Updated 2026-04-21 · Operator: AcctTen (acctten.com)
The following third-party service providers process personal data on our behalf as sub-processors under our Data Processing Addendum. Each provider operates under a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) or is certified under comparable frameworks (APEC CBPR, APEC PRP) recognised by the Singapore Personal Data Protection Commission (PDPC) for cross-border transfer under PDPA §26.
| Processor | Purpose | Region | Certification | DPA |
|---|---|---|---|---|
| Supabase (Postgres, Auth, Storage) | Primary data store — tenants, employees, payroll records, audit logs, authentication | ap-southeast-1 (Singapore) | SOC 2 Type II · ISO 27001 | DPA ↗ |
| Vercel | Application compute, static hosting, edge functions | Global edge network | SOC 2 Type II · ISO 27001 · GDPR SCCs | DPA ↗ |
| Stripe | Subscription billing + card payment processing (card data stays on Stripe — we never receive PAN) | United States | PCI-DSS Level 1 · SOC 2 Type II · SCCs | DPA ↗ |
| Google Vertex AI | Agentic payroll assistance (zero-retention inference, APEC-CBPR certified transfer) | Global Endpoint | APEC CBPR · APEC PRP · ISO 27001 · ISO 27701 | DPA ↗ |
| Anthropic (via Vertex router) | Backup LLM route for high-tier agent calls (zero-retention for API calls) | United States | SOC 2 Type II · SCCs | DPA ↗ |
| Sentry (Functional Software, Inc.) | Error telemetry only — PII-scrubbing hook redacts NRIC, bank, salary, email before ingestion | Configurable (default United States) | SOC 2 Type II · ISO 27001 · SCCs | DPA ↗ |
| OneMap (SG Land Authority) | Postal-code → address lookup at signup (non-PII query) | Singapore | Government-operated service | DPA ↗ |
| ACRA Open Data | UEN → entity lookup at signup (SG Open Data Licence, attribution displayed) | Singapore | Government open data — SG Open Data Licence 1.0 | DPA ↗ |
| Google OAuth | Optional social sign-in (for users who choose Google SSO) | United States | APEC CBPR · APEC PRP · ISO 27001 | DPA ↗ |
Material changes: We will notify registered OWNER / ADMIN contacts at least 30 days in advance of any new sub-processor engagement that will materially alter the cross-border transfer pattern or the categories of personal data processed.
Questions or objections regarding sub-processors: dpo@acctten.com