← Back to home

Data Processing Addendum

Last updated: July 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Clavis ("Processor", "we", "us") for the use of Stasis. It applies where we process personal data on the Controller's behalf, and reflects the requirements of the Personal Data Protection Act 2010 of Malaysia (as amended).

1. Roles of the parties

The Controller is the data controller and determines the purposes and means of processing the personal data it puts into Stasis. Clavis is the data processor and processes that personal data only on the Controller's behalf. Each party will comply with its own obligations under applicable data protection law.

2. Subject-matter, duration, nature & purpose

  • Subject-matter: provision of the Stasis team-management and capacity-planning service.
  • Duration: for the term of the Controller's subscription, plus any wind-down period described in this DPA.
  • Nature & purpose: hosting, storing, organising, scheduling and displaying the Controller's work data, and sending related notifications, in order to provide the service.
  • Types of data: names, work email addresses, roles, schedules, leave records, task notes and related work data of the Controller's staff.
  • Data subjects: the Controller's staff and users of its workspace.

3. Processing on documented instructions

We will process personal data only on the Controller's documented instructions, including as set out in the agreement, this DPA and the Controller's use of the service's features, unless required to act otherwise by applicable law (in which case we will inform the Controller where legally permitted).

4. Confidentiality of personnel

We ensure that persons authorised to process personal data are bound by confidentiality obligations and are granted access only on a need-to-know basis.

5. Security measures

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, row-level tenant isolation, access controls and least-privilege access, encrypted push notifications, and logging of security-relevant events. We review these measures as the service and risks evolve.

6. Sub-processors

The Controller authorises us to engage sub-processors to provide the service. Our current sub-processors are:

Sub-processorPurposeLocation
SupabaseDatabase & authenticationSingapore
CloudflareHosting, CDN & file storageGlobal (incl. Singapore)
ResendTransactional emailUnited States
StripePayment processingGlobal

We impose data-protection obligations on each sub-processor that are substantially the same as those in this DPA, and we remain responsible for their performance. We will give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor, and the Controller may object on reasonable data-protection grounds; if an objection cannot be resolved, the Controller may terminate the affected part of the service.

7. Assisting with data-subject requests

Taking into account the nature of the processing, we will assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects to exercise their rights (such as access, correction, withdrawal of consent and data portability). The service also lets the Controller access, correct, export and delete workspace data directly.

8. Personal-data breach notification

We will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's personal data, and will provide the information reasonably available to help the Controller meet its own notification obligations.

9. Deletion or return on termination

On termination or expiry of the subscription, and at the Controller's choice, we will delete or return the personal data we process on the Controller's behalf, and delete existing copies, except to the extent applicable law requires us to retain them. The Controller may export its data before termination.

10. Demonstrating compliance

We will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and will contribute to reasonable audits or inspections conducted by the Controller or its appointed auditor, subject to reasonable confidentiality and security arrangements.

11. Cross-border transfer

Where processing involves transferring personal data outside Malaysia (for example to Singapore or to globally-operated sub-processors), we rely on contractual safeguards equivalent to recognised standards such as the EU Standard Contractual Clauses and the ASEAN Model Contractual Clauses, so that the data remains protected to a comparable standard.

12. International transfers (EU / UK GDPR)

Where the Controller is subject to the EU General Data Protection Regulation or the UK GDPR, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor), are incorporated into this DPA by reference and apply to transfers of the Controller's personal data to us. For transfers subject to the UK GDPR, the parties also incorporate the UK International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner. For the purposes of those clauses, the description of processing in section 2 stands as Annex I, the security measures in section 5 stand as Annex II, and the sub-processor list in section 6 stands as the Annex III list of authorised sub-processors. In the event of a conflict between this DPA and the incorporated clauses, the clauses prevail.

The service is hosted in Singapore, which is not covered by an EU adequacy decision. That is why these contractual safeguards apply: they supply the protection for transfers out of the EU or UK that an adequacy decision would otherwise provide.

13. EU / UK data subject rights

Where EU or UK GDPR applies to the Controller, the data-subject rights under those laws are supported by features the Controller can use directly: access and portability through the workspace export, which produces a machine-readable copy of the workspace's clients, jobs, templates, schedules, people and settings (JSON and per-table CSV); rectification by editing records in the app; erasure through workspace deletion, the remove-person flow (which anonymises past records), and member deletion requests routed to the Controller; and restriction of processing by unassigning a person's future work pending resolution of a request. Where a request cannot be completed through these features, we will assist the Controller as described in section 7.

14. Order of precedence

This DPA forms part of, and is subject to, the Terms of Service. In the event of a conflict between this DPA and the Terms with respect to the processing of personal data, this DPA prevails.

15. Contact

For any matter under this DPA, contact [email protected].

Questions about this document? Contact us at [email protected].