Data processing addendum

Capitalised terms used but not defined in this DPA have the meanings given in the Principal Agreement. The following definitions apply:

• Applicable Data Protection Law— the data-protection laws applicable to a party as a controller or processor in respect of the personal data processed under this DPA, including (without limitation) Singapore's Personal Data Protection Act, Indonesia's Personal Data Protection Law, Vietnam's Personal Data Protection Decree, the UK GDPR, and the EU GDPR where applicable.
• Controller, Processor, Personal Data, Processing, Data Subject — have the meanings given in Applicable Data Protection Law.
• Sub-processor — any third party engaged byTanah to process Customer Personal Data, listed at /subprocessors.
• Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

For the purposes of this DPA, with respect to Customer Personal Data, Customer is the Controller and Tanah is the Processor. Each party will comply with the obligations applicable to it under Applicable Data Protection Law.

Tanah processes its own internal data — staff records, security logs, payment records, etc. — as a controller in its own right. That processing is governed by /privacy, not this DPA.

• Subject matter. Provision of the Tanahplatform under the Principal Agreement.
• Duration. The term of the Principal Agreement plus any retention period required to comply with Applicable Data Protection Law and the security and audit obligations of this DPA.
• Nature and purpose. Hosting, transmission, analysis, and presentation of Customer Personal Data to deliver advisory, valuation, underwriting, treasury, and related services.
• Types of personal data. Identification data of authorised users, contact data, role and entitlement data, authentication data, audit-log data, and (where the Customer or their counterparties submit it) personal data embedded in financial documents, identity documents, and corporate records.
• Categories of data subjects.Authorised users of the Customer; representatives of the Customer's counterparties; signatories on documents submitted to the platform; beneficial owners disclosed under know-your-customer obligations.

Customer authorises Tanah to engage Sub-processors to process Customer Personal Data, subject to the conditions in this section. The current list of Sub-processors is published at /subprocessors.

• Tanah will impose data-protection terms on each Sub-processor that are no less protective than those of this DPA.
• Tanahwill give Customer at least thirty days' notice before adding or replacing a Sub-processor that processes Customer Personal Data of confidential or restricted classification.
• Customer may object to a proposed Sub-processor on reasonable grounds related to data protection. Where the objection cannot be resolved, the parties will discuss in good faith the alternatives, including suspension of the relevant processing or termination of the affected services.

Tanahwill assist Customer, by appropriate technical and organisational measures and taking into account the nature of the processing, to fulfil Customer's obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.

Where Tanah receives a request directly from a data subject in connection with Customer Personal Data, Tanahwill, unless prohibited by law, redirect the data subject to the Customer and notify Customer.

Tanah maintains the technical and organisational measures described at /security, including encryption in transit and at rest, role-based access control, multi-factor authentication for staff, audit logging, dependency scanning, secret scanning, backup, and incident response. Tanah reviews these measures periodically and adjusts them in line with evolving threats and the customer base.

Tanah will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe — to the extent known at the time — the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures Tanah has taken or proposes to take to address the breach.

Customer remains responsible for any onward notifications to regulators or data subjects required under Applicable Data Protection Law.

On reasonable prior written notice and no more than once per twelve-month period (except where required by Applicable Data Protection Law or in response to a Personal Data Breach),Tanah will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. That information may take the form of relevant audit reports, summaries of penetration tests (when available), or a written response to a focused audit questionnaire.

To the extent Tanahor a Sub-processor processes Customer Personal Data outside the jurisdiction in which Customer is established, the parties will rely on a transfer mechanism permitted under Applicable Data Protection Law, including (as applicable) standard contractual clauses, adequacy decisions, or other approved mechanisms. The transfer mechanism applicable to a particular processing activity is specified in the relevant Sub-processor's listing at /subprocessors.

This DPA continues for the term of the Principal Agreement. On termination of the Principal Agreement, Tanahwill, at Customer's election, return or delete Customer Personal Data within ninety days, except to the extent retention is required by law or by the security and audit obligations of this DPA.

This DPA is governed by, and construed in accordance with, the governing-law provision of the Principal Agreement.

Information on this site is provided for general informational purposes only and does not constitute an offer, solicitation, financial advice, or a recommendation to enter into any transaction. Tanah is not currently licensed by any financial regulator. Joining the waitlist is a request to be notified — it is not an offer of any regulated product. Capital is at risk; past performance is not indicative of future results.