Data Protection Notice (SG)

Data Protection Notice (SG)

Effective Date: 18 September 2023

Your Privacy is Important to Us

The purpose of this Data Protection Notice (“Notice”) is to inform you of how Accredify Pte. Ltd. and its related corporations and affiliates (“the Firm”) handles Personal Data which is subject to the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (“PDPA“).

This Notice applies to Personal Data in our possession or under our control, including Personal Data in the possession of service providers and third parties which we have engaged to collect, use, disclose, or process Personal Data for our purposes. By interacting with us, using our websites and applications (any page on the accredify.io domain and other related websites and applications of the Firm, where such websites and applications may change from time to time), including https://www.accredify.io/ and https://dashboard.accredify.io/, and https://app.accredify.io/ (collectively, “Sites”), submitting information to us, or engaging our services, you agree and consent to the Firm, as well as our service providers and third parties appointed by us on your behalf (collectively, “us“, “we” or “our“) collecting, using and disclosing your Personal Data in the manner set forth in this Notice.

This Notice supplements but does not supersede nor replace any other consents you may have previously provided to the Firm in respect of your Personal Data, and your consents herein are additional to any rights which to the Firm may have at law to collect, use or disclose your Personal Data.

We may from time to time update this Notice. If we do make changes, the Firm will inform you by updating the last revised date at the bottom of the Notice and such updates will be posted on the Firm’s Sites. By continuing to interact with us, subject to applicable law, you agree to be bound by the prevailing terms of the Notice as so updated from time to time.

In this Notice, “Personal Data” refers to any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time, but excludes “business contact information” as defined in the PDPA.

Other terms used in this Notice shall have the meanings given to them in the PDPA (where the context so permits).

