reachable only from Cadences's authenticated application, not exposed to the public internet without authentication.
- Access control: role-based access control within the application; least-privilege admin roles for infrastructure.
- Multi-factor authentication required on all administrative accounts.
- Production deployments require source-code review (as a single-person operation, this is currently an AI-assisted self-review until additional reviewers are added).
- Logging: platform-level access and authentication logs retained per the providers' defaults (Vercel, Supabase). An application-level audit log of personal-data access is being introduced in 2026 with a minimum retention of 365 days.
II.3 Restoring availability after incident
- Point-in-time recovery (PITR) on the database with target RPO 2 minutes, RTO ~30 minutes.
- Backups retained for 30 days minimum.
- Restore drill performed at least annually, with results recorded.
II.4 Regular testing and evaluation
- Quarterly review of access permissions across all administrative accounts.
- Automated dependency vulnerability scanning (Renovate).
- External penetration test conducted at least annually.
II.5 User identification and authorisation
- Customer-side end-user authentication is passwordless by default: a single-use magic link / email OTP issued by Supabase Auth. Where the Customer configures SAML or OIDC single sign-on for its tenant, end-users authenticate at the Customer's identity provider instead, and any factor policies (MFA, conditional access, risk-based step-up) are enforced by that IdP.
- Session tokens are short-lived and rotated by Supabase Auth; sessions expire on inactivity per the platform configuration.
- Cadences-side: MFA required on all administrative accounts (TOTP via Google Authenticator, backed by Google 2-Step Verification on the founder's Google identity for services using Google SSO).
II.6 Protection during transmission and storage
As §II.1.
II.7 Physical security
- No on-premise data centre. All infrastructure is hosted on certified providers (Vercel, Supabase) with physical security inherited from those providers.
- Founder's laptop has full-disk encryption (FileVault), automatic screen lock, and OS auto-updates enabled.
II.8 Event logging
- Vercel and Supabase platform logs retained per provider defaults; reviewed during incident investigation and on a sample basis quarterly.
- An application-level audit log of personal-data access is being introduced in 2026 with a minimum retention of 365 days.
II.9 System configuration, including default configuration
- Production environment is separate from development.
- Configuration as code (Git-managed) for infrastructure.
- Secrets managed via Vercel and Supabase environment-variable systems; never committed to source control.
II.10 Internal IT and IT security governance
- This DPA and the Information Security Policy (ISP-001) together describe internal governance.
II.11 Certification and assurance
- Sub-processor certifications: Vercel and Supabase hold SOC 2 Type II and ISO 27001 (or equivalent).
- Cadences targets ISO 27001 certification of its own; certificate will be made available once obtained.
II.12 Data minimisation
- Only data fields required for the requested service are collected.
- AI features are experimental and disabled by default; where a Customer opts in, AI processing receives only the relevant feedback text, not the full user record. Cadences does not train any model on customer data; provider-side data-handling is governed by the provider's own API terms.
II.13 Data quality and limited retention
- Customers may correct or delete data at any time via the application.
- Per-Customer configurable retention policies are on the 2026 roadmap; until then, data is retained for the duration of the Principal Agreement plus 30 days as set out in §11.
II.14 Accountability
- Personal data breach response per the Incident Response Runbook.
- Records of processing maintained internally.
II.15 Allow data portability and ensure erasure
- Customer Personal Data is exported in machine-readable format (JSON / CSV) on written request and, as self-service tooling rolls out in 2026, directly through the application.
- Erasure is performed on written request and, as self-service tooling rolls out, directly through the application with a grace period before permanent deletion.
Annex III — Sub-processors
The current list of authorised Sub-processors is set out at https://cadences.work/trust/sub-processors and reproduced as of the date of this DPA at docs/compliance/sub-processors.md.
Signed for and on behalf of the Processor:
| | |
|---|---|
| Name: | Lauren ten Hoor |
| Title: | Director |
| Date: | |
| Signature: | |
Signed for and on behalf of the Controller:
| | |
|---|---|
| Name: | |
| Title: | |
| Date: | |
| Signature: | |