DATA PROCESSING ADDENDUM
Company Flow Pte. Ltd. (t/a work.flowers) · UEN 202442050M · Last Updated: Feb 20, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Master Services Agreement ("MSA") published by work.flowers. It applies automatically where work.flowers processes Personal Data on behalf of a Client in the course of providing the Services under a Statement of Work. This DPA takes effect on the effective date of the applicable SOW. The parties are identified in the applicable SOW. In the event of a conflict between this DPA and the MSA, this DPA prevails in respect of data protection matters. This DPA is governed by the laws of Singapore (Personal Data Protection Act 2012).
1. Definitions
In this DPA:
"Controller" means the party that determines the purposes and means of processing Personal Data. For this DPA, the Controller is the Client.
"Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Data Subject" means an identifiable individual to whom Personal Data relates.
"Personal Data" means any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access, as defined in the Personal Data Protection Act 2012 of Singapore ("PDPA") and, where applicable, under any other data protection law that applies to a party.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, alignment, restriction, erasure, or destruction.
"Processor" means the party that processes Personal Data on behalf of the Controller. For this DPA, the Processor is work.flowers.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on the Processor's behalf.
Terms defined in the MSA have the same meaning in this DPA unless otherwise defined here.
2. Roles and Scope of This DPA
When this DPA applies: This DPA applies only where work.flowers processes Personal Data belonging to the Client's customers, employees, or other individuals in the course of delivering the Services. It does not apply where work.flowers processes its own operational data (for example, the Client's contact details for invoicing purposes), which work.flowers handles as a Controller in its own right under its privacy policy.
2.1 The parties acknowledge that, in relation to any Personal Data processed by work.flowers in the course of delivering the Services: (a) the Client is the Controller; and (b) work.flowers is the Processor.
2.2 work.flowers will process Personal Data only on the documented instructions of the Controller (as set out in the applicable SOW) and for no other purpose, unless required to do so by applicable law.
2.3 If work.flowers is required by law to process Personal Data for a purpose other than in accordance with the Controller's instructions, work.flowers will inform the Controller before the processing takes place, unless the law prohibits such notification.
3. Controller's Obligations
3.1 The Controller warrants and represents that it has a lawful basis to collect and process the Personal Data, and that it has provided all required notices to Data Subjects, in each case as required by applicable data protection laws.
3.2 The Controller will ensure that its instructions to work.flowers are lawful and comply with applicable data protection laws.
3.3 The Controller is responsible for ensuring it has the appropriate rights to provide Personal Data to work.flowers for processing under this DPA.
4. Processor's Obligations
4.1 work.flowers will:
- (a) process Personal Data only on the Controller's documented instructions, unless otherwise required by applicable law;
- (b) ensure that personnel authorised to process the Personal Data are subject to appropriate confidentiality obligations;
- (c) implement and maintain reasonable and appropriate technical and organisational security measures to protect Personal Data against a Data Breach (see clause 6);
- (d) not engage any Sub-Processor without first complying with clause 5;
- (e) assist the Controller in responding to Data Subject requests (see clause 7), to the extent technically feasible and commercially reasonable;
- (f) notify the Controller of any Data Breach in accordance with clause 8;
- (g) delete or return Personal Data on termination or expiry of the relevant SOW in accordance with clause 10; and
- (h) provide the Controller with reasonable information and assistance to allow it to demonstrate compliance with applicable data protection laws.
5. Sub-Processors
work.flowers' current sub-processors: work.flowers uses the third-party platforms listed in Annex B to deliver its services. By entering into the MSA, the Controller provides general written authorisation for work.flowers to use these sub-processors. work.flowers will notify the Controller of any changes before they take effect.
5.1 By entering into the MSA, the Controller grants work.flowers general written authorisation to engage the Sub-Processors listed in Annex B for the purposes and activities described therein.
5.2 work.flowers will give the Controller at least 14 days' written notice before adding a new Sub-Processor or replacing an existing one. If the Controller reasonably objects to a proposed change and can demonstrate that the change creates a material risk of non-compliance with applicable data protection law, the parties will work together in good faith to resolve the concern. If they cannot resolve it within 30 days, the Controller may terminate the relevant SOW on 30 days' written notice.
5.3 work.flowers will impose data protection obligations on Sub-Processors that are equivalent in substance to those in this DPA, and work.flowers remains responsible for its Sub-Processors' compliance.
6. Security Measures
6.1 work.flowers will implement and maintain technical and organisational measures appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
6.2 These measures include, as appropriate:
- (a) access controls limiting access to Personal Data to personnel who need it to perform the Services;
- (b) use of encrypted connections (TLS/HTTPS) for data transmission;
- (c) strong authentication (including multi-factor authentication where available) for systems holding Personal Data;
- (d) regular reviews of access rights; and
- (e) use of reputable, security-assessed third-party platforms listed in Annex B.
6.3 work.flowers does not warrant that its security measures will be impenetrable or that no Data Breach will ever occur. The Controller is responsible for ensuring that its own systems and controls are adequate.
