Legal · B2B · Last updated 14 July 2026

Data processing agreement

Governs how TIMS Sdn Bhd(“processor”) handles personal data on behalf of enterprise customers (“controllers”) using TIMS to train their employees. Aligned with GDPR Article 28, Malaysian PDPA sections 9-11, and Singapore PDPA Part IV.

For a countersigned MSA + custom DPA, contact privacy@tims.systemsandbox.cloud. This page contains our standard terms — enterprise deals may layer additional clauses.

Scope of processing

Subject-matterProvision of the TIMS training marketplace + management platform
DurationFor the term of your subscription + 90 days for winding down
NatureStorage, hosting, transmission, structured querying, aggregation
PurposeDeliver training operations: enrolment, attendance, certification, analytics, comms
Data subjectsYour employees, HR admins, learners, provider staff
Data categoriesIdentity, contact, employment role, training records, assessment results, payment references

Processor obligations

  • Process personal data only on documented instructions from the controller (your admin configures via TIMS).
  • Ensure personnel who access personal data are bound by confidentiality obligations.
  • Implement appropriate technical + organisational measures (see Security below).
  • Not engage a sub-processor without prior authorisation. Current sub-processors listed on our privacy page.
  • Assist the controller in responding to data subject requests (export + delete are self-service; other requests within 21 days).
  • Notify the controller without undue delay of a personal data breach — within 72 hours of becoming aware.
  • On termination, delete or return all personal data at controller's choice, save where legal retention overrides.
  • Make available all information necessary to demonstrate compliance and allow audits — annual SOC 2-style attestation on request.

Security measures

  • TLS 1.2+ for all transport; HSTS + HTTP security headers enforced platform-wide.
  • Passwords hashed with bcrypt (cost 12). Session tokens are JWTs signed with a rotated secret.
  • Sensitive PII (emergency insurance policy IDs) encrypted at rest via AES-GCM with per-record IV.
  • Rate limiting on every write endpoint. HMAC signatures on NFC card URLs to prevent PII enumeration.
  • Nightly encrypted database backups to a separate region, 30-day retention, weekly automated restore-test.
  • Structured audit log of admin + privileged actions. Retention 2 years, tamper-evident.
  • Role-based access control with least-privilege: employees see themselves + team; HR admins see the org; providers see their own catalogue only.

Sub-processors

Current sub-processors and their function:

Alibaba CloudOSS file storage (Singapore) + Qwen AI generation
Zoho MailTransactional email delivery
Cloudflare / LiteSpeedTLS termination + reverse proxy

Controllers are notified via email 30 days before we add or replace a sub-processor. You may object; if we can’t address the objection you may terminate the affected service.

Cross-border transfers

Primary data storage is Singapore. Backups replicate to Alibaba OSS Singapore region. Where a controller is in the EU/UK, we rely on the EU-approved Standard Contractual Clauses (2021) supplemented by the transfer-risk assessment we can share on request. For Malaysian controllers, transfers to Singapore rely on PDPA s.129(1)(b) adequate-protection determination + our own DPA with the receiving processor.

Data subject requests

  • Self-service: any user can export their data or delete their account from Settings → Privacy without controller involvement.
  • Controller-initiated: submit via your HR admin dashboard or email us. We respond within 21 days.
  • Where a data subject contacts us directly, we route the request to the controller unless the subject requests otherwise.

Term + termination

This DPA runs for the term of the underlying subscription. On termination, we return or delete personal data within 30 days at the controller’s written direction, except where retention is required by law (see the retention table on our privacy policy).

Governing law

Malaysian law, without prejudice to mandatory data-protection statutes applicable to the controller (e.g. GDPR for EU controllers, Singapore PDPA for SG controllers). Disputes go to the courts of Kuala Lumpur.

Contact

Data Protection Officer
privacy@tims.systemsandbox.cloud