Data Processing Addendum
Effective date: 14 May 2026 · Last updated: 14 May 2026
Summary (not a substitute for the addendum below)
- This Data Processing Addendum ("DPA") is between Tyto Labs Pte. Ltd. (operator of PropPal EA) and the Customer (the property agent or agency using PropPal EA).
- The Customer is the controller / organisation of personal data about its Leads. Tyto Labs is the processor / data intermediary acting on the Customer's instructions.
- Tyto Labs will only process Personal Data on documented instructions from the Customer, maintain reasonable security, restrict employee access, engage Sub-processors only with notice, and assist the Customer with data subject rights and breach notification.
- This DPA is incorporated into our Terms of Service by reference and accepted by the Customer at signup. A counter-signed PDF version is available on request.
This Data Processing Addendum (the "DPA") is entered into between Tyto Labs Pte. Ltd. [UEN: 202621053Z], a Singapore company, doing business as PropPal Executive Assistant ("PropPal EA"), referred to in this DPA as "Tyto Labs"; and the customer who has accepted the Terms of Service (the "Customer"). Tyto Labs and the Customer are each a "Party" and together the "Parties".
1. Background and incorporation
1.1 The Parties have entered into the Terms of Service published at proppalcrm.com/terms/ (the "Agreement") under which Tyto Labs provides the Service to the Customer.
1.2 In the course of providing the Service, Tyto Labs processes Personal Data on the Customer's behalf. This DPA sets out the terms on which Tyto Labs processes that Personal Data.
1.3 This DPA forms part of, and is incorporated by reference into, the Agreement. By accepting the Agreement, the Customer accepts this DPA. In the event of a conflict between this DPA and the Agreement in respect of the processing of Personal Data, this DPA prevails.
1.4 A counter-signed PDF version of this DPA is available on request to [email protected].
2. Definitions
2.1 Capitalised terms not defined in this DPA have the meanings given in the Agreement.
2.2 In this DPA:
- "Personal Data" means personal data, as defined in the Singapore Personal Data Protection Act 2012 (the "PDPA") (or under analogous laws), that is contained in User Content and processed by Tyto Labs on behalf of the Customer in connection with the Service.
- "Data Subject" means an individual to whom Personal Data relates, including a Lead.
- "Lead" has the meaning given in the Agreement.
- "Sub-processor" means a third party engaged by Tyto Labs to process Personal Data on behalf of the Customer in connection with the Service. A current list is published at proppalcrm.com/subprocessors/.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Applicable Data Protection Law" means the PDPA and any other data protection or privacy law that applies to the processing of Personal Data under the Agreement.
- "PDPC" means the Personal Data Protection Commission of Singapore.
3. Scope and roles
3.1 Roles. In respect of Personal Data processed under this DPA:
- the Customer is the organisation under the PDPA (and the controller / business under analogous laws); and
- Tyto Labs is the data intermediary under the PDPA (and the processor / service provider under analogous laws).
3.2 Subject matter, nature, purpose, and duration. A description of the processing is set out in Annex A. The duration of processing is the term of the Agreement, plus any additional period required for return / deletion of Personal Data under Section 12.
3.3 Customer's role. The Customer determines the purposes and means of processing Personal Data, including which Leads' Personal Data is provided to Tyto Labs and how PropPal EA is configured.
4. Customer instructions
4.1 Tyto Labs will process Personal Data only on documented instructions from the Customer. The Agreement, this DPA, the Privacy Policy, and the Customer's use of the Service constitute the Customer's complete and final instructions to Tyto Labs at the time of acceptance of the Agreement.
4.2 Additional instructions may be issued by the Customer through the Service settings, or in writing to [email protected]. Tyto Labs may charge for additional instructions that are outside the standard functionality of the Service.
4.3 If Tyto Labs reasonably considers that an instruction from the Customer would breach Applicable Data Protection Law, Tyto Labs will inform the Customer without undue delay.
5. Confidentiality of personnel
5.1 Tyto Labs will ensure that any personnel authorised to process Personal Data are bound by appropriate written confidentiality obligations and have received appropriate training on their data protection responsibilities.
