How to use this page: read it, share with your privacy team, and either (a) consider yourself bound by these terms upon use of Onsight (the default), or (b) request a countersigned PDF for your file by emailing privacy@cascadeasia.com. For enterprise customers with a signed Master Services Agreement, the DPA executed alongside that MSA controls and supersedes anything stated here.
Who's the controller, who's the processor.
This DPA is between:
- The Controller — the customer organization that has signed up for Onsight or is using it under a trial. Identified by the email and organization details on the customer's primary account.
- The Processor — Cascade Asia, a Singapore-registered company operating the Onsight platform at cascadeasia.com.
For data Cascade Asia holds about its own customers (account information, billing, support tickets), Cascade Asia is the Controller and our Privacy Policy applies. This DPA governs only data the Controller loads into Onsight about third-party subjects.
Words used in this DPA.
Unless otherwise defined here, terms have the meaning given to them in GDPR (for European customers), the Singapore PDPA, or applicable equivalent law. The following terms apply throughout:
What we process, why, and for how long.
Subject matter
Cascade Asia processes Customer data for the purpose of providing the Onsight platform to the Controller, including: continuous monitoring of subjects, generation of intelligence findings, delivery of commissioned engagements, and routine platform operations (authentication, audit, billing).
Duration
Processing continues for the duration of the Controller's subscription to Onsight, plus a 90-day post-termination export window. Data deletion follows the schedule in Privacy → Retention.
Nature and purpose
Processing operations include: storage of subject records, enrichment with public-source data, indexing for search, computation of integrity index scores, generation of alerts and notifications, capture of evidence with cryptographic timestamping, and export at the Controller's request.
Categories of data subjects
Subjects researched by the Controller, who may be: corporate entities, beneficial owners, directors, officers, key managers, related individuals named in corporate filings or adverse media, and any other natural persons whose data is loaded into the platform by the Controller.
Categories of personal data
Identification data (names, native-script names, aliases, dates of birth where lawfully obtained), professional information (titles, employers, business addresses), corporate-relationship data (shareholdings, directorships, ownership chains), risk-relevant public information (sanctions hits, adverse media, regulatory actions), and any other personal data the Controller chooses to load.
Cascade Asia does not intentionally process special-category data (racial / ethnic origin, political opinion, religious belief, trade-union membership, genetic / biometric, health, sexual orientation) and excludes such categories from the platform's intended scope. If special-category data is loaded by the Controller, the Controller is solely responsible for the lawful basis.
What Cascade Asia commits to do (and not do).
- Process only on documented instructions. Cascade Asia will process Customer data only on the documented instructions of the Controller (those instructions being: provide the Onsight service per its published functionality), including with regard to international transfers, except as required by Singapore or applicable law.
- Confidentiality. Cascade Asia ensures that personnel authorized to process Customer data are bound by appropriate confidentiality obligations.
- Security. Implement the technical and organizational measures described in Annex I (and the public Security page at cascadeasia.com/cascade-security.html), reviewed and updated periodically.
- Sub-processors. Engage sub-processors only with general written authorization, identified in Annex II. Cascade Asia notifies the Controller at least 30 days before adding or replacing a sub-processor that handles Customer data; the Controller may object on reasonable grounds.
- Data-subject requests. Cooperate with the Controller in responding to data-subject access, correction, deletion, restriction, objection, and portability requests, by providing tools, information, and reasonable assistance.
- Breach notification. Notify the Controller without undue delay (and no later than 72 hours) of any personal data breach affecting Customer data; assist the Controller with downstream regulatory notifications as required.
- Assistance. Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities to the extent reasonably required.
- Audit. Make available all information necessary to demonstrate compliance with this DPA and contribute to audits as set out in section 10.
- Deletion or return. At the Controller's choice, delete or return all Customer data to the Controller after the end of services, except where Singapore or applicable law requires retention. See retention schedule.
- Inform. Promptly inform the Controller if, in Cascade Asia's opinion, an instruction infringes applicable data-protection law.
Who we use, what they see, where they operate.
The Controller authorizes Cascade Asia to engage the sub-processors listed in Annex II and on the publicly maintained list at cascadeasia.com/cascade-security.html#sub-processors. Cascade Asia ensures each sub-processor is contractually bound to data protection obligations no less protective than those of this DPA.
Cascade Asia notifies the Controller of any intended changes to the sub-processor list (additions or replacements that handle Customer data) at least 30 calendar days in advance, by email to the Controller's primary account address and by an in-platform notice. The Controller may object on reasonable grounds within those 30 days; if the parties cannot resolve the objection, the Controller may terminate the affected service with a prorated refund.
The technical and organizational protections.
