Data Processing Agreement

The standard processing terms when you load data into Onsight.

When a Cascade Asia customer loads personal data about third-party subjects (entities they want to monitor, individuals they're researching) into Onsight, Cascade Asia processes that data on the customer's behalf. This Data Processing Agreement ("DPA") sets the terms of that relationship — controller (you) and processor (us) — in language aligned with GDPR Article 28 and Singapore PDPA.

Effective 1 May 2026 · DPA contact privacy@cascadeasia.com

How to use this page: read it, share with your privacy team, and either (a) consider yourself bound by these terms upon use of Onsight (the default), or (b) request a countersigned PDF for your file by emailing privacy@cascadeasia.com. For enterprise customers with a signed Master Services Agreement, the DPA executed alongside that MSA controls and supersedes anything stated here.

01 — Parties

Who's the controller, who's the processor.

This DPA is between:

For data Cascade Asia holds about its own customers (account information, billing, support tickets), Cascade Asia is the Controller and our Privacy Policy applies. This DPA governs only data the Controller loads into Onsight about third-party subjects.

02 — Definitions

Words used in this DPA.

Unless otherwise defined here, terms have the meaning given to them in GDPR (for European customers), the Singapore PDPA, or applicable equivalent law. The following terms apply throughout:

Personal data — any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1) and PDPA Section 2.
Processing — any operation performed on personal data, including collection, storage, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
Customer data — personal data the Controller submits to the Onsight platform, whether by typing, uploading, importing, or commissioning. Distinguished from account data, which is information about the Controller's seats and is governed by the Privacy Policy.
Sub-processor — a third party that the Processor uses to process Customer data, as identified in Annex II.
Personal data breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer data.
Standard Contractual Clauses (SCCs) — the standard data protection clauses adopted by the European Commission (Decision 2021/914) for transfers of personal data to third countries.
03 — Subject matter, duration, nature, purpose

What we process, why, and for how long.

Subject matter

Cascade Asia processes Customer data for the purpose of providing the Onsight platform to the Controller, including: continuous monitoring of subjects, generation of intelligence findings, delivery of commissioned engagements, and routine platform operations (authentication, audit, billing).

Duration

Processing continues for the duration of the Controller's subscription to Onsight, plus a 90-day post-termination export window. Data deletion follows the schedule in Privacy → Retention.

Nature and purpose

Processing operations include: storage of subject records, enrichment with public-source data, indexing for search, computation of integrity index scores, generation of alerts and notifications, capture of evidence with cryptographic timestamping, and export at the Controller's request.

Categories of data subjects

Subjects researched by the Controller, who may be: corporate entities, beneficial owners, directors, officers, key managers, related individuals named in corporate filings or adverse media, and any other natural persons whose data is loaded into the platform by the Controller.

Categories of personal data

Identification data (names, native-script names, aliases, dates of birth where lawfully obtained), professional information (titles, employers, business addresses), corporate-relationship data (shareholdings, directorships, ownership chains), risk-relevant public information (sanctions hits, adverse media, regulatory actions), and any other personal data the Controller chooses to load.

Cascade Asia does not intentionally process special-category data (racial / ethnic origin, political opinion, religious belief, trade-union membership, genetic / biometric, health, sexual orientation) and excludes such categories from the platform's intended scope. If special-category data is loaded by the Controller, the Controller is solely responsible for the lawful basis.

04 — Processor obligations

What Cascade Asia commits to do (and not do).