5.2 Access to Personal Data by Tyto Labs personnel is limited to those who need access to perform their duties in providing the Service.
6. Security measures
6.1 Tyto Labs will implement and maintain appropriate technical and organisational measures designed to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The current security measures are described in Annex C and in Section 15 of the Privacy Policy.
6.2 Tyto Labs may update its security measures from time to time, provided that the updated measures provide a level of protection no less than that described in Annex C.
7. Sub-processors
7.1 General authorisation. The Customer provides general authorisation for Tyto Labs to engage Sub-processors to process Personal Data, subject to this Section 7. The current list of Sub-processors is set out in Annex B and at proppalcrm.com/subprocessors/.
7.2 Notice of changes. Tyto Labs will provide at least 7 days' advance notice on the Sub-processors page before adding or replacing a Sub-processor that processes Personal Data.
7.3 Objection. The Customer may object to a new Sub-processor on reasonable grounds (such as a documented security concern) by notifying Tyto Labs at [email protected] within 7 days of the announcement. The Parties will discuss the objection in good faith. Where the objection cannot be resolved, the Customer may terminate the Agreement in accordance with its terms. No pro-rated refund will apply to fees already paid.
7.4 Sub-processor obligations. Tyto Labs will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Tyto Labs remains liable to the Customer for the acts and omissions of its Sub-processors in respect of Personal Data, to the extent provided in this DPA and the Agreement.
8. International transfers
8.1 Personal Data may be processed, stored, backed up, or accessed in Singapore and in other countries where Tyto Labs or its Sub-processors operate, including the United States and the European Union, as set out in Annex B and the Privacy Policy.
8.2 Where Personal Data is transferred outside Singapore, Tyto Labs will take steps intended to ensure that the recipient is subject to legally enforceable obligations to provide a standard of protection comparable to that required under the PDPA, including through contractual or other legally recognised safeguards.
8.3 The Customer instructs Tyto Labs to make such cross-border transfers as are reasonably necessary to provide the Service.
9. Data subject rights
9.1 Tyto Labs will, taking into account the nature of the processing, provide reasonable assistance to the Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, correction, withdrawal of consent, and deletion.
9.2 Where Tyto Labs receives a request directly from a Data Subject (including a Lead) relating to Personal Data processed on the Customer's behalf, Tyto Labs will:
- refer the Data Subject to the Customer; or
- where Tyto Labs determines (in its discretion and in accordance with Applicable Data Protection Law) that it is appropriate to do so, forward the request to the Customer and assist the Customer in responding.
9.3 Tyto Labs may charge for assistance that goes beyond the standard functionality of the Service.
10. Data breach notification
10.1 Tyto Labs will notify the Customer of a confirmed Data Breach affecting the Customer's Personal Data without undue delay and, where reasonably practicable, within 72 hours of becoming aware of the Data Breach.
10.2 The notification will include reasonably available information necessary for the Customer to assess and respond to the Data Breach, including (where known) the nature of the breach, the categories and approximate volume of Personal Data and Data Subjects affected, the likely consequences, and the measures taken or proposed to be taken.
10.3 Where a Data Breach is notifiable under section 26B of the PDPA, Tyto Labs will assist the Customer in notifying (and, where Tyto Labs is itself required to notify, will notify) the PDPC within the timelines set out in Part VIA of the PDPA, including the 3 calendar days obligation where applicable.
10.4 Tyto Labs will reasonably cooperate with the Customer in the Customer's investigation of, and response to, the Data Breach.
11. Audits and information rights
11.1 Tyto Labs will make available to the Customer such information as is reasonably necessary to demonstrate Tyto Labs's compliance with this DPA, including by responding to reasonable security and privacy questionnaires and providing relevant security documentation (such as third-party audit reports, where available).