7. Data Subject Rights
7.1 The Controller is responsible for receiving and responding to requests from Data Subjects exercising their rights under applicable data protection law (including rights of access, correction, and withdrawal of consent under the PDPA).
7.2 If work.flowers receives a request from a Data Subject purporting to exercise any such right, it will forward the request to the Controller within 5 business days without taking any action on it.
7.3 work.flowers will provide the Controller with reasonable assistance in fulfilling Data Subject requests, to the extent technically feasible and having regard to the nature of the processing.
8. Data Breach Notification
8.1 If work.flowers becomes aware of a confirmed Data Breach affecting Personal Data processed under this DPA, it will notify the Controller without undue delay and in any event within 72 hours of becoming aware.
8.2 The notification will include, to the extent available at the time:
- (a) a description of the nature of the Data Breach, including the categories and approximate number of individuals and records affected;
- (b) the name and contact details of work.flowers' responsible contact;
- (c) a description of the likely consequences of the Data Breach; and
- (d) a description of the measures taken or proposed to address the Data Breach.
8.3 Where all information required under clause 8.2 is not available within 72 hours, work.flowers may provide the information in phases without undue delay.
8.4 The Controller is responsible for notifying the relevant regulatory authorities and Data Subjects as required by applicable law. work.flowers will provide reasonable cooperation and assistance.
9. International Data Transfers
Singapore and cross-border transfers: The PDPA permits transfers of personal data outside Singapore only where the recipient country provides a comparable standard of protection, or where other safeguards apply. work.flowers uses several US-based platforms (see Annex B). These are operated by organisations that comply with internationally recognised standards and contractual frameworks. If the Client is subject to GDPR or other regional laws, the parties should agree additional transfer safeguards in writing.
9.1 work.flowers may transfer Personal Data to Sub-Processors located outside Singapore as listed in Annex B, provided it has implemented appropriate safeguards in accordance with the PDPA and any other applicable data protection law.
9.2 If the Controller or any Data Subject is located in a jurisdiction with specific transfer restrictions (including the European Economic Area under GDPR), the parties will agree appropriate additional safeguards in writing before any transfer takes place.
10. Retention and Deletion
10.1 work.flowers will retain Personal Data only for as long as necessary to perform the Services under the relevant SOW, or as required by applicable law.
10.2 Upon termination or expiry of the relevant SOW (or upon the Controller's written request during the SOW term), work.flowers will — at the Controller's choice — either: (a) return all Personal Data to the Controller in a common machine-readable format; or (b) securely delete or destroy all Personal Data, and provide written confirmation of deletion within 30 days.
10.3 Nothing in this clause requires work.flowers to delete Personal Data that it is required to retain by law, provided it continues to protect that data in accordance with this DPA.
11. Audit Rights
11.1 The Controller may, not more than once per 12-month period and on at least 30 days' written notice, request an audit of work.flowers' data processing activities relating to this DPA. The Controller will bear the cost of any such audit.
11.2 In lieu of a direct audit, work.flowers may provide the Controller with documentation (such as security policies or relevant third-party certifications) that is reasonably sufficient to demonstrate compliance with this DPA, unless the Controller reasonably requires a direct audit to address a specific concern.
12. Term
12.1 This DPA comes into effect on the effective date of the applicable SOW and continues for as long as work.flowers processes Personal Data on behalf of the Controller under any SOW.
12.2 Clauses 6, 8, and 10 of this DPA survive termination.
13. General
13.1 This DPA is governed by the laws of Singapore. The parties submit to the non-exclusive jurisdiction of the courts of Singapore for any dispute arising under this DPA.
13.2 If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in force.
13.3 This DPA supplements and does not replace the confidentiality obligations in clause 5 of the MSA. In the event of any conflict regarding Personal Data, this DPA prevails.
Annex A — Processing Details
The details of processing under this DPA — including the subject matter, duration, nature and purpose of processing, categories of Personal Data, and categories of Data Subjects — are set out in the Data Processing Details section of the applicable SOW. Where no personal data is processed under a particular SOW, Annex A is not applicable to that engagement.
Annex B — Approved Sub-Processors
The following third-party sub-processors are currently engaged by work.flowers to deliver its services. Each is contractually bound to data protection obligations equivalent in substance to those in this DPA. work.flowers will notify the Controller of any additions or replacements in accordance with clause 5.2.
Sub-Processor | Entity | Country | Processing Activity | DPA / Data Terms |
Zapier | Zapier Inc. | USA | Automation workflow execution; may process personal data in transit during workflow runs | |
Google Cloud (BigQuery) | Google LLC | USA / global | Data warehousing and analytics; storage and querying of structured data | |
Google Workspace | Google LLC | USA / global | Document collaboration, email, and project tooling | |
Notion | Notion Labs Inc. | USA | Project management and documentation; may contain client-related notes or records | |
Anthropic (Claude) | Anthropic PBC | USA | AI-assisted analysis and content generation, where applicable to the engagement | |
Linear | Linear Orbit, Inc. | USA | Project and task management for client engagements; may contain engagement notes and client-related task details |