  1. Process only on documented instructions. Cascade Asia will process Customer data only on the documented instructions of the Controller (those instructions being: provide the Onsight service per its published functionality), including with regard to international transfers, except as required by Singapore or applicable law.
  2. Confidentiality. Cascade Asia ensures that personnel authorized to process Customer data are bound by appropriate confidentiality obligations.
  3. Security. Implement the technical and organizational measures described in Annex I (and the public Security page at cascadeasia.com/cascade-security.html), reviewed and updated periodically.
  4. Sub-processors. Engage sub-processors only with general written authorization, identified in Annex II. Cascade Asia notifies the Controller at least 30 days before adding or replacing a sub-processor that handles Customer data; the Controller may object on reasonable grounds.
  5. Data-subject requests. Cooperate with the Controller in responding to data-subject access, correction, deletion, restriction, objection, and portability requests, by providing tools, information, and reasonable assistance.
  6. Breach notification. Notify the Controller without undue delay (and no later than 72 hours) of any personal data breach affecting Customer data; assist the Controller with downstream regulatory notifications as required.
  7. Assistance. Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities to the extent reasonably required.
  8. Audit. Make available all information necessary to demonstrate compliance with this DPA and contribute to audits as set out in section 10.
  9. Deletion or return. At the Controller's choice, delete or return all Customer data to the Controller after the end of services, except where Singapore or applicable law requires retention. See retention schedule.
  10. Inform. Promptly inform the Controller if, in Cascade Asia's opinion, an instruction infringes applicable data-protection law.
05 — Sub-processors

Who we use, what they see, where they operate.

The Controller authorizes Cascade Asia to engage the sub-processors listed in Annex II and on the publicly maintained list at cascadeasia.com/cascade-security.html#sub-processors. Cascade Asia ensures each sub-processor is contractually bound to data protection obligations no less protective than those of this DPA.

Cascade Asia notifies the Controller of any intended changes to the sub-processor list (additions or replacements that handle Customer data) at least 30 calendar days in advance, by email to the Controller's primary account address and by an in-platform notice. The Controller may object on reasonable grounds within those 30 days; if the parties cannot resolve the objection, the Controller may terminate the affected service with a prorated refund.

06 — Security measures

The technical and organizational protections.

Cascade Asia implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the controls described in Annex I. Highlights:

The full security posture is published at cascadeasia.com/cascade-security.html and updated as our practices evolve.

07 — Data-subject rights

Helping the Controller respond to subject requests.

To the extent legally permitted, Cascade Asia will promptly notify the Controller of any data-subject request received by Cascade Asia regarding Customer data, and will not respond to such requests directly unless authorized by the Controller (or required by law).

Cascade Asia provides the following tools to assist the Controller in responding to data-subject requests:

For data subjects who contact Cascade Asia directly, Cascade Asia routes the request to the controlling Customer where identifiable, and otherwise responds per the public Right-of-Reply process at onsight-reply.html.

08 — Personal data breach

What happens if something goes wrong.

If Cascade Asia becomes aware of a personal data breach affecting Customer data, Cascade Asia will:

  1. Notify the Controller without undue delay and in any event within 72 hours of becoming aware. Notification is sent to the Controller's primary account email and any backup contacts the Controller has designated.
  2. Provide the information needed for the Controller to comply with its own notification obligations under GDPR Article 33 / 34 or equivalent law: the nature of the breach (categories and approximate number of subjects and records affected), the likely consequences, the measures taken or proposed, and the contact for further information.
  3. Assist with downstream supervisory-authority and data-subject notifications to the extent reasonably required.
  4. Document the breach internally and produce a post-incident review for shared with affected Controllers within 14 days for any Critical or High severity incident.

Notification is not an admission of fault by Cascade Asia. Cascade Asia commits to good-faith disclosure even where investigation is incomplete; subsequent updates may correct earlier statements as facts develop.

09 — International transfers

Singapore primary; SCCs where transfers cross borders.

Cascade Asia stores Customer data in Singapore (AWS ap-southeast-1). Some sub-processors operate in other jurisdictions (see Annex II); transfers of Customer data to those sub-processors are international transfers for GDPR purposes.

Where the Controller is established in the European Economic Area, the United Kingdom, or Switzerland, the parties enter into the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor) by reference, with the following module choices and free-text fields:

For UK-originating transfers, the parties incorporate the UK International Data Transfer Addendum to the SCCs. For Swiss-originating transfers, references to "GDPR" should be read as the Swiss FADP where the FADP applies.