Cascade Asia implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the controls described in Annex I. Highlights:
- Encryption of Customer data in transit (TLS 1.2+) and at rest (AES-256, managed by AWS KMS via Supabase).
- Authentication with two-factor (TOTP) available for all roles and required for the Cascade Asia admin role.
- Access control via row-level security in PostgreSQL, plus per-role security definer RPCs for privileged operations.
- Audit logging of admin actions and read events; logs retained per the schedule in the Privacy Policy.
- Backups with 30-day point-in-time recovery; quarterly drill verifies restore.
- Personnel bound by confidentiality, with access on a least-privilege basis; access reviewed quarterly.
- Incident response with documented escalation, notification within 72 hours of confirmed breach.
- Vulnerability management with a public responsible-disclosure program and timely patching of dependencies.
The full security posture is published at cascadeasia.com/cascade-security.html and updated as our practices evolve.
Helping the Controller respond to subject requests.
To the extent legally permitted, Cascade Asia will promptly notify the Controller of any data-subject request received by Cascade Asia regarding Customer data, and will not respond to such requests directly unless authorized by the Controller (or required by law).
Cascade Asia provides the following tools to assist the Controller in responding to data-subject requests:
- Access — full data export per data subject available via the platform's export tools.
- Correction — admin tools to amend subject records.
- Deletion — admin tools to delete subject records, subject to Cascade Asia's retention obligations and to the public-record / public-interest exceptions documented in the Privacy Policy.
- Restriction — admin tools to mark subject records as restricted (suppressed from new processing) without deletion.
- Portability — CSV / JSON export of subject data.
For data subjects who contact Cascade Asia directly, Cascade Asia routes the request to the controlling Customer where identifiable, and otherwise responds per the public Right-of-Reply process at onsight-reply.html.
What happens if something goes wrong.
If Cascade Asia becomes aware of a personal data breach affecting Customer data, Cascade Asia will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware. Notification is sent to the Controller's primary account email and any backup contacts the Controller has designated.
- Provide the information needed for the Controller to comply with its own notification obligations under GDPR Article 33 / 34 or equivalent law: the nature of the breach (categories and approximate number of subjects and records affected), the likely consequences, the measures taken or proposed, and the contact for further information.
- Assist with downstream supervisory-authority and data-subject notifications to the extent reasonably required.
- Document the breach internally and produce a post-incident review for shared with affected Controllers within 14 days for any Critical or High severity incident.
Notification is not an admission of fault by Cascade Asia. Cascade Asia commits to good-faith disclosure even where investigation is incomplete; subsequent updates may correct earlier statements as facts develop.
Singapore primary; SCCs where transfers cross borders.
Cascade Asia stores Customer data in Singapore (AWS ap-southeast-1). Some sub-processors operate in other jurisdictions (see Annex II); transfers of Customer data to those sub-processors are international transfers for GDPR purposes.
Where the Controller is established in the European Economic Area, the United Kingdom, or Switzerland, the parties enter into the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor) by reference, with the following module choices and free-text fields:
- Module Two (controller-to-processor) applies.
- Clause 7 (docking) — does not apply.
- Clause 9(a) — sub-processor authorization — option 2 (general written authorization). Notice period for changes: 30 days, as set in section 5 above.
- Clause 11(a) — independent dispute resolution — does not apply.
- Clause 17 — governing law — Singapore law to the extent permitted; Irish law for SCC purposes where Singapore law is not available.
- Clause 18(b) — choice of forum — Singapore International Arbitration Centre (SIAC).
- Annex I.A (parties), I.B (description of processing), and I.C (competent supervisory authority) are filled by reference to this DPA's Annexes and the Controller's designated supervisory authority.
- Annex II (technical and organizational measures) — see Annex I below.
- Annex III (sub-processors) — see Annex II below.
For UK-originating transfers, the parties incorporate the UK International Data Transfer Addendum to the SCCs. For Swiss-originating transfers, references to "GDPR" should be read as the Swiss FADP where the FADP applies.
How the Controller verifies compliance.
Cascade Asia makes available to the Controller, on reasonable notice, all information necessary to demonstrate compliance with this DPA, in the following ways:
- Standard documentation — current Security page, sub-processor list, SOC 2 report (when achieved), penetration-test summary (when conducted), most recent restore-drill log. Provided on request.
- Standard questionnaires — Cascade Asia returns standard vendor security questionnaires (Vanta, Drata, OneTrust, custom) within 5 business days of receipt.
- On-site or remote audit — once per 12-month period, at the Controller's reasonable cost, on at least 30 days' notice. Audit scope is limited to compliance with this DPA. Findings are confidential.