1. Personal Data.
  • We may collect Personal Data from you in the course of our business, including through your use of our Sites, when you contact or request information from us, when you engage our services or as a result of your relationship with one or more of our staff and customers.
  • Depending on the nature of your interaction with us, the Personal Data that we may collect includes:
  • Unique identifiers (e.g. full name, National Registration Identification Card (“NRIC”) number, Foreign Identification Number (“FIN”), passport number, personal mobile telephone number, voice of an individual and/or facial image of an individual);
  • Personal particulars (e.g. nationality, gender, date of birth, marital status, and/or education details);
  • Employment details (e.g. occupation, directorships and other positions held, employment history, salary, and/or benefits);
  • Contact information (e.g. residential address, email address and/or telephone number);
  • Financial information (e.g. account numbers and/or banking transactions);
  • Technical information (e.g. information from your visits to our website or applications or in relation to materials and communications we send to you electronically);
  • Personal opinions made known to us (e.g. feedback or responses to surveys);
  • Other information (e.g. photographs and other audio-visual information, website Uniform Resource Locator (URL), free-form text, and/or personal description); and/or
  • Any other information relating to you or any individuals which you have provided us in any forms you may have submitted to us, or via other forms of interaction with you.
  • With regards to Accredify Dashboard for the creation and issuance of health certificates by healthcare providers like clinics and hospitals, generally, we do not collect Personal Data. However, such healthcare providers and clinical laboratories may collect and transfer to us your Personal Data. Personal Data that such third parties transfer to us include your full name, NRIC number, passport number, date of birth, email address and Covid-19 test result details. The Covid-19 results details include, the type of Covid-19 test conducted (e.g. Serology, Polymerase chain reaction (PCR), etc), the date and time the Covid-19 test was conducted, and the date and time that the health certificate comes into effect. Health certificates may be in the form of HealthCerts, Covid-19 Test Credentials that will be accepted for IATA Travel Pass or other similar health certificates schemas that Accredify may support at any time and from time to time. Additional information regarding the HealthCerts may be found here: https://www.healthcerts.gov.sg. Additional information regarding IATA Travel Pass can be found here: https://www.iata.org/en/programs/passenger/travel-pass/. Healthcare providers like clinics and hospitals may also transfer to us the Personal Data of their healthcare professionals like doctors. The Personal Data that they transfer to us include the doctor’s registration number and signature.
  • With regards to Accredify’s Dashboard for organisations that require or requested individuals to conduct self-administration of Covid-19 tests, generally, we do not collect Personal Data. However, such organisations may collect and transfer to us your Personal Data. Personal Data that such third parties transfer to us include your identification number, ID type, country of issue, full name, date of birth, gender, nationality, mobile number, residential address, and barcode reference. With regards to individuals that conduct their self-administration of Covid-19 tests, the Personal Data that we collect include your full name, gender, date of birth, mobile number, NRIC/FIN/Passport Number, nationality, company that the self-test is disclosed to, type of self-administered Covid-19 conducted including the device manufacturer of the test kit, the results of the Covid-19 test including a photograph of the result, and the date the test was self-administered.
2. Collection of Personal Data.
  • Generally, the Firm may collect Personal Data in various ways including:
  • when you submit any for, including but not limited to customer inquiry forms or other forms relating to any of our services
  • when you enter into any agreement, or provide other documentation or information in respect of your interactions with us, or when you use our services;
  • when you subscribe to any of our online services or communication platforms (including electronic publications, updates, alerts, announcements);
  • when you communicate or interact with us via telephone, letters, fax, face-to-face meetings, our Sites, email or other modes of contact or use services on our Sites;
  • when you request that we contact you or request that you be included in an email or other mailing list;
  • when you respond to our promotions, initiatives or to any request for additional Personal Data;
  • when you are contacted by, and respond to, our marketing representatives and customer service officers;
  • as part of our business acceptance processes and about you and others as necessary in the course of providing our services;
  • when you provide information to us, or interact with us directly, for instance engaging with our staff or registering on one of our digital platforms or applications;
  • while monitoring our technology tools and services, including our Sites and email communications sent to and from us;
  • from other sources, such as keeping the contact details we already hold for you accurate and up to date using publicly available sources;
  • when you submit an employment application or provide documents or information such as your resume and/or CV, from recruitment agencies and employment references;
  • when we seek information about you and receive your Personal Data in connection with your relationship with us, including for our products and services or job applications, for example, from business partners, public agencies, your ex-employer, referral intermediaries and the relevant authorities;
  • it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your Personal Data to us (your “authorised representative”) after
  • you (or your authorised representative) have been notified of the purposes for which the data is collected, and
  • you (or your authorised representative) have provided written consent to the collection and usage of your Personal Data for those purposes;
  • collection and use of Personal Data without consent is permitted or required by the PDPA or other written laws;
  • when your images are captured by us via CCTV cameras while you are within or in the vicinity of our premises, or via photographs or videos taken by us or our representatives when you attend our events;
  • from public information sources, search services and other third parties; and/or
  • when you submit your Personal Data to us for any other reason.
  • If you provide us with any Personal Data relating to a third party, by submitting such Personal Data to us, you also represent to us and must ensure that you have notified the third party of the terms of this Policy and obtained his consent thereto.
3. Purposes for the Collection, Use and Disclosure of Your Personal Data.
  • Generally, the purposes for which the Firm collects uses and discloses Personal Data include:
    • If you are a prospective, current, or former customer or user of the Firm, in order to perform our obligations under our Master User Agreement with you and on the basis of our legitimate interest including to:
      • provide, operate, maintain, improve, and promote the Sites and the services and manage your relationship with us;
      • enable you to access and use the Sites and the services;
      • process and complete transactions, and send you related information, including purchase confirmations and invoices;
