Trust & Legal

Data Processing Agreement

Last updated: 11 May 2026

Request a signed DPA

Enterprise customers and agencies that require a countersigned DPA for their compliance records can request one by email.

Request DPA →

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Coreframes Lab ("we", "us", or "our"), the operator of MaidCopilot.

A DPA is a contract between a data controller (the Customer) and a data processor (Coreframes Lab) that describes the roles and responsibilities of each party when personal data is processed. This DPA supplements the Terms of Service and, in the event of conflict, this DPA takes precedence with respect to data processing matters.

By using MaidCopilot, you agree to this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.

2. Definitions

"Personal Data"	Any information relating to an identified or identifiable natural person, as defined under the Singapore PDPA and applicable data protection law.
"Processing"	Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction.
"Controller"	The Customer — the party that determines the purposes and means of Processing Personal Data.
"Processor"	Coreframes Lab — the party that Processes Personal Data on behalf of the Controller, under the Controller's instructions.
"Sub-processor"	Any third party engaged by Coreframes Lab to Process Personal Data in connection with providing the MaidCopilot services.
"Data Subject"	An individual whose Personal Data is Processed — including maids, employers, and contacts whose data is entered into MaidCopilot by the Customer.
"DP Law"	The Singapore Personal Data Protection Act 2012 (as amended) and any other applicable data protection legislation.
"Security Incident"	Any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

3. Roles and scope

The Customer is the Controller of Personal Data relating to maids, employers, and contacts entered into MaidCopilot. Coreframes Lab is the Processor of that data, acting only on the Customer's documented instructions.

For the Personal Data of the Customer's own staff (coordinators and owners) who access MaidCopilot, Coreframes Lab is the Controller. That processing is described in our Privacy Policy.

This DPA applies to all Personal Data processed by Coreframes Lab in connection with providing the MaidCopilot platform, including data stored in the database, documents uploaded to storage, and WhatsApp messages transmitted through the platform.

4. Coreframes Lab obligations

As Processor, Coreframes Lab will:

Process Personal Data only on documented instructions from the Customer, unless required to do so by law
Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations
Implement and maintain appropriate technical and organisational security measures (described in Section 6)
Not engage a Sub-processor without prior notice to the Customer, as set out in Section 5
Assist the Customer in responding to Data Subject access, correction, and other rights requests, to the extent technically feasible
Notify the Customer of a confirmed Security Incident within 3 business days of becoming aware
On termination of the Agreement, delete or return Customer Personal Data within 90 days, unless retention is required by law
Provide information reasonably necessary to demonstrate compliance with this DPA, on written request

5. Customer obligations

As Controller, the Customer will:

Provide only lawful instructions to Coreframes Lab regarding the Processing of Personal Data
Comply with DP Law, including ensuring an appropriate legal basis for all Processing described in this DPA
Provide all necessary notices to, and obtain all necessary consents from, Data Subjects to enable Coreframes Lab to lawfully Process Personal Data as described herein
Notify Coreframes Lab immediately if the Customer becomes aware of any unauthorised access to or disclosure of Personal Data
Ensure the Customer's own use of the platform complies with MOM Employment Agency Act requirements and applicable law

6. Security measures

Coreframes Lab implements the following technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and accidental loss, destruction, or damage:

Isolation — Row-Level Security (RLS) enforced at the database layer; each agency's data is logically isolated
Encryption in transit — TLS 1.2 or higher on all connections between clients, the application, and the database
Encryption at rest — AES-256 encryption for all stored data and uploaded documents
Authentication — Magic-link authentication; no passwords stored. Role-based access control (Owner and Coordinator roles)
Webhook integrity — HMAC-verified inbound webhooks to prevent spoofed message injection
Audit logging — All material data changes are recorded with user identity and timestamp
Access control — Production access is restricted to authorised personnel only

For more detail, see our Security page.

7. Sub-processors

The Customer consents to Coreframes Lab's use of the sub-processors listed on the Subprocessors page.

Coreframes Lab will notify the Customer by email at least 14 days before adding or replacing a Sub-processor. The Customer may object to the change in writing within that period. If we are unable to accommodate the objection, the Customer may terminate the Agreement on written notice in accordance with the Terms of Service.

Each Sub-processor is engaged under a written agreement that imposes data protection obligations no less protective than those in this DPA.

8. International data transfers

All primary Customer Personal Data is stored in AWS ap-southeast-1 (Singapore). Transfers to Sub-processors outside Singapore (including Meta for WhatsApp message delivery) are subject to contractual safeguards consistent with PDPA Section 26 requirements. See the Subprocessors page for data location details for each Sub-processor.

9. Security incidents

If Coreframes Lab becomes aware of a confirmed Security Incident affecting Customer Personal Data, we will:

Notify the Customer within 3 business days of confirming the incident
Provide a description of the nature of the incident, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address it
Cooperate with the Customer in any notification obligations the Customer has to the PDPC or affected Data Subjects

Notification of a Security Incident does not constitute an admission of fault or liability by Coreframes Lab.

10. Data subject rights

Coreframes Lab will, to the extent technically feasible, assist the Customer in fulfilling Data Subject rights requests received under DP Law, including requests for access, correction, withdrawal of consent, and data portability.

The Customer is responsible for responding to Data Subject rights requests relating to Personal Data the Customer controls. Coreframes Lab will provide reasonable cooperation and information to assist the Customer.

11. Retention and deletion

On expiry or termination of the Customer's subscription, Coreframes Lab will retain Customer Personal Data for up to 90 days to allow for data export, after which it will be deleted from production systems. Backup purges occur within 30 days of deletion from production.

The Customer may request earlier export or deletion by contacting admin@coreframeslab.com. Certain data may be retained longer where required by applicable law.

12. Governing law

This DPA is governed by the laws of Singapore. Any dispute arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

13. Contact

Questions about this DPA or to request a countersigned copy:

Data Protection Officer — Coreframes Lab

admin@coreframeslab.com

Related: Subprocessors · PDPA Policy · Privacy Policy · Security