DATA PROCESSING AGREEMENT (DPA)

Effective Date: 3 January 2026

This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms of Service between Healthcare GRC Pte Ltd dba QUASR+ and the Customer governing the use of the QUASR+ platform and services (“Services”).

This DPA reflects and mirrors the data protection commitments described in the QUASR+ Privacy Policy.

  1. Definitions

For the purposes of this Agreement:

  • “Personal Data” means any information relating to an identified or identifiable individual.
  • “Sensitive Personal Data” includes health data and other data subject to enhanced protection under applicable law.
  • “Controller” means the entity that determines the purposes and means of processing Personal Data.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller.
  • “Applicable Data Protection Laws” includes the Singapore Personal Data Protection Act 2012 (“PDPA”), GDPR (where applicable), and other relevant data protection laws.

For Customers using the Services:

  • The Customer is the Controller.
  • QUASR+ is the Processor.

  2. Scope and Purpose of Processing

QUASR+ shall process Personal Data solely for the purpose of providing, operating, supporting, and improving the Services, including:

  • Incident reporting and patient safety workflows
  • User authentication, access control, and audit logging
  • System security, monitoring, and performance
  • Customer support, training, and onboarding
  • Compliance with legal and contractual obligations

QUASR+ shall not process Personal Data for any purpose other than as instructed by the Customer and documented in this Agreement and the underlying service contract.

  3. Categories of Data and Data Subjects

3.1 Data Subjects

May include:

  • Healthcare professionals and staff
  • Administrators and authorised users
  • Patients or individuals referenced in incident reports (as determined by the Customer)

3.2 Categories of Personal Data

May include:

  • User identification and account data
  • Incident reports and related content
  • Technical and usage data
  • Communications and support records

3.3 Sensitive Personal Data

May include health-related or sensitive information strictly as required for patient safety and incident management, and only as configured and controlled by the Customer.

  4. Customer Obligations

The Customer shall:

  • Ensure it has a valid legal basis to collect and provide Personal Data to QUASR+
  • Ensure instructions to QUASR+ comply with Applicable Data Protection Laws
  • Configure the Services in accordance with its legal and regulatory obligations
  • Respond to data subject requests where the Customer is the Controller

  5. QUASR+ Obligations

QUASR+ shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure personnel authorised to process Personal Data are bound by confidentiality obligations
  • Not sell Personal Data or use it for independent marketing purposes
  • Notify the Customer if an instruction is believed to violate Applicable Data Protection Laws

  6. Data Security Measures

QUASR+ shall implement reasonable administrative, technical, and organisational measures designed to protect Personal Data, including:

  • Encryption in transit and at rest (where appropriate)
  • Role-based access controls
  • Audit logging and monitoring
  • Secure development and operational practices

These measures are consistent with those described in the QUASR+ Privacy Policy.

  7. Sub-processors

QUASR+ may engage trusted sub-processors (such as cloud hosting and security providers) to support delivery of the Services, provided that:

  • Sub-processors are bound by written agreements imposing data protection obligations no less protective than this DPA
  • QUASR+ remains responsible for the performance of its sub-processors

A list of sub-processors may be provided upon reasonable request.

  8. International Data Transfers

Personal Data may be processed or stored outside the Customer’s country, including outside Singapore. Where such transfers occur, QUASR+ shall ensure appropriate safeguards are in place consistent with:

  • Singapore PDPA requirements, and
  • Equivalent protections under applicable international data protection laws (including GDPR, where applicable)

  9. Data Subject Rights

Where applicable, QUASR+ shall reasonably assist the Customer in responding to requests from data subjects to exercise their rights under Applicable Data Protection Laws, including access, correction, deletion, restriction, or portability.

Where QUASR+ receives a request directly, it shall refer the request to the Customer unless legally required to respond.

  10. Data Breach Management

QUASR+ shall:

  • Maintain procedures to detect and respond to personal data breaches
  • Notify the Customer without undue delay after becoming aware of a confirmed breach affecting Personal Data
  • Provide reasonable information to assist the Customer in meeting its legal notification obligations

  11. Data Retention and Deletion

QUASR+ shall retain Personal Data only for as long as necessary to provide the Services and meet legal or contractual obligations.

Upon termination of the Services, Personal Data shall be returned or deleted in accordance with the Customer’s instructions and the underlying agreement, unless retention is required by law.

  12. Audits and Information

Upon reasonable request, QUASR+ shall provide information necessary to demonstrate compliance with this DPA, including relevant security or compliance documentation, subject to confidentiality and security considerations.

  13. Limitation of Liability

Liability under this DPA shall be subject to the limitations of liability set out in the main service agreement, unless otherwise required by Applicable Data Protection Laws.

  14. Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the underlying service agreement. Where not specified, Singapore law shall apply.

  15. Order of Precedence

In the event of a conflict between this DPA and other agreements:

  1. This DPA shall prevail with respect to data protection matters
  2. The main service agreement shall prevail for all other matters


Annex A – Technical & Organisational Measures

QUASR+ implements reasonable administrative, technical, and organisational measures designed to protect Personal Data against unauthorised access, loss, misuse, alteration, or disclosure, taking into account the nature of the data and the risks involved.

