Annex A — Data Processing Addendum
A1. Roles & Scope.
For Customer Data that is personal data under PDPA, the Customer is the data user/controller and TEERA.AI acts as data processor. This DPA applies to TEERA.AI’s processing of such personal data solely to provide the Services and on documented instructions from Customer, unless otherwise required by law.
A2. Customer Instructions.
TEERA.AI will process personal data only on Customer’s documented instructions (including via the Agreement and configuration of the Services), unless required by law. TEERA.AI will promptly inform Customer if an instruction infringes PDPA or other applicable law.
A3. Confidentiality.
TEERA.AI ensures personnel with access to personal data are bound by confidentiality obligations.
A4. Security.
TEERA.AI implements appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, including (as appropriate) encryption in transit and at rest, access controls, logging/monitoring, secure development practices, and vulnerability management.
A5. Sub-processors.
Customer authorizes TEERA.AI to engage sub-processors to support the Services (e.g., cloud hosting, email/SMS, analytics, payments). TEERA.AI will maintain a list of current sub-processors upon request and will impose data-protection obligations no less protective than those in this DPA.
A6. International Transfers.
Where personal data is transferred outside Malaysia, TEERA.AI will ensure appropriate safeguards consistent with PDPA (e.g., contractual clauses with recipients) and will remain responsible for sub-processors.
A7. Assistance.
Taking into account the nature of processing, TEERA.AI will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer’s obligations to respond to data-subject requests and to comply with security, breach notification, impact assessments, and consultations with authorities.
A8. Breach Notification.
TEERA.AI will notify Customer without undue delay and within 72 hours after confirming a personal-data breach. The notice will include, where available, the nature of the breach, categories/approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
A9. Return & Deletion.
Upon termination/expiry of the Services, TEERA.AI will, at Customer’s choice where feasible, return or make available an export of personal data for 7 days, and will delete or irreversibly anonymize personal data by day 14, subject to legal retention.
A10. Audit.
Upon written request no more than annually and subject to confidentiality, TEERA.AI will provide available third-party compliance reports or summaries and will reasonably cooperate with Customer’s data-protection inquiries. Any onsite audits require prior written agreement on scope, timing, and cost.
A11. Liability.
DPA liability is governed by the limitation in Section 15 of the Terms.