10 — Audit and inspection

How the Controller verifies compliance.

Cascade Asia makes available to the Controller, on reasonable notice, all information necessary to demonstrate compliance with this DPA, in the following ways:

Cascade Asia is not obligated to disclose information that would compromise other customers' confidentiality, or that constitutes Cascade Asia trade secret beyond what's necessary to demonstrate compliance.

11 — Term, return, deletion

What happens when the agreement ends.

This DPA is in force for as long as Cascade Asia processes Customer data. On termination of the underlying service agreement:

12 — Annexes

Reference attachments.

Annex I

Technical and organizational security measures

Cascade Asia implements the following measures, reviewed and updated as the platform and threat landscape evolve. The current public statement of these measures lives on the Security page.

DomainMeasure
Encryption — in transitTLS 1.2+ enforced; HTTPS-only; HSTS header on all production responses.
Encryption — at restAES-256 at the storage layer (Supabase Postgres, file storage). Application-level PII encryption planned (see Privacy Policy).
AuthenticationBcrypt-hashed passwords via Supabase Auth. TOTP MFA available for all roles, required for Cascade Asia admin.
Access controlRow-level security on all tables holding Customer data. Per-role security-definer RPCs for privileged operations. Service-role key never exposed to browser.
Personnel accessLeast-privilege; access reviewed quarterly; offboarding within 24 hours of departure.
Audit loggingAppend-only admin-action log; append-only read-event log. Both retained per Privacy Policy retention schedule.
Backup and recovery30-day continuous point-in-time recovery via Supabase. Quarterly restore drill (RTO < 4h, measured RTO < 30min as of last drill).
HostingAWS ap-southeast-1 (Singapore). No customer-data replication outside region.
Vulnerability managementPublic responsible-disclosure program. Dependency monitoring. Critical patches within 30 days; high within 90 days.
Incident responseDocumented escalation path; 4-hour acknowledgment for Critical incidents; 72-hour notification of confirmed breach to affected customers.
ConfidentialityAll Cascade Asia personnel under written confidentiality obligations.
Sub-processor managementEach sub-processor under a written agreement with terms no less protective than this DPA; reviewed annually.
Annex II

Authorized sub-processors

The current authorized sub-processor list is published at cascadeasia.com/cascade-security.html#sub-processors and reproduced here for reference. Notice of changes follows section 5 above.

Sub-processorService providedRegionCustomer data shared
SupabaseDatabase, auth, storage, edge functionsAWS ap-southeast-1 (Singapore)All Customer data
Amazon Web ServicesUnderlying cloud infrastructure (mediated by Supabase)ap-southeast-1 (Singapore)All Customer data, encrypted at rest
ResendTransactional email delivery (notifications)United States, multi-regionRecipient email + email subject + body
StripeInvoice payment + webhook reconciliationUnited States, European UnionOrg name, contact email, invoice amount
BrowserlessPublic-source webpage capture for evidenceEuropean UnionPublic URLs only — no Customer data
OpenTimestamps calendar poolCryptographic timestamping (Bitcoin-anchored)Public network (decentralized)Hashes only — no readable data
Google / Cloudflare DNSDNS resolution for cascadeasia.comGlobal anycastNone (DNS records only)

A signed Data Processing Agreement is in place with each sub-processor that receives Customer data.

Annex III

Description of processing

For SCC purposes, this annex provides the description that is otherwise scattered through the body of this DPA, in one place:

Signature

If you require a countersigned PDF copy of this DPA for your records, email privacy@cascadeasia.com with your organization name and the executing signatory's title. We countersign within 3 business days. For enterprise customers under a signed Master Services Agreement, the DPA executed alongside that MSA controls.

For the Controller
[Customer organization]
Authorized signatory
For the Processor
Cascade Asia
Authorized signatory