      • send transactional messages, including responses to your comments, questions, feedback, suggestions, and requests; provide customer service and support; and send you technical notices, updates, security alerts, and support and administrative messages;
      • performing obligations in the course of or in connection with our provision of services requested by you;
      • verifying your identity, processing payments, and managing our administrative and business operations (including the processing, storage, monitoring, and backup of data);
      • providing updates and other communications on developments relating to the Firm;
      • to send administrative email notifications (including security, support, and/or maintenance notices);
      • to improve our services and communications to you and the quality of your interaction with our Sites, including auditing and monitoring its use;
      • complying with applicable laws and regulations, codes or practice or guidelines, policies, procedures, regulatory requirements and directions issued by relevant authorities;
      • to fulfil our legal, regulatory and risk management obligations, including establishing, exercising, or defending legal claims;
      • investigate and prevent fraudulent transactions, unauthorized access to the Sites and the services, and other illegal activities;
      • send promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners;
      • process and deliver contest or sweepstakes entries and rewards;
      • monitor and analyze trends, usage, and activities in connection with the Sites and services and for marketing or advertising purposes;
      • personalize the Sites and services, including by providing features or advertisements that match your interests and preferences;
      • transmitting to any unaffiliated third parties including our third-party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad, for the aforementioned purposes;
      • for the purpose of recruitment; and/or
      • for other purposes for which we obtain your consent.
  • With regards to Accredify Dashboard for the creation and issuance of HealthCerts by healthcare providers like clinics and hospitals, generally, the purposes for which the Firm collects, uses and discloses Personal Data include:
    • allowing users of clinics and hospitals to create health certificates like Covid-19 test results in the HealthCerts format, Covid-19 Test Credentials that will be accepted for IATA Travel Pass or other similar health certificates schemas that Accredify may support at any time and from time to time, and other medical records;
    • deliver such health certificates and medical records to their patients, travellers or persons to whom the health certificate and medical record relates;
    • revoke, and if required, to edit, recreate and redeliver such health certificates and medical records to their patients; and
    • to store and download such health certificates and medical records of their patients.
  • With regards to Accredify’s Dashboard for self-administering of Covid-19 test by individuals like employees of an organisation, generally, the purposes for which the Firm collects, uses and discloses Personal Data include:
    • For individuals:
      • allowing individuals to upload, store, and download their self-administered Covid-19 test results;
      • allowing individuals to classify their self-administered test results as a company record (e.g. their employer) and state the organisation that required or requested them to conduct the test and disclose it with them or to classify as a personal record.
    • For organisations (e.g. employers):
      • allow organisations to create accounts (whether by uploading a nominal roll or otherwise) for individuals that they require to conduct self-administered Covid-19 test (e.g. employees) so that such individuals can upload and disclose their test results to such organisations;
      • allow organisations to generate, download, and issue self-administered Covid-19 health certificates in the form of the HealthCerts format, Covid-19 Test Credentials that will be accepted for IATA Travel Pass or other similar health certificates schemas that Accredify may support at any time and from time to time, to the individuals that disclosed the test results with it;
      • allow organisations to prepare reports regarding self-administered Covid-19 test results submitted to them, where such reports include the reports required to be submitted to governmental authorities like the Health Promotion Board.
    • If you are an employee, officer or owner of an external service provider or vendor outsourced or prospected by the Firm:
      • assessing your organisation’s suitability as an external service provider or vendor for the Firm;
      • managing project tenders and quotations, processing orders or managing the supply of goods and services;
      • creating and maintaining profiles of our service providers and vendors in our system database;
      • processing and payment of vendor invoices and bills;
      • facilities management (including but not limited to issuing visitor access passes and facilitating security clearance); and/or
      • purposes which are reasonably related to the aforesaid.
    • If you submit an application to us as a candidate for employment, internships or traineeships:
      • conducting interviews;
      • processing your application (including but not limited to pre-recruitment checks involving your qualifications and facilitating interviews);
      • obtaining references and for background screening;
      • assessing your suitability for the position applied for;
      • enrolling successful candidates as our employees and facilitating human resource planning and management (including but not limited to preparing letters of employment, name cards and building access passes); and/or
      • purposes which are reasonably related to the aforesaid.
    • If you are an existing employee of the Firm:
      • providing remuneration, reviewing salaries and bonuses, conducting salary benchmarking reviews, staff appraisals and evaluation, as well as recognising individuals for their services and conferring awards;
      • staff orientation and entry processing;
      • administrative and support processes relating to your employment, including its management and termination, as well as staff benefits, including travel, manpower, business continuity and logistics management or support, processing expense claims, medical insurance applications, medical screenings and immunisations, leave administration, long-term incentive plans, training, learning and talent development, and planning and organising corporate events;
      • providing you with tools and/or facilities to enable or facilitate the performance of your duties;
      • facilitating professional accreditation and complying with compliance audits;
      • compiling and publishing internal directories and emergency contact lists for business continuity;
      • managing corporate social responsibility projects;
      • conducting analytics and research for human resource planning and management, and for us to review, develop, optimise and improve work-related practices, environment and productivity;
      • ensuring that the administrative and business operations of the Firm function in a secure, efficient and effective manner (including but not limited to examining or monitoring any computer software and/or hardware installed within the Firm, your work emails and personal digital and storage devices);
      • compliance with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities (including but not limited to disclosures to regulatory bodies, conducting audit checks or surveillance and investigation);
      • administering cessation processes; and/or
      • any other purposes relating to any of the above.
