Data Protection Policy — Nest Creation Pte Ltd

1. Purpose

This policy sets out how Nest Creation Pte Ltd ("NCPL") protects personal data processed through software platforms developed and maintained by NCPL on behalf of its clients, in compliance with the Personal Data Protection Act 2012 ("PDPA").

NCPL is a software development and consultancy firm. NCPL does not provide financial advisory services and is not licensed by the Monetary Authority of Singapore. Personal data processed through NCPL's platforms is collected and controlled by NCPL's clients, who are responsible for their own compliance with the PDPA as organisations under the Act.

2. NCPL's Role Under the PDPA

Under the PDPA, NCPL operates as a data intermediary (Section 4(2)) — an organisation that processes personal data on behalf of another organisation pursuant to a written contract.

Entity	PDPA Role	Responsibility
NCPL's clients	Organisation (data controller)	Determines purposes of data collection; bears all 11 PDPA obligations
NCPL	Data intermediary	Processes data on behalf of the organisation; bears Protection, Retention, and Breach Notification obligations
Airtable, Cloudflare, Softr	Sub-processors	Process data under contract with NCPL; bear Protection, Retention, and Breach Notification obligations

3. Scope

This policy applies to:

All employees and contractors of NCPL
All personal data processed through NCPL's software platforms
All third-party systems engaged by NCPL to deliver its services

4. Personal Data Processed Through Our Platforms

NCPL's platforms process personal data entered by authorised users (the organisation's representatives). NCPL does not determine what data is collected or for what purpose. The categories below reflect the data fields available in the platform:

Category	Examples	Entered By
Identity	Full name, date of birth	Organisation's representative
Insurance	Policy numbers, insurer, coverage amounts, premiums, benefits	Organisation's representative
Financial	Income, net worth, financial profile, protection gap analysis	Organisation's representative
Family	Spouse information, dependant ages	Organisation's representative
System	User email, consent timestamps, record metadata	System-generated

5. Purpose of Processing

NCPL processes personal data solely to provide and maintain its software platforms for its clients. Specifically:

Platform operation — storing, retrieving, and displaying data entered by authorised users
Feature delivery — enabling portfolio visualisation, coverage gap analysis, and report generation as requested by the organisation
System maintenance — ensuring platform availability, security, and performance
Compliance support — recording consent timestamps and facilitating data export and deletion at the organisation's direction

NCPL does not use personal data processed through its platforms for any purpose beyond providing the contracted software service. NCPL does not use this data for marketing, profiling, analytics, or any independent purpose.

6. Consent

NCPL does not collect personal data directly from data subjects. The organisation (NCPL's client) is responsible for obtaining consent from data subjects before entering their data into the platform.

To support the organisation's consent obligations, NCPL's platforms include:

A mandatory data protection notice displayed before any data entry
A consent confirmation checkpoint that must be completed before data can be entered
Automatic recording of the consent date and the identity of the user who confirmed consent

7. Data Storage and Transfer

7.1 Systems

System	Provider	Location	Role	Certifications
Airtable	Formagrid Inc	United States	Database	ISO 27001, SOC 2 Type II, ISO 27701
Cloudflare Workers	Cloudflare Inc	Global edge	API proxy	ISO 27001, SOC 2 Type II
Softr	Softr Platforms GmbH	Germany (AWS EU)	Web application	SOC 1, SOC 2, ISO 27001 (via AWS); 256-bit TLS

7.2 Overseas Transfer

Personal data processed through NCPL's platforms is stored on servers located in the United States. NCPL ensures a comparable standard of protection through:

Data Processing Agreements with all sub-processors, each incorporating breach notification obligations
Airtable DPA (signed 31 March 2026) incorporating GDPR-level protections and EU Standard Contractual Clauses
Sub-processors holding ISO 27001 and SOC 2 Type II certifications
The organisation's own informed consent process with data subjects, supported by the platform's built-in consent notice

7.3 Data Processing Agreements

Sub-processor	DPA Status	Breach Notification Commitment
Airtable	Signed (31 March 2026)	Within 72 hours of substantiation
Cloudflare	Standard Customer DPA	Without undue delay
Softr	Incorporated as Appendix 1 of Terms and Conditions	Immediately upon becoming aware

8. Protection

8.1 Technical Measures

All data transmissions between the platform and sub-processors use HTTPS encryption in transit
API credentials for sub-processors are stored server-side in Cloudflare Workers and are never exposed in client-side code
Platform access requires authentication through Softr's login system
Data records are scoped to authorised user email addresses
Role-based access isolation between different user permission levels

8.2 Administrative Measures

All NCPL personnel with access to production systems are bound by confidentiality obligations
NCPL does not access personal data in its clients' platforms except when required for technical support, with the client's knowledge
Access credentials are rotated periodically
Security incidents are escalated to the DPO immediately upon discovery

9. Retention

NCPL retains personal data in its platforms only for as long as the organisation requires. Specifically:

During the service relationship: Data is retained as long as the organisation's account is active
Dormancy monitoring: The platform flags data records with no activity for 24+ months, prompting the organisation's users to review whether retention is still necessary
On termination: Upon termination of the service agreement, NCPL will delete or return all personal data at the organisation's instruction
Sub-processor retention: Upon termination of NCPL's agreements with sub-processors, NCPL will request deletion of all data per the relevant DPA

NCPL does not independently determine retention periods. The organisation is responsible for establishing and enforcing its own retention schedule.

10. Access and Correction

NCPL does not receive access or correction requests directly from data subjects. Such requests are directed to the organisation.

To support the organisation's obligations:

The platform includes a data export function that produces a complete record of all data held for any individual
The platform allows the organisation's authorised users to correct data directly
NCPL will assist the organisation in responding to access or correction requests upon reasonable notice

11. Data Breach Notification

In the event that NCPL becomes aware of a data breach affecting personal data in its platforms:

NCPL will notify the affected organisation without undue delay, and in any case within 24 hours of becoming aware of the breach
NCPL will provide the organisation with all available information about the breach, including the nature, scope, and potential impact
NCPL will cooperate with the organisation in its assessment of whether the breach is notifiable under the PDPA
NCPL will take immediate steps to contain the breach and preserve evidence

The organisation is responsible for assessing notifiability and notifying the PDPC and affected individuals as required under the PDPA.

12. Data Protection Officer

Name: Liow Yaw Onn
Email: yawonnliow@nestcreation.com
Phone: 8363 6363

Organisations, their representatives, and data subjects may contact the DPO for any enquiries regarding how NCPL handles personal data.

13. Updates to This Policy

This policy will be reviewed annually or when there are material changes to NCPL's data processing practices. NCPL's clients will be informed of any updates that affect the processing of personal data in their platforms.