Data Processing Addendum

This Data Processing Addendum ("DPA") applies where HuntSales, operated by BizGrants Consulting Pte Ltd ("Processor"), processes personal data on behalf of a customer ("Controller") in the course of providing the service. The Controller determines the purposes and means of processing; the Processor processes personal data only on the Controller's documented instructions.

• Subject matter: provision of the HuntSales outreach CRM.
• Duration: the term of the customer's subscription, plus any retention period set out below.
• Types of data: business contact data (names, roles, companies, business emails and phone numbers), campaign content, and related engagement records uploaded or generated by the Controller.
• Data subjects: the Controller's prospects, contacts, and recipients.

• Process personal data only on the Controller's instructions.
• Ensure personnel authorised to process personal data are bound by confidentiality.
• Implement appropriate technical and organisational security measures (see clause 5).
• Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment obligations.

The Controller authorises the Processor to engage sub-processors (for example, cloud hosting, database, email-delivery, and payment providers) to support the service. The Processor remains responsible for its sub-processors' performance and imposes data-protection obligations on them no less protective than this DPA. A current list of sub-processors is available on request.

The Processor maintains industry-standard safeguards including encryption of data in transit, encrypted storage of credentials, row-level security isolating each customer's data, access controls, and regular security reviews.

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will provide information reasonably required for the Controller to meet its own notification obligations.

Where personal data is transferred outside Singapore or the data subject's jurisdiction, the Processor ensures a comparable standard of protection through appropriate safeguards (such as contractual clauses) consistent with the PDPA and, where applicable, the GDPR.

On termination of the service, the Processor will, at the Controller's choice, delete or return the Controller's personal data, and delete existing copies unless retention is required by law. Rolling encrypted backups are purged on their normal cycle (typically within 30 days).

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and scheduling.

To request the sub-processor list, raise a data-protection matter, or execute a counter-signed copy of this DPA, contact enquiries@bizgrants.consulting. This DPA is governed by the laws of Singapore and supplements our Terms and Privacy Policy.