Data Processing Agreement
Last updated: June 11, 2026
Introduction
Template — not yet in force. This document is the standard Data Processing Agreement that Scam Snap offers to enterprise customers. It takes legal effect only when incorporated into an executed Enterprise Agreement between your organization and Scam Snap. The consumer game does not collect the employee personal data described here.
This Data Processing Agreement (DPA) applies to enterprise customers of Scam Snap and supplements the Enterprise Agreement between your organization and Scam Snap.
Key Definitions
- Controller:Your organization (Customer)
- Processor:Scam Snap
- Data Subjects:Your employees using Scam Snap for training
Scope of Processing
Purpose
Providing scam detection and fraud awareness training to your employees through the Scam Snap platform.
Data Types Processed
- •Employee display names
- •Email addresses (for account setup and notifications)
- •Gameplay data and training interactions
- •Training scores and completion records
- •Progress and assessment data
Processing Activities
- •Account provisioning and user management
- •Training content delivery
- •Performance analytics and reporting
- •Customer support and troubleshooting
Scam Snap's Obligations as Processor
Instruction-Based Processing
Scam Snap processes personal data only on your documented instructions and for the purposes specified in the Enterprise Agreement.
Confidentiality Obligations
All Scam Snap personnel with access to your data are contractually bound by confidentiality agreements and process data only as instructed.
Security Measures
We implement appropriate technical and organizational security measures to protect your data against unauthorized access, alteration, and loss.
Sub-Processor Controls
Scam Snap will not engage sub-processors without your prior written consent. We notify you of any sub-processor changes with 30 days' notice.
Data Subject Rights
We assist you in fulfilling data subject access requests, deletion requests, and other rights under applicable data protection laws.
Data Handling on Termination
Upon termination of the Enterprise Agreement, we will delete or return all personal data as instructed by you, with certification available upon request.
Audit Rights
You have the right to audit our data handling practices, and we will contribute to and cooperate with your compliance audits.
Security Measures
Scam Snap implements the following technical and organizational security measures:
Encryption
AES-256 encryption at rest and TLS 1.3 encryption in transit for all data.
Access Controls
Row-level security on all tenant data, role-based access, and the principle of least privilege.
Security Assessments
Regular security reviews and automated testing, with provider-level certifications via our sub-processors (Supabase SOC 2, Cloudflare ISO 27001). Independent penetration testing will be scheduled as agreed in the Enterprise Agreement.
Incident Response
Continuous automated monitoring via our infrastructure providers, documented response procedures, and the breach notification commitments below.
Data Minimization
We collect and retain only the minimum personal data necessary for the stated purposes.
Sub-Processors
Scam Snap currently uses the following sub-processors to support our service delivery:
Supabase
Database and backend services
Cloudflare
Platform hosting and CDN services
Anthropic
AI processing (anonymized prompts only)
Sub-Processor Notification
We provide you with 30 days' written notice before engaging new sub-processors. You have the right to object to new sub-processors on reasonable grounds. Objections must be submitted in writing to contact@scam-snap.com.
Data Breach Notification
In the event of a confirmed data breach, Scam Snap will:
Notify Within 48 Hours
Notify you immediately, and no later than 48 hours after confirming the breach.
Detailed Information
Include the nature of the breach, affected data, measures taken to mitigate impact, and our remediation plan.
Full Cooperation
Cooperate fully with your investigation and provide all necessary information for your regulatory reporting.
Data Transfers
Primary Storage
Your employee training data is stored primarily in Singapore/APAC regions via Supabase.
AI Processing
Limited AI processing may occur in the United States (via Anthropic), but only for anonymized, aggregate prompts with no personal data transmitted. Employee identifiers and email addresses are never sent to AI processors.
Cross-Border Safeguards
All cross-border transfers are protected by appropriate safeguards and comply with PDPA requirements for international data transfers.
Data Retention
Training Data Retention
Employee training data (names, emails, scores, gameplay data) is retained for the duration of the Enterprise Agreement plus 90 days.
Aggregated Analytics
Aggregated and anonymized analytics data may be retained indefinitely for service improvement and compliance purposes.
Early Deletion
You may request early deletion of any personal data at any time by contacting contact@scam-snap.com.
PDPA Compliance
Both you and Scam Snap are committed to compliance with the Personal Data Protection Act (PDPA) 2012 of Singapore.
Your Responsibility
As the data controller, you are responsible for obtaining appropriate consent from your employees and ensuring lawful basis for processing.
Our Support
Scam Snap provides consent management tools and documentation to assist you in fulfilling your PDPA obligations.
Term & Termination
Effective Period
This DPA is effective for the duration of the Enterprise Agreement and terminates automatically upon termination of that agreement.
Data Deletion
Upon termination, all personal data will be deleted within 30 days, unless longer retention is required by law.
Certification
A written certification of data deletion is available upon request following termination.
Data Protection Officer
For questions about this Data Processing Agreement, data handling practices, or to exercise data subject rights:
contact@scam-snap.com