QUASR+ DATA PROCESSING GUIDELINES

Effective Date: 3 January 2026



  1. Purpose and Regulatory Alignment

These Data Processing Guidelines (“Guidelines”) describe how Healthcare GRC Pte. Ltd. dba QUASR+ processes personal data while providing its Software-as-a-Service (SaaS) incident reporting and safety management platform.

These Guidelines are intended to support compliance with:

  • Personal Data Protection Act (PDPA)–style laws in applicable jurisdictions,
  • the EU and UK General Data Protection Regulation (GDPR), and
  • HIPAA-adjacent privacy and security principles, where contractually applicable.

  2. Scope

These Guidelines apply to:

  • all personal data and protected health information (PHI) processed through QUASR+,
  • all processing activities performed by QUASR+ on behalf of Customers,
  • all QUASR+ personnel, systems, and authorised sub-processors involved in service delivery.

  3. Roles and Responsibilities

3.1 Customer (Data Controller / Organisation)

The Customer acts as:

  • Data Controller under GDPR, or
  • Organisation under PDPA-style regimes.

The Customer is responsible for:

  • determining the purposes and lawful basis for processing,
  • deciding what data is collected and entered into QUASR+,
  • configuring access controls and user permissions,
  • defining retention periods and disclosure rules.

3.2 QUASR+ (Data Processor / Data Intermediary)

QUASR+ acts as:

  • Data Processor under GDPR, or
  • Data Intermediary / Service Provider under PDPA-style regimes.

QUASR+:

  • processes data only on documented instructions from the Customer,
  • does not determine the purposes of processing,
  • does not use Customer data for independent or unrelated purposes.

  4. Categories of Data Processed

Depending on Customer configuration and use, QUASR+ may process:

4.1 Personal Data

  • user account information (e.g. name, role, email address),
  • staff identifiers referenced in incident records,
  • audit logs, access records, and system activity data.

4.2 Health-Related and Incident Data

  • incident and near-miss reports,
  • descriptions of adverse events or hazards,
  • follow-up actions and investigation records,
  • root cause analysis records.

Such data may constitute:

  • Special Category Data under GDPR (health data),
  • Sensitive Personal Data under PDPA-style laws, or
  • Protected Health Information (PHI) under HIPAA.

  5. Purpose Limitation

QUASR+ processes data solely to:

  • enable incident reporting and management workflows,
  • support analysis, tracking, and reporting of safety events,
  • provide dashboards and system-generated reports,
  • operate, maintain, and secure the QUASR+ platform.

QUASR+ does not:

  • sell or monetise Customer data,
  • use Customer data for advertising or profiling,
  • process data beyond Customer instructions.

  6. Lawful Basis for Processing

6.1 GDPR

The Customer determines and documents the lawful basis for processing, which may include:

  • compliance with legal obligations,
  • performance of a task in the public interest,
  • legitimate interests,
  • applicable conditions for processing health data.

QUASR+ relies on the Customer’s determination and acts strictly as a processor.

6.2 PDPA-Style Regimes

Processing may rely on:

  • consent or deemed consent,
  • legal or regulatory obligations,
  • purposes related to organisational safety and risk management.

  7. Data Security Measures

7.1 Technical Safeguards

  • encryption of data in transit (TLS) and at rest,
  • role-based access controls (RBAC),
  • secure authentication mechanisms,
  • logical separation of customer environments,
  • regular security updates and vulnerability management.

7.2 Organisational Safeguards

  • confidentiality obligations for employees and contractors,
  • least-privilege access principles,
  • privacy and security awareness training,
  • documented incident response procedures.

These measures are designed to meet:

  • GDPR requirements,
  • PDPA protection obligations,
  • HIPAA Security Rule–aligned standards, where applicable.

  8. Sub-processors

  • QUASR+ may engage third-party sub-processors (e.g. cloud infrastructure provider AWS) strictly for service delivery.
  • All sub-processors are bound by written agreements imposing appropriate data protection and confidentiality obligations.
  • QUASR+ remains responsible for the performance of its sub-processors.

A list of current sub-processors is available upon request.

  9. Data Location and Cross-Border Transfers

  • Customer data is hosted in locations agreed contractually.
  • Where data is transferred across borders, appropriate safeguards are implemented, including:
    • Standard Contractual Clauses (GDPR), or
    • equivalent contractual and technical protections under PDPA-style laws.

  10. Data Retention and Deletion

  • Data retention periods are defined by the Customer.
  • QUASR+ retains data only for as long as necessary to provide the service or as instructed.
  • Upon termination of services:
    • Customer data will be returned or made available, and
    • remaining copies securely deleted within agreed timeframes,
      unless retention is legally required.

  11. Data Subject Rights

Where applicable law provides individual rights (e.g. access, correction, erasure):

  • Customers are responsible for responding to such requests as Data Controllers.
  • QUASR+ will provide reasonable assistance to enable compliance.

  12. Security Incidents and Breach Notification

  • QUASR+ maintains a documented security incident management process.
  • In the event of a confirmed personal data breach:
    • Customers will be notified without undue delay,
    • relevant information will be provided to support regulatory assessments,
    • cooperation will be provided for mitigation and remediation.

  13. Audit and Compliance

  • QUASR+ maintains internal controls and documentation to demonstrate compliance with these Guidelines.
  • Reasonable audit or assurance requests may be supported, subject to confidentiality and security requirements.

  14. Updates to These Guidelines

These Guidelines may be updated periodically to reflect:

  • changes in applicable data protection laws,
  • security or architectural improvements,
  • updates to QUASR+ service features.

Material changes will be communicated to Customers.


  15. Contact

Data Protection Contact
QUASR+
Email: devaki.k@healthgrc.com

Singapore