    • If you are an independent contractor of the Firm:
      • Training and orientation;
      • Administrative and support processes relating to the engagement, including its management and termination;
      • facilitating professional accreditation and complying with compliance audits;
      • compiling and publishing internal directories and emergency contact lists for business continuity;
      • ensuring that the administrative and business operations of the Firm function in a secure, efficient and effective manner (including but not limited to examining or monitoring any computer software and/or hardware installed within the Firm, your work emails and personal digital and storage devices);
      • compliance with any applicable rules, laws and regulations, codes of practice or guidelines or to assist in law enforcement and investigations by relevant authorities (including but not limited to disclosures to regulatory bodies, conducting audit checks or surveillance and investigation);
      • administering cessation processes; and/or
      • any other purposes relating to any of the above.
    • Furthermore, where permitted under the Act, the Firm may also collect, use and disclose your Personal Data for the following “Additional Purposes”:
      • taking or filming photographs and videos for corporate publicity or marketing purposes, and featuring your photographs and/or testimonials in our articles and publicity materials;
      • providing or marketing services and benefits to you, including promotions, service upgrades, loyalty, reward and/or membership programmes;
      • organising roadshows, tours, campaigns and promotional or events and administering contests and competitions;
      • matching Personal Data with other data collected for other purposes and from other sources (including third parties) in connection with the provision or offering of services;
      • sending you details and information of services and rewards, either to our customers and users generally, or which we have identified may be of interest to you;
      • conducting market research, aggregating and analysing customer profiles and data to determine patterns and trends, understanding and analysing customer behaviour, location, preferences and demographics for us to offer you other products and services as well as special offers and marketing programmes which may be relevant to your preferences and profile; and/or
      • purposes which are reasonably related to the aforesaid.
    • In relation to particular services or in your interactions with us, we may also have specifically notified you of other purposes for which we collect, use or disclose your Personal Data. If so, we will collect, use and disclose your Personal Data for these additional purposes as well, unless we have specifically notified you otherwise.
    • The Firm may disclose your Personal Data in various ways including:
      • where such disclosure is required for performing obligations in the course of or in connection with our provision of the services requested by you;
      • if we believe that your actions are not consistent with our user policies and agreements, or to protect the property, safety, and rights of us or any third party;
      • to technical consultants, vendors, experts or other service providers whether located in Singapore or elsewhere who require access to such information to do work on our behalf;
      • to agents, contractors or third party service providers who provide technology solutions, support, operational or administrative services, such as for our online services, courier services, telecommunications, information technology, payment, payroll processing, training, market research, storage, archival, client support services;
      • in connection with professional indemnity policies, and to our professional advisers including auditors;
      • to any relevant authorities, including professional regulatory bodies and/or law enforcement agencies, whether local or overseas;
      • to the extent necessary to comply with any laws, regulations, rules, directions, guidelines and other similar requirements;
      • in connection with, or during negotiations of, any sale, merger of company assets, acquisition or financing of a portion or all of our business to another company or individual;
      • disclose de-identified or aggregated information, which cannot reasonably be used to identify you;
      • at your direction or with your consent; and/or
      • any other party to whom you authorise us to disclose your Personal Data.
    • Subject to the provisions of any applicable law, your Personal Data may be disclosed, for the purposes listed above (where applicable), to the following entities or parties, whether they are located overseas or in Singapore:
      • among the Firm and affiliates (including their staff);
      • companies providing services relating to insurance to the Firm;
      • agents, contractors, sub-contractors or third party service providers who provide operational services to the Firm, such as courier services, telecommunications, information technology, payment, printing, billing, debt recovery, processing, technical services, transportation, training, market research, call centre, security, or other services to the Firm;
      • vendors or third party service providers and our marketing and business partners in connection with marketing promotions, products and services;
      • our corporate clients;
      • any business partner, investor, assignee or transferee (actual or prospective) to facilitate business asset transactions (which may extend to any merger, acquisition or asset sale);
      • external banks, credit card companies, other financial institutions and their respective service providers;
      • our professional advisers such as consultants, auditors and lawyers;
      • relevant government ministries, regulators, statutory boards or authorities or law enforcement agencies to comply with any laws, rules, guidelines and regulations or schemes imposed by any governmental authority; and/or
      • any other party to whom you authorise us to disclose your Personal Data to.
    • The purposes listed in the above clauses may continue to apply even in situations where your relationship with us (for example, pursuant to a contract) has been terminated or altered in any way, for a reasonable period thereafter (including, where applicable, a period to enable us to enforce our rights under any contract with you).
    • You further understand, acknowledge and agree that where you have engaged us to carry out any work in any jurisdictions outside Singapore, the transfer of your Personal Data records to these jurisdictions may be necessary to give effect to your instructions and that you request and consent to our so transmitting your, Personal Data outside Singapore. Personal Data may therefore be exported to, processed and accessed in countries whose laws provide a different level of protection, which may not necessarily be comparable to that provided in Singapore.
4. Use of Cookies, Web Beacons, and Similar Technologies on the Sites.
  • When you visit or interact with our Sites and services, we or our authorised service providers may use cookies, web beacons, and other similar technologies for collecting and storing information to help provide you with a better, faster, and safer web experience.
  • The information collected by us or our authorised service providers may recognise a visitor as a unique user and may collect information such as how a visitor arrives at our Sites, what kind of browser a visitor is on, what operating system a visitor is using, a visitor’s IP address and a visitor’s click stream information and time stamp (for example, which pages they have viewed, the time the pages were accessed and the time spent per web page).

