Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between:

• Customer — the entity using the Relay service under the Relay Terms of Service (the "Customer", "you"), acting as Data Controller in respect of personal data of leads, prospective clients, customers, and any other data subjects whose data the Customer forwards to or processes through Relay; and
• Relay — the operator of the Relay service at tryrelay.pro ("Relay", "we", "us"), acting as Data Intermediary processing personal data on the Customer's behalf.

This DPA forms part of, and is subject to, the Relay Terms of Service. In the event of any conflict, this DPA prevails for matters concerning the processing of personal data.

Capitalised terms in this DPA have the meaning given to them in the Singapore Personal Data Protection Act 2012 (the "PDPA"), unless defined elsewhere here. "Customer Personal Data" means personal data the Customer (or any user authorised by the Customer) submits to Relay for processing. "Sub-processor" means a third party Relay engages to process Customer Personal Data on Customer's behalf.

The subject matter of processing is the operation of the Relay service: parsing forwarded portal lead emails, drafting AI-assisted replies, scoring lead quality, tracking pipeline milestones, and the related operational features described in the Terms of Service. Duration: for as long as the Customer's account is active, plus any post-termination retention required by Section 11.

Relay processes Customer Personal Data only:

• To provide the Relay service to the Customer.
• To meet legal obligations under the PDPA and other Singapore law.
• On documented instructions from the Customer (the Customer's use of the Relay service constitutes such instruction for routine operations).

Relay does not use Customer Personal Data, voice samples, or forwarded lead content to train third-party foundation models, for advertising, for resale, or for any purpose outside the scope of the service.

Data subjects: the Customer's end leads, clients, prospective clients, viewing attendees, and any individuals whose data the Customer forwards via portal enquiry emails or enters into Relay.

Categories of personal data: name, contact details (email, phone), enquiry text and conversation history, listing preferences, transaction context (citizenship, decision-maker status, budget signal), and any optional fields the Customer chooses to record (e.g. CDD notes, OTP milestones).

The Customer warrants that:

• It has a lawful basis under the PDPA (consent or deemed consent) for the processing of any personal data it submits to Relay.
• It has provided the notices required by section 20 of the PDPA to its data subjects.
• It will respond to access, correction, and withdrawal-of-consent requests from its data subjects, and may use Relay's data export tools to do so.
• It will keep its agent account credentials and CEA registration details accurate.
• It will comply with the CEA Code of Ethics and Professional Client Care, the Estate Agents Act 2010, and all applicable Practice Circulars when using Relay.

Relay will:

• Process Customer Personal Data only on the Customer's documented instructions.
• Implement appropriate technical and organisational security measures, as described in the Security page and the Data Residency page, including TLS 1.2+ in transit, AES-256 at rest, application-layer encryption of sensitive tokens, and Row-Level Security on every table.
• Make available the information necessary to demonstrate compliance with this DPA, on reasonable request.
• Notify the Customer without undue delay (and in any event within 72 hours of awareness, save where the breach is unlikely to result in significant harm) of any personal data breach affecting Customer Personal Data, with the information required by section 26D of the PDPA.
• Assist the Customer, on reasonable request, in responding to data subject requests and to enquiries from the Personal Data Protection Commission (PDPC).
• Restrict access to Customer Personal Data to personnel who require it for the performance of the service, under written confidentiality obligations.

The Customer authorises Relay to engage the sub-processors listed below. Relay will notify the Customer at least 14 days before adding or replacing a sub-processor (by email to the registered billing contact and on this page). The Customer may object to a new sub-processor on reasonable grounds; if the parties cannot resolve the objection, the Customer may terminate the relevant Order Form.

Each sub-processor is bound by data-protection commitments materially equivalent to those in this DPA.

Where Customer Personal Data is transferred outside Singapore (notably to Anthropic and Resend in the United States), Relay relies on the recipient's contractual safeguards equivalent to the PDPA Transfer Limitation Obligation under section 26 of the PDPA. The Customer is responsible for any additional cross-border notification obligations applicable to its own regulated industry.

Relay maintains an incident response runbook. On becoming aware of a personal data breach affecting Customer Personal Data, Relay will:

• Notify the Customer without undue delay, and in any event within 72 hours, with: (a) the nature of the breach, (b) the categories and approximate volume of data subjects and records concerned, (c) the likely consequences, and (d) the measures taken or proposed.
• Co-operate with the Customer on any notification to the PDPC required under section 26D of the PDPA. The Customer remains responsible for that notification as Data Controller.
• Document the breach and remediation in the internal audit log retained for at least 5 years.

On termination of the Relay service, the Customer may export all Customer Personal Data via the dashboard's CSV export tools. Relay will delete remaining Customer Personal Data within 30 days of account closure, except for: (a) billing and tax records retained for 5 years under Singapore law, and (b) the audit log retained for 5 years under CEA Practice Circulars 02/2024 and 03/2024.

Relay will respond, within reasonable timeframes, to written information requests from the Customer regarding Relay's processing of Customer Personal Data. Where the Customer has a regulatory or contractual obligation to perform an audit, the parties will agree commercially reasonable scope and timing in writing. Relay may satisfy audit obligations by sharing current third-party assurance reports (when and once available) or written responses to standard security questionnaires.

Each party's liability arising out of or related to this DPA is subject to the exclusions and limitations of liability in the Relay Terms of Service.

This DPA is governed by the laws of Singapore. The parties submit to the exclusive jurisdiction of the courts of Singapore.

If there is a conflict between this DPA and the Terms of Service, this DPA prevails on personal data matters. If there is a conflict between this DPA and a separately signed enterprise order form referencing this DPA, the order form prevails.

To execute this DPA, email [email protected] with:

• Customer registered legal name and Singapore UEN.
• Authorised signatory name, title, and email.
• Any requested redlines.

We will return a counter-signed PDF copy. A printable version of this template is available at tryrelay.pro/legal/dpa (use your browser's print-to-PDF).