Transfer Risk Assessment — Singapore
- Subject: Transfers of Customer Personal Data from the EEA / UK / Switzerland to Nozemans Software Pte Ltd in Singapore.
- Importer role: Processor under GDPR Article 28.
- Transfer mechanism: 2021 EU SCCs Module 2 (Controller → Processor).
- Last reviewed: 2026-04-30.
- Owner: Lauren ten Hoor (DPO, Nozemans Software Pte Ltd).
- Review cadence: annually, or on any material change to Singapore surveillance law.
This document records our Transfer Impact / Risk Assessment as required by the EDPB Recommendations 01/2020 (post-Schrems II) and Clause 14 of the 2021 SCCs.
1. Description of the transfer
| Item | Detail |
|---|---|
| Data exporter | EEA-based Customer (Controller) |
| Data importer | Nozemans Software Pte Ltd, Singapore (Processor) |
| Purposes | Performance management (360° feedback), AI summarisation, time-tracking |
| Categories of data subjects | Customer's employees, contractors, business contacts |
| Categories of personal data | Identification, organisational role, qualitative feedback, time entries, authentication metadata. No special-category data (Art. 9) by design. |
| Transfer mechanism | 2021 EU SCCs Module 2 |
| Onward transfers | Sub-processors per Annex III of the DPA |
| Format | Encrypted in transit (TLS 1.2+) and at rest (AES-256) |
2. Legal regime in Singapore
2.1 Personal Data Protection Act 2012 (PDPA)
Singapore's PDPA imposes consent, purpose limitation, accuracy, retention, and security obligations on private-sector organisations. It is enforced by the Personal Data Protection Commission (PDPC). Cross-border transfer rules require the transferring organisation to ensure comparable protection, which is generally satisfied by contractual provisions like SCCs.
The PDPA was substantially updated in 2020 to add mandatory data-breach notification, financial penalties up to 10% of annual local turnover, and an enhanced right of private action.
2.2 Government access laws relevant to surveillance
The principal Singapore laws under which government bodies may compel disclosure of stored personal data are:
- Criminal Procedure Code (CPC), s.20: allows the police to require any person to produce documents that are relevant to a criminal investigation. Subject to proportionality and judicial oversight.
- Internal Security Act (ISA), 1960: broad executive powers in the interest of national security; disclosure orders are possible but rare in commercial contexts. Subject to high-court judicial review of detention but the Act itself constrains review of the substantive determination.
- Computer Misuse Act (CMA), 1993: provides investigatory powers for cybercrime offences; subpoenas typically require a warrant.
- Income Tax Act, Goods and Services Tax Act: routine financial-records access for tax purposes. Not relevant to performance feedback content.
- Telecommunications Act, s.58: allows interception in narrow circumstances, requires Ministerial authorisation.
- Banking Act / Securities and Futures Act: sectoral; not applicable to Cadences.work.
Singapore is not a member of the Five Eyes and does not participate in the same intelligence-sharing arrangements as the United States. Singapore also does not have a generalised mass-surveillance regime equivalent to FISA Section 702 in the US.
3. Practical assessment of risk
3.1 Likelihood of a public-authority access request
Cadences.work processes employee performance data and time-tracking data on behalf of EU-based corporate customers. Such data is unlikely to be of intelligence interest to Singapore authorities, and we have not received any access request from a Singapore authority in the company's history (n=0 to date).
3.2 Routes of access
Any access by a Singapore authority would proceed via the legal channels in §2.2 above, each of which has documented procedural safeguards (proportionality, judicial or ministerial oversight, the right to challenge). There is no informal back-channel known to operate against private cloud services in Singapore.
3.3 Encryption and effective control
Customer Personal Data sits at rest on Supabase infrastructure in Ireland (eu-west-1), not in Singapore. The Singapore-based importer (Cadences) accesses this data only via authenticated API calls over TLS, and never stores customer data on equipment located in Singapore. A Singapore authority compelling Lauren ten Hoor or Nozemans Software Pte Ltd would obtain the credentials needed to access the EU-resident database; this is the exposure that needs supplementary measures.
4. Supplementary measures in place
In line with EDPB Recommendations 01/2020 §76:
| Measure | Status |
|---|---|
| Encryption in transit with up-to-date protocols | Implemented (TLS 1.2+) |
| Encryption at rest with keys held by the cloud provider | Implemented (Supabase AES-256) |
| Pseudonymisation where possible | Partial — names and emails are stored to provide the service; AI prompts use minimal identifiers |
| Contractual measures — full SCCs, additional commitments to challenge unlawful requests, transparency on requests received, prompt notification of any access request | Implemented via DPA §10 and SCC Module 2 Clauses 14–15 |
| Organisational measures — privacy policy, restricted access, audit logs, training | Implemented |
| Transparency report of any government access requests received | Will publish first transparency report at https://cadences.work/trust/transparency once the company has a 12-month reporting period |
5. Conclusion
Taking into account:
- the fact that Singapore's PDPA establishes a recognised data-protection regime,
- the absence of a US-style FISA-702 equivalent,
- the limited likelihood that performance-management data is of interest to Singapore authorities,
- the encryption and contractual supplementary measures listed in §4,
- the fact that Customer Personal Data is physically resident in the EU on Supabase Ireland (eu-west-1) rather than in Singapore,
we assess that the transfer to Singapore can be carried out in compliance with the SCCs and the GDPR. Cadences will:
- Promptly notify the data exporter of any binding request from a Singapore public authority (SCCs Clause 15.1(a));
- Challenge any request that is overbroad or unlawful (Clause 15.2);
- Re-run this assessment on any material change to Singapore surveillance law or company circumstance.
6. Sign-off
| Role | Name | Date |
|---|---|---|
| Data Protection Officer | Lauren ten Hoor | 2026-04-30 |
| Director | Lauren ten Hoor | 2026-04-30 |