11.2 The Customer may, at the Customer's cost and not more than once per 12 months (except where required by Applicable Data Protection Law or following a Data Breach), request a remote audit of Tyto Labs's processing activities by submitting a written request to [email protected] with at least 30 days' advance notice. The audit must:
- be conducted during business hours and in a manner that does not interfere with Tyto Labs's normal business operations;
- be subject to confidentiality obligations no less protective than those in the Agreement;
- be conducted by the Customer or by an independent third-party auditor agreed in advance by Tyto Labs (Tyto Labs may reject any auditor that is a competitor of Tyto Labs or that is not bound by suitable confidentiality obligations); and
- respect the confidentiality of other customers' data.
11.3 On-site audits at Tyto Labs's facilities will only be required where remote inspection is not sufficient and a regulator with jurisdiction has so directed, or as required by Applicable Data Protection Law.
12. Return and deletion of data
12.1 On expiry or termination of the Agreement, the Customer may request that Tyto Labs delete or return Personal Data processed on the Customer's behalf.
12.2 In the absence of an instruction to return Personal Data, Tyto Labs will, after a reasonable wind-down period and subject to the Customer's data export options within the Service, delete or de-identify Personal Data from active systems within 30 calendar days of termination, in accordance with the timelines and processes set out in the Privacy Policy.
12.3 Residual copies may persist in encrypted backups for the period stated in the Privacy Policy and will be overwritten in accordance with backup cycles.
12.4 Tyto Labs may retain Personal Data to the extent retention is required by law or necessary for billing, tax, fraud prevention, dispute resolution, security investigations, or to enforce the Agreement, in each case in accordance with the retention periods set out in the Privacy Policy.
13. Customer obligations
13.1 The Customer warrants and undertakes that:
- it has all rights, authority, notices, permissions, and consents required by Applicable Data Protection Law to provide Personal Data to Tyto Labs and to instruct Tyto Labs to process that Personal Data through the Service, including in respect of Leads;
- its instructions to Tyto Labs comply with Applicable Data Protection Law;
- it will respond to Data Subject requests in respect of its Leads and other Data Subjects whose Personal Data it controls;
- it will notify the affected Data Subjects of a Data Breach where required by Applicable Data Protection Law; and
- it will use the Service in compliance with Meta's WhatsApp Business Messaging Policy, the PDPA (including its Do Not Call provisions), and the Singapore Spam Control Act 2007, as further set out in the Agreement.
13.2 The Customer is responsible for the lawfulness, accuracy, and quality of Personal Data the Customer provides to or processes through the Service.
13.3 Affiliates and authorised users. Where the Customer is an agency, brokerage, or company, the Customer represents that this DPA is entered into for the benefit of all of its authorised users (Agents) under its account, and that the Customer has authority to bind those authorised users and any of its affiliated entities that use the Service through the Customer's account.
14. Liability
14.1 The Parties' aggregate liability under or in connection with this DPA is subject to the limitation of liability set out in the Agreement (including Section 20 of the Terms of Service).
14.2 Nothing in this DPA excludes or limits liability that cannot be excluded or limited under Applicable Data Protection Law.
15. Term and termination
15.1 This DPA takes effect on the Customer's acceptance of the Agreement and continues for so long as Tyto Labs processes Personal Data on the Customer's behalf.
15.2 Termination of the Agreement automatically terminates this DPA, except for those provisions that, by their nature, are intended to survive termination (including Sections 5, 9, 10, 12, 13, 14, and 16).
16. General
16.1 Updates. Tyto Labs may update this DPA from time to time. Material changes will be notified in advance by email or in-app, and may require re-acceptance.
16.2 Governing law and jurisdiction. This DPA is governed by the laws of Singapore. The Parties submit to the exclusive jurisdiction of the courts of Singapore in respect of any dispute arising out of or relating to this DPA.
16.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.
16.4 Order of precedence. In the event of a conflict between this DPA and any other document forming part of the Agreement in respect of the processing of Personal Data, the order of precedence is: (a) this DPA, (b) the Privacy Policy, (c) the Terms of Service.
16.5 Cooperation with regulators. Each Party will reasonably cooperate with the PDPC and other competent regulators in any investigation arising out of or related to the processing of Personal Data under this DPA.
