PDPA & Data Protection
Version effective: 2026-01-01
This page answers common procurement questions about how chatavocado.ai handles customer data under Singapore's Personal Data Protection Act ("PDPA"). It is a plain-English summary. Where a signed Data Processing Addendum applies, the signed agreement controls.
We also publish our standard form below so customers can review the core terms before procurement. The form follows the structure of Singapore PDPC's Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data and should be incorporated into an order form, master services agreement, or signed addendum before it becomes binding.
1. Do you have a standard Data Processing Agreement or PDPA Addendum?
Yes. For customers that need a written data processing agreement, our standard PDPA Data Processing Addendum is set out below for review and signature.
Where we process personal data on a customer's behalf to provide chatavocado.ai, we act as a data intermediary for that processing under Singapore's PDPA. The addendum is designed to sit alongside the commercial agreement, order form, or other written terms between us and the customer.
The addendum covers the usual data processing terms, including:
- The scope, purpose, and duration of processing.
- Processing only for the agreed services and documented instructions.
- Confidentiality and access controls for personnel who may handle customer data.
- Security measures used to protect customer data.
- Use of third-party service providers and integrations needed to deliver the service.
- Breach notification support where required by law or contract.
- Return, deletion, retention, or anonymisation of customer data when the service ends.
2. How is customer data protected and isolated from other clients on your dashboard?
Customer data is isolated at the workspace/account level. Each client has a separate workspace ID. Dashboard access is checked against the user's workspace membership and role before customer data is returned.
Isolation is enforced server-side, not only in the dashboard interface. Backend queries are scoped by workspace, so contacts, conversations, messages, bookings, inboxes, customer records, and knowledge base data are retrieved and updated only within the authorised workspace context.
Customer-facing portal data is scoped even more narrowly. Where a customer portal is used, data is checked against both the workspace and the individual user or contact, so a portal user only sees the records that belong to their own account.
Customer data is protected through:
- Authenticated access to the dashboard and customer portal.
- Role-based access controls for workspace owners, admins, staff, and other permitted users.
- Server-side workspace scoping on customer data queries and updates.
- Access controls for operational or support access by authorised personnel.
- Retention, deletion, and anonymisation controls where configured or requested.
We do not expose one client's contacts, conversations, bookings, records, or knowledge base data to another client's dashboard.
Architecture note
Our standard cloud service uses workspace-scoped tenant isolation. We do not describe this as a separate database per client unless that has been agreed as part of a customer-specific architecture.
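The isolation model described in this section, as an added sketch (not chatavocado's code; the schema, role names, and function names are assumptions made for illustration). It uses one shared database in which every read carries a workspace predicate derived from a server-side membership check, and the portal read is additionally bound to the contact.

```python
import sqlite3

# Constructed schema and rows; every table, column, role and function name is hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memberships (user_id TEXT, workspace_id TEXT, role TEXT);
        CREATE TABLE conversations (id INTEGER PRIMARY KEY, workspace_id TEXT,
                                    contact_id TEXT, body TEXT);
        INSERT INTO memberships VALUES
            ('alice','ws_a','admin'), ('bob','ws_b','staff'), ('eve','ws_a','suspended');
        INSERT INTO conversations (workspace_id, contact_id, body) VALUES
            ('ws_a','c1','a-1'), ('ws_a','c2','a-2'), ('ws_b','c1','b-1');
    """)
    return db

class AccessDenied(Exception):
    pass

READ_ROLES = {"owner", "admin", "staff"}

def resolve_workspace(db, user_id, requested_ws):
    """Trust the requested workspace only after checking membership and role server-side."""
    row = db.execute("SELECT role FROM memberships WHERE user_id=? AND workspace_id=?",
                     (user_id, requested_ws)).fetchone()
    if row is None or row[0] not in READ_ROLES:
        raise AccessDenied(f"{user_id} may not read {requested_ws}")
    return requested_ws

def dashboard_conversations(db, user_id, requested_ws):
    ws = resolve_workspace(db, user_id, requested_ws)
    rows = db.execute("SELECT body FROM conversations WHERE workspace_id=? ORDER BY id", (ws,))
    return [r[0] for r in rows]

def get_conversation(db, user_id, requested_ws, conv_id):
    # Lookups by id keep the workspace predicate, so another tenant's id resolves to nothing.
    ws = resolve_workspace(db, user_id, requested_ws)
    row = db.execute("SELECT body FROM conversations WHERE id=? AND workspace_id=?",
                     (conv_id, ws)).fetchone()
    return row[0] if row else None

def portal_conversations(db, session_ws, session_contact):
    # Both values come from the authenticated portal session, never from request parameters.
    # Contact ids may repeat across workspaces (c1 exists in ws_a and ws_b), so both are required.
    rows = db.execute("SELECT body FROM conversations WHERE workspace_id=? AND contact_id=? "
                      "ORDER BY id", (session_ws, session_contact))
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(dashboard_conversations(make_db(), "alice", "ws_a"))
```

A security reviewer can use the same three checks as test cases during procurement: a cross-workspace list request, a cross-workspace lookup by record id, and a portal session whose contact id also exists in another workspace.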
Certification and assurance
We maintain PDPA-aligned controls and can share the current assurance position during procurement. We are preparing for Singapore's Data Protection Trustmark certification and will update this page when a current certificate, award, or assessment applies.
Contact
For a signed copy of our PDPA Data Processing Addendum or for security review questions, contact us at [email protected].
Standard PDPA Data Processing Addendum
Version effective: 2026-01-01
1. Parties and application
This PDPA Data Processing Addendum ("Addendum") applies where it is incorporated into an order form, master services agreement, statement of work, online terms, or other written agreement between Overveew Pte. Ltd. trading as chatavocado.ai ("chatavocado", "we", "us", or "our") and the customer identified in that agreement ("Customer").
This Addendum forms part of the agreement between chatavocado and Customer for the provision of chatavocado.ai services ("Agreement"). If there is a conflict between this Addendum and the Agreement in relation to the processing of Customer Personal Data, this Addendum will apply to the extent of that conflict.
2. Definitions
"Customer Personal Data" means Personal Data that Customer provides to chatavocado, makes available through the services, or instructs chatavocado to process on Customer's behalf.
"Personal Data", "processing", and "data intermediary" have the meanings given to them under Singapore's Personal Data Protection Act 2012, as amended from time to time.
"Services" means the chatavocado.ai services provided under the Agreement, including customer messaging, dashboard, booking, record, knowledge base, AI employee, support, and integration features made available to Customer.
3. Roles of the parties
Customer is responsible for determining the purposes for which Customer Personal Data is collected, used, disclosed, retained, and processed.
Where chatavocado processes Customer Personal Data on Customer's behalf for the Services, chatavocado acts as a data intermediary under the PDPA and processes Customer Personal Data only for the purposes set out in this Addendum, the Agreement, Customer's documented instructions, or as required by law.
4. Customer responsibilities
Customer is responsible for:
- Having the right to provide Customer Personal Data to chatavocado for processing.
- Giving any required notices and obtaining any required consents from individuals.
- Ensuring that Customer's instructions comply with applicable data protection laws.
- Keeping Customer's authorised user accounts, roles, and access permissions accurate.
- Not uploading sensitive, regulated, or special-category data unless that processing has been agreed and is appropriate for the Services.
5. Processing instructions
chatavocado will process Customer Personal Data only:
- To provide, maintain, secure, support, and improve the Services for Customer.
- To configure, operate, monitor, and improve Customer's AI employee and related workflows, including customer-specific prompts, knowledge base, retrieval, and workflow settings.
- To respond to support, onboarding, account management, billing, or security requests.
- As Customer instructs through the dashboard, integrations, messages, support requests, order forms, or the Agreement.
- As required by applicable law, court order, regulator, or government authority.
We do not sell Customer Personal Data. We do not use Customer Personal Data to train our own general AI models, or models for unrelated customers. Where the Services call third-party AI API or enterprise model providers, Customer Personal Data may be transmitted to those providers only to generate, embed, classify, retrieve, moderate, or otherwise operate the Services. We use provider services that state customer inputs and outputs are not used to train or improve general foundation models unless Customer has opted in, given prior permission, or specifically instructed that processing. Provider-side retention, caching, abuse monitoring, and application state, where applicable, are separate from model training and remain subject to the relevant provider terms and configured controls.
6. Confidentiality and personnel access
chatavocado will limit access to Customer Personal Data to personnel and authorised service providers who need access to provide, secure, or support the Services. Personnel with access to Customer Personal Data are subject to confidentiality obligations.
7. Security measures
chatavocado will make reasonable security arrangements to protect Customer Personal Data against unauthorised access, collection, use, disclosure, copying, modification, disposal, loss, or similar risks.
These arrangements include, where applicable:
- Authenticated access to the dashboard and customer portal.
- Role-based access controls for workspace users.
- Server-side workspace scoping for customer data queries and updates.
- Workspace-level isolation of customer records in the Services.
- Access controls for operational and support access.
- Cloud infrastructure security controls.
- Retention, deletion, or anonymisation controls where configured or requested.
8. Sub-processors and third-party providers
Customer authorises chatavocado to use third-party providers where needed to provide, host, secure, support, or integrate the Services. These may include cloud hosting providers, messaging providers, AI model providers, analytics providers, payment or billing providers, communications providers, and customer-authorised integrations.
chatavocado will take reasonable steps to ensure that providers who process Customer Personal Data are subject to confidentiality and data protection obligations appropriate to the nature of their processing.
9. Overseas transfers
Where Customer Personal Data is transferred or made accessible outside Singapore as part of the Services, chatavocado will take reasonable steps required under the PDPA to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA.
10. Data breach notification
If chatavocado becomes aware of a data breach involving Customer Personal Data processed on Customer's behalf, chatavocado will notify Customer without undue delay after confirming the breach or having credible grounds to believe that the breach has occurred.
The notice will include information reasonably available to chatavocado, which may include the nature of the breach, the categories of affected data, likely consequences, steps taken or proposed to address the breach, and contact details for follow-up. Customer remains responsible for assessing whether notification to affected individuals, the PDPC, or other parties is required, unless the law places that obligation directly on chatavocado.
11. Assistance with requests and compliance
Taking into account the nature of the Services and information available to chatavocado, we will provide reasonable assistance to Customer for data protection requests, security reviews, deletion or export requests, and breach assessments relating to Customer Personal Data.
12. Retention, deletion, return, and anonymisation
chatavocado will retain Customer Personal Data only for as long as needed to provide the Services, comply with the Agreement, comply with legal obligations, resolve disputes, enforce rights, maintain security, or as otherwise instructed by Customer.
On termination or expiry of the Agreement, or on Customer's written request, chatavocado will return, delete, or anonymise Customer Personal Data within a reasonable period, unless retention is required or permitted by law, the Agreement, backup procedures, dispute management, or legitimate business needs.
13. Audit and assurance
On reasonable request, chatavocado will provide information about its data protection and security measures to help Customer assess compliance with this Addendum. Any audit or review must be reasonable in scope, protect the confidentiality and security of chatavocado and other customers, and avoid disrupting the Services.
14. Limitation of liability
Liability arising under this Addendum is subject to the limitations, exclusions, and liability caps in the Agreement, unless applicable law requires otherwise.
15. Governing law
This Addendum is governed by the laws of Singapore. Any disputes arising from or in connection with this Addendum will be resolved in accordance with the dispute resolution provisions of the Agreement, or if none are stated, by the courts of Singapore.
Schedule 1: Processing details
Subject matter: Provision of chatavocado.ai services to Customer.
Duration: The term of the Agreement, plus any retention period required for support, backup, legal, compliance, security, or agreed business purposes.
Nature and purpose: Customer messaging, enquiry handling, booking and workflow management, customer record management, knowledge base operation, AI employee configuration and operation, support, analytics, reporting, billing support, and integrations authorised by Customer.
Categories of individuals: Customer's end customers, leads, prospects, patients or service recipients where applicable, authorised users, staff, admins, and other individuals whose data Customer provides or makes available through the Services.
Categories of personal data: Names, phone numbers, email addresses, messaging identifiers, conversation content, booking details, service preferences, customer records, uploaded files, knowledge base content, operational notes, user account details, support communications, and other data Customer submits to the Services.
Sensitive data: The Services are not intended for sensitive, regulated, or special-category data unless agreed with Customer. If Customer chooses to submit such data, Customer is responsible for ensuring that it has a lawful basis and appropriate controls for that processing.
Schedule 2: Data isolation summary
Customer data is isolated by workspace/account. Each workspace has a separate workspace ID. Dashboard access is checked against workspace membership and role. Backend queries are scoped by workspace, and customer portal access is scoped by both workspace and user or contact where applicable.