Governs how TIMS Sdn Bhd(“processor”) handles personal data on behalf of enterprise customers (“controllers”) using TIMS to train their employees. Aligned with GDPR Article 28, Malaysian PDPA sections 9-11, and Singapore PDPA Part IV.
For a countersigned MSA + custom DPA, contact privacy@tims.systemsandbox.cloud. This page contains our standard terms — enterprise deals may layer additional clauses.
| Subject-matter | Provision of the TIMS training marketplace + management platform |
| Duration | For the term of your subscription + 90 days for winding down |
| Nature | Storage, hosting, transmission, structured querying, aggregation |
| Purpose | Deliver training operations: enrolment, attendance, certification, analytics, comms |
| Data subjects | Your employees, HR admins, learners, provider staff |
| Data categories | Identity, contact, employment role, training records, assessment results, payment references |
Current sub-processors and their function:
| Alibaba Cloud | OSS file storage (Singapore) + Qwen AI generation |
| Zoho Mail | Transactional email delivery |
| Cloudflare / LiteSpeed | TLS termination + reverse proxy |
Controllers are notified via email 30 days before we add or replace a sub-processor. You may object; if we can’t address the objection you may terminate the affected service.
Primary data storage is Singapore. Backups replicate to Alibaba OSS Singapore region. Where a controller is in the EU/UK, we rely on the EU-approved Standard Contractual Clauses (2021) supplemented by the transfer-risk assessment we can share on request. For Malaysian controllers, transfers to Singapore rely on PDPA s.129(1)(b) adequate-protection determination + our own DPA with the receiving processor.
This DPA runs for the term of the underlying subscription. On termination, we return or delete personal data within 30 days at the controller’s written direction, except where retention is required by law (see the retention table on our privacy policy).
Malaysian law, without prejudice to mandatory data-protection statutes applicable to the controller (e.g. GDPR for EU controllers, Singapore PDPA for SG controllers). Disputes go to the courts of Kuala Lumpur.
Data Protection Officer
privacy@tims.systemsandbox.cloud