Annex A — Description of processing
| Subject matter | Provision of the PropPal EA Service to the Customer, as described in the Agreement. |
|---|---|
| Duration | The term of the Agreement, plus any period required for return / deletion of Personal Data. |
| Nature and purpose | Hosting, ingesting, organising, searching, summarising, and drafting based on Customer communications; Lead Concierge auto-replies (Pro tier); Smart Viewings scheduling (Pro tier); CRM record management; billing. |
| Categories of Data Subjects | The Customer's authorised users; the Customer's Leads (clients, prospects, tenants, landlords, buyers, sellers); individuals who contact the Customer through the Service. |
| Categories of Personal Data | Identifiers (name, phone number, CEA registration number); WhatsApp messages and attachments; contact records; CRM records and notes; lead qualification answers; AI-generated outputs and Lead Concierge auto-replies; tone of voice samples and personalisation context; Google Calendar event metadata (Pro tier); product analytics events. |
| Special categories of data | The Service is not designed to process special categories of personal data. The Customer must not upload sensitive credentials (banking passwords, payment card CVVs, one-time passwords). Where Leads voluntarily share special categories of data through WhatsApp messages, such data is processed only to the extent necessary to provide the Service. |
| Frequency of processing | Continuous during the term of the Agreement. |
Annex B — Sub-processors
The current list of Sub-processors is published at proppalcrm.com/subprocessors/ and is incorporated into this DPA by reference. Tyto Labs will provide at least 7 days' advance notice of changes on that page, as further described in Section 7.
At the Effective date, the Sub-processors include:
- Supabase Inc. — primary database and authentication (United States).
- Cloudflare, Inc. — webhook and edge hosting (global edge network).
- Vercel, Inc. — web application hosting and API routes, region pinned to sin1 (United States platform; Singapore sin1 serving edge).
- Resend — transactional email delivery and auth emails (United States).
- Inngest, Inc. — background job queue for AI analysis and async workflows (United States).
- Meta Platforms, Inc. — WhatsApp Business Cloud API (United States / European Union).
- Google LLC — Google Calendar API, Pro tier (United States).
- OpenAI, L.L.C. — AI services, zero-retention API (United States).
- Anthropic, PBC — AI services, zero-retention API (United States).
- Stripe Payments Asia, Pacific Pte. Ltd. — payment processing (Singapore / United States).
- PostHog, Inc. — product analytics (United States, PostHog US Cloud).
Annex C — Security measures
Tyto Labs implements and maintains the following technical and organisational measures (which may be updated from time to time in accordance with Section 6.2):
- Encryption in transit. TLS / HTTPS for all communication between the Customer's devices, the Service, and Sub-processors.
- Encryption at rest. AES-256 disk-level encryption on the primary database (Supabase Postgres). Application-layer encryption for OAuth tokens, API keys, and other secrets, in addition to disk-level encryption.
- Access control. Role-based access controls and authentication measures for personnel access to production systems. Access to Personal Data is limited to personnel who need it to perform their duties.
- Webhook integrity. Verification of inbound webhook signatures (including Meta X-Hub-Signature-256).
- Logging and monitoring. Logging of administrative access; periodic review of security events.
- Secure development. Code review, dependency management, and periodic review of third-party integrations.
- Backups. Encrypted backups, retained for 30 days rolling and overwritten in accordance with backup cycles.
- Incident response. Documented procedures for detecting, investigating, and responding to security incidents and Data Breaches, including notification timelines under Section 10.
- Personnel. Confidentiality obligations and data protection training for personnel with access to Personal Data.
- Vendor management. Reasonable due diligence on Sub-processors and contractual data protection obligations as set out in Section 7.4.
Contact
For questions about this DPA, or to request a counter-signed PDF version, please contact:
Tyto Labs Pte. Ltd.
[UEN: 202621053Z]
doing business as PropPal Executive Assistant ("PropPal EA")
Email: [email protected]
Data Protection Officer: [email protected] (subject line "Attention: Data Protection Officer")