  • The use of cookies, web beacons and similar technologies by us on our Sites has different functions. They are either necessary for the functioning of our services, help us improve our performance, or serve to provide you with extra functionalities. They may also be used to deliver content that is more relevant to you and your interests, or to target advertising to you on or off our Sites.

    Cookies – Small text files (typically made up of letters and numbers) placed in the memory of your browser or device when you visit a website or view a message. Cookies allow a website to recognise a particular device or browser. There are several types of cookies:

  • Session cookies expire at the end of your browser session and allow us to link your actions during that particular browser session.
  • Persistent cookies are stored on your device in between browser sessions, allowing us to remember your preferences or actions across multiple Sites.
  • First-party cookies are set by the Site you are visiting.
  • Third-party cookies are set by a third party site separate from the Site you are visiting.

    Cookies can be disabled or removed by tools that are available in most commercial browsers. The preferences for each browser you use will need to be set separately and different browsers offer different functionality and options.

    Web beacons – Small graphic images (also known as “pixel tags” or “clear GIFs”) may be included on our Sites and services. Web beacons typically work in conjunction with cookies to profile each unique user and user behaviour.

    Similar technologies– Technologies that store information in your browser or device utilising local shared objects or local storage, such as flash cookies, HTML 5 cookies, and other web application software methods. These technologies can operate across all of your browsers.

  • We offer certain Site features and services that are available only through the use of these technologies. You are always free to block, delete, or disable these technologies if your browser so permits. However, if you decline cookies or other similar technologies, you may not be able to take advantage of certain Site features or services tools. For more information on how you can block, delete, or disable these technologies, please review your browser settings.
5. Third-Party Sites.
  • Our Sites may contain links to other websites and resources operated or provided by third parties, including for example our business partners, with different privacy practices. We are not responsible for the data protection practices of websites operated by third parties that are linked to our Sites. We encourage you to learn about the data protection practices of such third party websites. Some of these third party websites may be co-branded with our logo or trade mark, even though they are not operated or maintained by us. Once you have left our Sites, you should check the applicable Data Privacy Policy of the third party website to determine how they will handle any information they collect from you.
  • We use third party service providers, like Freshworks Inc (Freshworks) to enable interaction with you on our website and/or our product. As a data processor acting on our behalf, Freshworks automatically receives and records certain information of yours like device model, IP address, the type of browser being used and usage pattern through cookies and browser settings. Freshworks performs analytics on such data on our behalf which helps us improve our service to you. You can read about the cookies Freshworks sets in their cookie policy here https://www.freshworks.com/list-of-cookies/. 
6. Retention of Personal Data.
  • We retain such Personal Data as may be required for business or legal purposes, and such purposes do vary according to the circumstances.
  • We will cease to retain your Personal Data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the Personal Data was collected, and is no longer necessary for legal or business purposes.
7. Protection of Personal Data.
  • The Firm will take reasonable steps to protect your Personal Data against unauthorised disclosure. To safeguard your Personal Data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of Personal Data by us, and disclosing Personal Data both internally and to our authorised third party service providers and agents only on a need-to-know basis.
  • You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.
8. Data Breach Notification.
  • data breach”, in relation to personal data, means —
    • the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
    • the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
  • affected individual” means any individual to whom any personal data affected by a data breach relates.
  • Where required by PDPA, we will notify the Personal Data Protection Commission (“PDPC”) of a data breach as soon as practicable but in any case no later than 3 calendar days after the day we makes the assessment of whether the data breach is a notifiable data breach.
  • Where required by PDPA, we will notify the affected individuals as soon as soon as practicable, at the same time or after notifying the PDPC, in any manner reasonable in the circumstances.
  • The notification by us to the PDPC of a notifiable data breach will include all of the information as required by Personal Data Protection (Notification of Data Breaches) Regulations 2021.
  • The notification by us to affected individuals affected by a notifiable data breach will include all of the following information as required by Personal Data Protection (Notification of Data Breaches) Regulations 2021 and also notify you and advise on the possible steps to protect yourself from further potential harm.
  • Notification(s) of notifiable data breaches by us to affected individuals, if any, will be delivered to affected individuals by any means we select, including via email. It is the affected individual’s sole responsibility to ensure the accurate contact information is maintained on our applications and secure transmission at all times.
  • Notwithstanding the foregoing, where required by PDPA and where we are a data intermediary and have reason to believe that a data breach has occurred in relation to personal data that we (as a data intermediary) are processing on behalf of another organisation (“Customer”), we will, without undue delay, notify Customer of the occurrence of the data breach. Customer is solely responsible for determining whether to notify affected individuals and for providing such notice, and for determining whether relevant supervisory authorities like PDPC need to be notified of a data breach as may be required for Customer’s own business and activities. Notwithstanding the foregoing, Customer agrees to reasonably coordinate with us on the content of Customer’s intended public statements or required notices for affected individuals and/or notices to relevant supervisory authorities like PDPC regarding the data breach.
  • Notification(s) of data breaches by us to Customer, if any, will be delivered to one or more of Customer’s administrators by any means we select, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on our applications and secure transmission at all times.
  • Our obligation to report a data breach under this Notice is not and will not be construed as an acknowledgement by us of any fault or liability of us with respect to such data breach.
  • The foregoing notification obligations of ours do not extend to data breaches caused by the Customers or personally identifiable information (PII) principals / data subjects or within system components for which such Customers or PII principals / data subjects are responsible.
9. Accuracy of Personal Data.
  • We generally rely on Personal Data provided by you (or your authorised representative). In order to ensure that your Personal Data is current, complete and accurate, please update us if there are changes to your Personal Data by informing our Data Protection Officer in writing or via email at the contact details provided below.
10. Transfers of Personal Data Outside of Singapore.
  • Your Personal Data may be transferred from country, state and city (“Home Country”) in which you are present while using our services to another country, state and city (“Alternate Country”).

