Effective Date:3 January 2026

1. Purpose and Regulatory Alignment

These Data Processing Guidelines (“Guidelines”) describe howHealthcare GRC Pte. Ltd. dbaQUASR+ processes personal data while providing its Software-as-a-Service (SaaS) incident reporting and safety management platform.

These Guidelines are intended to support compliance with:

• Personal Data Protection Act (PDPA)–style laws in applicable jurisdictions,

• the EU and UK General Data Protection Regulation (GDPR),and

• HIPAA-adjacent privacy and security principles, where contractually applicable.

2. Scope

These Guidelines apply to:

• all personal data and protected health information (PHI) processed through QUASR+,
• all processing activities performed by QUASR+ on behalf of Customers,
• all QUASR+ personnel, systems, and authorised sub-processors involved in service delivery.

3. Roles and Responsibilities

3.1 Customer (Data Controller / Organisation)

The Customer acts as:

• Data Controller under GDPR, or
• Organisation under PDPA-style regimes.

The Customer is responsible for:

• determining the purposes and lawful basis for processing,
• deciding what data is collected and entered into QUASR+,
• configuring access controls and user permissions,
• defining retention periods and disclosure rules.

3.2 QUASR+ (Data Processor / Data Intermediary)

QUASR+ acts as:

• Data Processor under GDPR, or
• Data Intermediary / Service Provider under PDPA-style regimes.

QUASR+:

• processes data only on documented instructions from the Customer,
• does not determine the purposes of processing,
• does not use Customer data for independent or unrelated purposes.

4. Categories of Data Processed

Depending on Customer configuration and use, QUASR+ may process:

4.1 Personal Data

• user account information (e.g. name, role, email address),
• staff identifiers referenced in incident records,
• audit logs, access records, and system activity data.

4.2 Health-Related and Incident Data

• incident and near-miss reports,
• descriptions of adverse events or hazards,
• follow-up actions and investigation records,
• root cause analysis records

Such data may constitute:

• Special Category Data under GDPR (health data),
• Sensitive Personal Data under PDPA-style laws. Or
• Protected Health Information (PHI) under HIPAA

5. Purpose Limitation

QUASR+ processes data solely to:

• enable incident reporting and management workflows,
• support analysis, tracking, and reporting of safety events,
• provide dashboards and system-generated reports,
• operate, maintain, and secure the QUASR+ platform.

QUASR+ does not:

• sell or monetise Customer data,
• use Customer data for advertising or profiling,
• process data beyond Customer instructions.

6. Lawful Basis for Processing

6.1 GDPR

The Customer determines and documents the lawful basis for processing, which may include:

• compliance with legal obligations,
• performance of a task in the public interest,
• legitimate interests,
• applicable conditions for processing health data.

QUASR+ relies on the Customer’s determination and acts strictly as a processor.

6.2 PDPA-Style Regimes

Processing may rely on:

• consent or deemed consent,
• legal or regulatory obligations,
• purposes related to organisational safety and risk management.

7. Data Security Measures

7.1 Technical Safeguards

• encryption of data in transit (TLS) and at rest,
• role-based access controls (RBAC),
• secure authentication mechanisms,
• logical separation of customer environments,
• regular security updates and vulnerability management.

7.2 Organisational Safeguards

• confidentiality obligations for employees and contractors,
• least-privilege access principles,
• privacy and security awareness training,
• documented incident response procedures.

These measures are designed to meet:

• GDPRrequirements,
• PDPA protection obligations,
• HIPAA Security Rule–aligned standards, where applicable.

8. Sub-processors

• QUASR+ may engage third-party sub-processors (e.g. cloud infrastructure provider AWS) strictly for service delivery.
• All sub-processors are bound by written agreements imposing appropriate data protection and confidentiality obligations.
• QUASR+ remains responsible for the performance of its sub-processors.

A list of current sub-processors is available upon request.

9. Data Location and Cross-Border Transfers

• Customer data is hosted in locations agreed contractually.
• Where data is transferred across borders, appropriate safeguards are implemented, including:
  • Standard Contractual Clauses (GDPR), or
  • equivalent contractual and technical protections under PDPA-style laws.

10. Data Retention and Deletion

• Data retention periods are defined by the Customer.
• QUASR+ retains data only for as long as necessary to provide the service or as instructed.
• Upon termination of services:
  • Customer data will be returned or made available, and
  • remaining copies securely deleted within agreed timeframes,
    unless retention is legally required.

11. Data Subject Rights

Where applicable law provides individual rights (e.g. access, correction, erasure):

• Customers are responsible for responding to such requests as Data Controllers.
• QUASR+ will provide reasonable assistance to enable compliance.

12. Security Incidents and Breach Notification

• QUASR+ maintains a documented security incident management process.
• In the event of a confirmed personal data breach:
  • Customers will be notified without undue delay,
  • relevant information will be provided to support regulatory assessments,
  • cooperation will be provided for mitigation and remediation.

13. Audit and Compliance

• QUASR+ maintains internal controls and documentation to demonstrate compliance with these Guidelines.
• Reasonable audit or assurance requests may be supported, subject to confidentiality and security requirements.

14. Updates to These Guidelines

These Guidelines may be updated periodically to reflect:

• changes in applicable data protection laws,
• security or architectural improvements,
• updates to QUASR+ service features.

Material changes will be communicated to Customers.

15. Contact

Data Protection Contact
QUASR+
Email: devaki.k@healthgrc.com

Singapore