- Mandated audits — where supervisory authority compels an audit, Cascade Asia cooperates without the 12-month limit.
Cascade Asia is not obligated to disclose information that would compromise other customers' confidentiality, or that constitutes Cascade Asia trade secret beyond what's necessary to demonstrate compliance.
What happens when the agreement ends.
This DPA is in force for as long as Cascade Asia processes Customer data. On termination of the underlying service agreement:
- The Controller has 90 days to export Customer data using the platform's export tools.
- After the export window, Cascade Asia deletes Customer data within a further 90 days, except where retention is required by Singapore or applicable law (tax, audit, regulatory). Retained data is segregated and access-restricted.
- On the Controller's reasonable written request, Cascade Asia provides confirmation of deletion.
- Cascade Asia's audit logs of the relationship itself (admin actions, read audit) are retained per the public retention schedule, with personal identifiers replaced by stable anonymized tokens after account closure.
Reference attachments.
Technical and organizational security measures
Cascade Asia implements the following measures, reviewed and updated as the platform and threat landscape evolve. The current public statement of these measures lives on the Security page.
| Domain | Measure |
|---|---|
| Encryption — in transit | TLS 1.2+ enforced; HTTPS-only; HSTS header on all production responses. |
| Encryption — at rest | AES-256 at the storage layer (Supabase Postgres, file storage). Application-level PII encryption planned (see Privacy Policy). |
| Authentication | Bcrypt-hashed passwords via Supabase Auth. TOTP MFA available for all roles, required for Cascade Asia admin. |
| Access control | Row-level security on all tables holding Customer data. Per-role security-definer RPCs for privileged operations. Service-role key never exposed to browser. |
| Personnel access | Least-privilege; access reviewed quarterly; offboarding within 24 hours of departure. |
| Audit logging | Append-only admin-action log; append-only read-event log. Both retained per Privacy Policy retention schedule. |
| Backup and recovery | 30-day continuous point-in-time recovery via Supabase. Quarterly restore drill (RTO < 4h, measured RTO < 30min as of last drill). |
| Hosting | AWS ap-southeast-1 (Singapore). No customer-data replication outside region. |
| Vulnerability management | Public responsible-disclosure program. Dependency monitoring. Critical patches within 30 days; high within 90 days. |
| Incident response | Documented escalation path; 4-hour acknowledgment for Critical incidents; 72-hour notification of confirmed breach to affected customers. |
| Confidentiality | All Cascade Asia personnel under written confidentiality obligations. |
| Sub-processor management | Each sub-processor under a written agreement with terms no less protective than this DPA; reviewed annually. |
Authorized sub-processors
The current authorized sub-processor list is published at cascadeasia.com/cascade-security.html#sub-processors and reproduced here for reference. Notice of changes follows section 5 above.
| Sub-processor | Service provided | Region | Customer data shared |
|---|---|---|---|
| Supabase | Database, auth, storage, edge functions | AWS ap-southeast-1 (Singapore) | All Customer data |
| Amazon Web Services | Underlying cloud infrastructure (mediated by Supabase) | ap-southeast-1 (Singapore) | All Customer data, encrypted at rest |
| Resend | Transactional email delivery (notifications) | United States, multi-region | Recipient email + email subject + body |
| Stripe | Invoice payment + webhook reconciliation | United States, European Union | Org name, contact email, invoice amount |
| Browserless | Public-source webpage capture for evidence | European Union | Public URLs only — no Customer data |
| OpenTimestamps calendar pool | Cryptographic timestamping (Bitcoin-anchored) | Public network (decentralized) | Hashes only — no readable data |
| Google / Cloudflare DNS | DNS resolution for cascadeasia.com | Global anycast | None (DNS records only) |
A signed Data Processing Agreement is in place with each sub-processor that receives Customer data.
Description of processing
For SCC purposes, this annex provides the description that is otherwise scattered through the body of this DPA, in one place:
- Categories of data subjects: see section 3 above.
- Categories of personal data: see section 3 above.
- Special categories of data: none intentionally processed; Controller-loaded special-category data is at Controller's lawful-basis risk.
- Frequency of transfer: continuous, on each Customer interaction with the platform.
- Nature of processing: see section 3 above.
- Purpose of processing: provision of the Onsight platform.
- Retention period: for the duration of the Controller's subscription plus 90 days export window plus 90 days deletion window, except where law requires longer retention.
- For onward transfers to sub-processors: as described in Annex II.
Signature
If you require a countersigned PDF copy of this DPA for your records, email privacy@cascadeasia.com with your organization name and the executing signatory's title. We countersign within 3 business days. For enterprise customers under a signed Master Services Agreement, the DPA executed alongside that MSA controls.