    When we transfer your Personal Data from your Home Country to the Alternate Country, we will comply with our legal and regulatory obligations in relation to your Personal Data, including having a lawful basis for transferring Personal Data and putting appropriate safeguards in place to ensure an adequate level of protection for the Personal Data. We will also ensure that the recipient in Alternate Country is obliged to protect your Personal Data at a standard of protection comparable to the protection under applicable laws.

    Our lawful basis will be either consent (i.e. we may ask for your consent to transfer your Personal Data from your Home Country to the Alternate Country at the time you provide your Personal Data) or one of the safeguards permissible by laws
11. Withdrawing Your Consent.
  • The consent that you provide for the collection, use and disclosure of your Personal Data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop using and/or disclosing your Personal Data for any or all of the purposes listed above by submitting your request in writing or via email to our Data Protection Officer at the contact details provided below.
  • If you withdraw your consent to any or all use of your Personal Data, depending on the nature of your request, we may not be in a position to continue to provide our products and services to you, or administer any contractual relationship in place, which in turn may also result in the termination of any agreements with the Firm, and your being in breach of your contractual obligations or undertakings. The Firm’s legal rights and remedies in such event are expressly reserved.
  • Please note that withdrawing consent does not affect our right to continue to collect, use and disclose Personal Data where such collection, use and disclosure without consent is permitted or required under applicable laws.
12. Consequences of not consenting and/or providing personal data necessary for transaction, service, or application.
  • Please be noted that should you not consent and provide us with the relevant Personal Data to fulfil the purposes of collection, use and disclosure of your Personal Data by Accredify,it may hinder the Firm’s ability to continue to interact with you.
  • For Job Applicants: The Firm may not be able to make a decision on your suitability for recruitment and employment or comply with the law and therefore, the Firm may not be able to make you an offer of employment.
  • For Employees: The Firm may not be able to process your Personal Data to fulfil the necessary Human Resource / Administrative requirements for employment or comply with the law and therefore, the Firm may not be able to continue the employment relationship with you.
  • For Customers (including Healthcare Providers, Education Institutes, and Corporations): The Firm may not be able to provide, operate and administer Accredify’s products/services and provide ongoing products/services support.
13. Contact Us – Withdrawal of Consent, Access to and Correction of Personal Data.
  • If you: have any questions or feedback relating to your Personal Data or our Notice;
  • would like to withdraw your consent to any use of your Personal Data as set out in this Notice;
  • wish to make an access request for access to a copy of the Personal Data which we hold about you or information about the ways in which we use or disclose your Personal Data; or
  • wish to make a correction request to correct or update any of your Personal Data which we hold about you,

    Please contact us as follows:

  • Email: dpo@accredify.io
  • Write to our Data Protection Officer at:

    Data Protection Officer
    Accredify Pte. Ltd.
    30A Kallang Place
    #11-06/07 Singapore 339213

  • Please note that if your Personal Data has been provided to us by a third party, you should contact that organisation or individual to make such queries, complaints, and access and correction requests to the Firm on your behalf.
14. Effect of Notice and Changes to Notice.
  • Without prejudice to the foregoing, by accessing and using our Sites in any way, you represent and warrant that you have read, understand and consent to the collection, use and disclosure of your Personal Data as set out above.
  • This Notice applies in conjunction with any other policies, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your Personal Data by us.
  • We may revise this Policy from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Notice was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
15. Governing Law.
  • This Data Protection Notice shall be governed in all respects by the laws of Singapore. 