  1. Governance & Policies
  • Documented information security and privacy policies
  • Defined roles and responsibilities for data protection and security
  • Confidentiality obligations for personnel with access to Personal Data

  2. Access Controls
  • Role-based access controls aligned to job responsibilities
  • Principle of least privilege
  • Secure authentication mechanisms (e.g. strong passwords, MFA where supported)
  • Timely provisioning and revocation of user access

  3. Encryption & Data Protection
  • Encryption of data in transit using industry-standard protocols
  • Encryption of data at rest where appropriate and supported by infrastructure
  • Secure key management practices

  4. Application & Infrastructure Security
  • Secure software development practices
  • Segregation of environments (e.g. production, testing)
  • Vulnerability management and patching processes
  • Logical separation of customer data

  5. Monitoring & Logging
  • Audit logs for user access and system activity
  • Monitoring for security events and anomalies
  • Logs protected against unauthorised access and tampering

  6. Incident Management
  • Documented incident response procedures
  • Processes to identify, investigate, and contain security incidents
  • Notification to Customers of confirmed personal data breaches without undue delay, in accordance with the DPA

  7. Availability & Resilience
  • Measures to support service availability and resilience
  • Backup and recovery processes appropriate to the Services
  • Business continuity and disaster recovery planning

  8. Vendor & Sub-processor Management
  • Due diligence on sub-processors before engagement
  • Written agreements requiring data protection and security obligations no less protective than those in the DPA
  • Ongoing oversight of key sub-processors

  9. Training & Awareness
  • Security and privacy awareness training for relevant personnel
  • Periodic refreshers aligned with role and risk

Annex B – Sub-processor List

QUASR+ may engage the following categories of sub-processors to support delivery of the Services. Sub-processors are subject to written agreements imposing data protection obligations consistent with the DPA.

Sub-processor                        | Service Provided           | Data Location(s)
Cloud Infrastructure Provider (AWS)  | Hosting and infrastructure | Singapore

An up-to-date list of named sub-processors may be provided to the Customer upon reasonable request.

QUASR+ remains responsible for the acts and omissions of its sub-processors in accordance with the DPA.

All Customer Data is stored and processed using MongoDB Atlas, with primary data hosting located in the Singapore (SG) region. Data processing activities are performed in accordance with applicable data protection laws and the terms of this Data Processing Agreement.

HIPAA-Aligned Addendum

(Applicable only where required by Customer)

This HIPAA-Aligned Addendum (“Addendum”) applies only to the extent that QUASR+ processes Protected Health Information (PHI) on behalf of a customer that is a “Covered Entity” or “Business Associate” under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

This Addendum does not apply to Customers or processing activities outside the scope of HIPAA.

  1. Definitions

Terms such as “Protected Health Information (PHI)”, “Covered Entity”, “Business Associate”, “Use”, and “Disclosure” have the meanings given under HIPAA.

For purposes of this Addendum:

  • The Customer is the Covered Entity or Business Associate
  • QUASR+ acts as a Business Associate only where PHI is involved

  2. Permitted Uses and Disclosures

QUASR+ may use and disclose PHI solely to:

  • Perform services as permitted under the DPA and underlying agreement
  • Support patient safety, incident reporting, and healthcare operations
  • Meet legal and regulatory requirements

QUASR+ shall not use or disclose PHI in a manner that would violate HIPAA if done by the Customer.

  3. Safeguards

QUASR+ shall apply administrative, technical, and physical safeguards to protect PHI, consistent with:

  • HIPAA Security Rule requirements, and
  • The Technical & Organisational Measures described in Annex A

  4. Sub-contractors

QUASR+ shall ensure that any sub-contractor that creates, receives, maintains, or transmits PHI on its behalf agrees in writing to comply with applicable HIPAA requirements.

  5. Breach Notification

QUASR+ shall notify the Customer without unreasonable delay after becoming aware of a breach of unsecured PHI, and provide information reasonably required for the Customer to comply with HIPAA breach notification obligations.

  6. Access, Amendment, and Accounting

To the extent required by HIPAA, QUASR+ shall reasonably assist the Customer in:

  • Responding to requests for access to PHI
  • Amending PHI
  • Providing an accounting of disclosures

  7. Termination

Upon termination of services involving PHI, QUASR+ shall return or securely destroy PHI, where feasible, in accordance with the underlying agreement and applicable law.

  8. No Expansion of Scope

This Addendum:

  • Applies only where HIPAA legally applies
  • Does not expand QUASR+’s obligations beyond the Services provided
  • Does not override non-US data protection laws, including PDPA or GDPR

  9. Order of Precedence

In the event of conflict:

  1. This HIPAA-Aligned Addendum applies only to PHI
  2. The DPA governs all other Personal Data
  3. The main service agreement governs all non-data protection matters