Effective as of 18 September 2023 Accredify Pte. Ltd. have updated our Data Protection Notice.

16. Previous Versions.

Data Protection Notice (EU)

Data Protection Notice (EU)

Effective Date: 18 September 2023

These Data Processing Terms apply to the Services supplied by Accredify Pte. Ltd. (“Accredify”) if you or your End Users access or use the Services in the European Economic Area or are otherwise subject to the GDPR or legislation implementing the GDPR. 

The Data Processing Terms set out terms that apply to the Processing of your Personal Data and Personal Data of your End Users by Accredify as set out in the Accredify Customer Agreement. 

In these Data Processing Terms: 

  • Data Subject” means your End Users, employees, contractors and agents, who in each case are natural persons to the extent that they are identified or identifiable and, if you are a natural person, you;
  • Data Controller” means you (the party that has entered into the Accredify Customer Agreement);
  • Data Processor” means Accredify; and
  • other capitalised terms which are not defined in the Data Processing Terms have the meanings set out in the Accredify Customer Agreement.

To provide the Services to the Data Controller, the Data Processor will store and Process Personal Data of Data Subjects in accordance with these Accredify Data Processing Terms. Where there is any conflict or ambiguity between these Data Processing Terms and the Accredify Customer Agreement, these Data Processing Terms take priority. 

1. Appointment of Data Processor.
  1. Appointment. Data Controller appoints Data Processor to Process Personal Data in accordance with clause 1.2.
  2. Processing Details. Data Processor may Process the Personal Data of Data Subjects as follows:

    • Duration of Processing. For the Duration of the Term in accordance with the Accredify Customer Agreement, for any period that the Data Processor is permitted to continue Processing to fulfil its obligations or exercise its rights under the Accredify Customer Agreement (e.g. to allow the Data Controller access to Your Content after termination), and for any longer period required by law (e.g. to maintain statutory records).

    • Nature and Purpose of Processing. To provide any Services or Material to the Data Controller as contemplated by the Accredify Customer Agreement.

    • Type of Personal Data. The Data Subject’s:

      • name, date of birth, customer identifier, email address, phone number, physical or postal address details, other contact details, bank account details and an IP address (to the extent that the Data Subject is identifiable from it);

      • communications to the Data Processor or with other End Users (e.g. in community support forums); and

      • any other personal data provided by Data Subjects or on their behalf to the Data Controller in connection with the Services – e.g. personal data that forms part of, or is disclosed by, a credential that the Data Subject submits to a Service for verification. This may include special category data.

    • Categories of Data Subjects. As defined in the introduction to these Data Processing Terms.
2. Data Processor’s Obligations.
  1. Processing in accordance with Data Controller’s Instructions.
    1. Data Processor will only Process Personal Data on behalf of the Data Controller, and in accordance with the purpose set out in clause 1.2 and otherwise in accordance with the terms of these Data Processing Terms.
  2. Restrictions on Processing.
    1. Except as set out in these Data Processing Terms, the Data Processor is not entitled to Process the Personal Data for its own purposes.
  3. Technical and Organisation Security Measures.
    1. Data Processor implements technical and organisational security measures for the processing of personal data in accordance with the GDPR. On written request, Accredify will provide the Data Controller with information reasonably requested by Data Controller regarding security practices and policies.
  4. Data and Security Breach Notification. 
    1. Data Processor will, as soon as practicable, notify Data Controller about any breach of security resulting in the accidental or unlawful disclosure of, or access to, Personal Data or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of Personal Data in accordance with the Accredify Customer Agreement.
  5. Reasonable Assistance in Response to Enquiries.
    1. Data Processor will provide reasonable assistance in response to enquiries from Data Controller or the Regulator relating to Data Processor’s Processing of Personal Data and abide by any specific advice of the Regulator to Data Processor regarding the Processing of such Personal Data.
  6. Evidence of Compliance with Data Processing Terms. 
    1. Data Processor will, upon written request from Data Controller, provide Data Controller with all information reasonably necessary to demonstrate Data Processor’s compliance with these Data Processing Terms. 
  7. Reasonable Assistance in Connection with Applicable Data Protection Laws.
    1. Data Processor will provide reasonable assistance to Data Controller to enable that Data Controller to comply with obligations which arise as a result of:
      1. a Data Subject exercises their rights under Applicable Data Protection Law in respect of Personal Data Processed by Data Processor on behalf of Data Controller (such as rights to rectification, erasure, blocking, access their personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making);
      2. Data Controller is required to deal or comply with any assessment, enquiry, notice or investigation by the Regulator; or
      3. Data Controller is required under Applicable Data Protection Law to carry out a mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data entrusted to the Data Processor under these Data Processing Terms,
  8. Audits.
    1. Data Processor will permit Data Controller upon written notice, at a mutually convenient date and time and no more than once per year (or more frequently if required by law), to conduct an audit to confirm compliance with Data Processor’s obligations under these Data Processing Terms. Such audits must be carried out subject to the auditor having professional qualifications to carry out such an audit and agreeing to reasonable terms to protect the confidential information of the Data Processor. Access to the systems and processes of the Data Processor will be strictly limited to that which is necessary for the purpose of this clause 2.8 and subject to access being within the Data Processor’s control.
  9. Processing in a Third Country. 
    1. Where the Data Processor Processes Personal Data in any Third Country, it will ensure that any transfer of Personal Data to any Third Country will comply with Applicable Data Protection Laws.
3. Data Controller’s Obligations.
  1. Warranties. Data Controller warrants that:
    1. the legislation applicable to it does not prevent Data Processor from fulfilling the instructions received from the Data Controller and performing Data Processor’s obligations under the Accredify Customer Service Agreement and these Data Processing Terms; and
    2. it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained all necessary consents and given all necessary notices, and otherwise has a legitimate ground to disclose the Personal Data to Data Processor and enable the Processing of the Personal Data by the Data Processor as described in these Data Processing Terms and the Accredify Customer Service Agreement. 
  2. Indemnity.
    1. Data Controller indemnifies and will hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interests, penalties and legal and other professional costs and expenses) incurred by Data Processor in connection with any breach of this clause 3. 
4. Sub-processors.
  1. Permitted sub-processors. Data Controller consents to the use of sub-processors for Processing as updated from time to time. If Data Controller objects or does not agree to any such sub-processors, the Data Processor may terminate the Accredify Customer Agreement on written notice.
  2. Terms applicable to sub-processors. Data Processor will ensure it has a written contract in place with all sub-processors who perform Processing which contains obligations which permit effective control and oversight with respect to the Processing of Personal Data to ensure compliance with these Data Processing Terms.
5. Confidentiality.
  1. The Data Processor undertakes to the Data Controller to:

    1. hold all Personal Data in strict confidence; and

    2. ensure that employees, agents, officers, consultants, sub-processors, subcontractors and advisers authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

  2. The obligation in clause 5.1 will not apply to a disclosure of Personal Data that is required by any law or regulation of any country with jurisdiction over the affairs of any Data Processor or required by any order of any court of competent jurisdiction.
6. Governing Law and Jurisdiction.

This Agreement will be governed by the Laws of Singapore and each party consents to the non-exclusive jurisdiction of the Singapore courts. Neither party is permitted to object to the transfer of any proceedings to Singapore courts on any basis, including inconvenience.

7. Termination.
  1. Termination. These Data Processing Terms terminate if the Accredify Customer Agreement terminates. 
  2. Consequences of termination.
    1. Upon termination of the Accredify Customer Agreement and these Data Processing Terms, the Data Processor will manage all Personal Data in accordance with the Accredify Customer Agreement and Applicable Data Protection Laws, including with respect to the destruction or return of such Personal Data, and the ongoing security of any retained Personal Data.
8. Changes to Data Processing Terms.
  1. Data Processor may make changes to these Data Processing Terms in accordance with the processes set out in the Accredify Customer Agreement (as if references to “this Agreement” were references to these Data Processing Terms). 
9. Definitions and Interpretation.
  1. Definitions. The following terms will have the meaning set out below:
    1. Applicable Data Protection Laws means the GDPR (as amended, consolidated, re-enacted or replaced from time to time). 
    2. GDPR  means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. 
    3. Accredify Customer Agreement means the Agreement entered into between you and Accredify Limited as described in the Customer Agreement document (and including, for clarity, any applicable Service Terms and Service Level Agreements). 
    4. Personal Data  means any information relating to a Data Subject that is subject to the GDPR or any legislation implementing the GDPR. 
    5. Process, Processed or Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 
    6. Regulator  means the data protection supervisory authority which has jurisdiction over Data Controller’s Processing of Personal Data. 
    7. Third Countries  means all countries outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time, which at the date of these Data Processing Terms include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay.