These Data Processing Terms describe the default allocation of data protection responsibilities between Beyond Clock PTE. LTD. and a Customer that uses the Beyond Clock service under the Terms of Use.

These terms are intended as a public baseline only. A signed order form, master services agreement, or negotiated data processing addendum may supplement or replace them. If a signed contract conflicts with these terms, the signed contract controls.

Customer

The organization that purchases, receives, or otherwise authorizes use of the Beyond Clock service.

Authorized User

An employee, contractor, clinician, researcher, or other individual whom the Customer permits to access the service under its account.

Customer Data

Information, files, biomarker values, survey responses, demographics, identifiers, and related metadata submitted to or made available through the service by or for the Customer.

Report Output

Reports, scores, visualizations, benchmarks, exports, and related outputs generated by the service for a Customer workflow.

De-identified Data

Data derived from Customer Data after direct identifiers have been removed or reduced, but that may still remain linkable or reasonably capable of re-identification if combined with other information. De-identified Data is not the same as anonymized data.

Anonymized/Aggregated Data

Data that has been irreversibly altered, generalized, or combined so that an individual is not reasonably identifiable by Beyond Clock or a recipient using available means.

Service Improvements

Improvements to the service, software, models, workflows, documentation, security controls, and related know-how developed from operating and improving the platform, excluding Customer Data and Report Output in identifiable form.

For Customer Data submitted to the service, the Customer acts as the controller or equivalent responsible party, and Beyond Clock acts as the processor or service provider for the core service functions described below.

Beyond Clock may act as an independent controller for limited activities involving account administration, billing, security, fraud prevention, legal compliance, and other uses of personal data that are necessary to operate the business relationship. If the parties permit internal De-identified Data use for service improvement, Beyond Clock may also act for those specific internal purposes as described in Section 9.

The subject matter of processing includes account management, secure file intake, biomarker extraction or review, report generation, report delivery, support, hosting, logging, and security operations associated with the service.

By default, Customer Data submitted through the service is stored and operationally handled in Singapore. This applies to the core hosting, storage, report processing, support, logging, and security operations used to provide the service.

Data subjects may include the Customer's staff users, patients, members, study participants, clients, or other individuals whose information the Customer chooses to submit. Categories of Customer Data may include identifiers, account information, uploaded files, biomarker values, demographic details, survey responses, report metadata, and related operational records. Processing will continue for the duration of the service relationship and any agreed return, deletion, or backup-retention period that follows.

When acting as processor, Beyond Clock will:

• process Customer Data on the Customer's documented instructions, unless otherwise required by law;
• limit personnel access to those with a business need and confidentiality obligations;
• maintain reasonable administrative, technical, and organizational safeguards for Customer Data;
• engage subprocessors only under appropriate contractual controls; and
• provide reasonable assistance with data subject requests, security incidents, and compliance obligations to the extent required by applicable law and the parties' contract.

The Customer remains responsible for:

• determining whether the service is appropriate for its intended use case and regulated environment;
• providing notices and obtaining consents or other lawful bases for the collection, disclosure, and processing of Customer Data;
• ensuring the legality, accuracy, and relevance of Customer Data submitted to the service;
• issuing lawful processing instructions and responding to data subject requests where the Customer is the controller; and
• deciding whether to restrict or opt out of internal De-identified Data use through a signed enterprise agreement.

Beyond Clock will maintain an incident-response process designed to identify, contain, investigate, and remediate security events affecting Customer Data. Where required by applicable law or contract, Beyond Clock will notify the Customer without undue delay after confirming a security incident affecting Customer Data.

Beyond Clock will provide reasonable information needed for the Customer's assessment of security controls and compliance posture, subject to confidentiality, proportionality, and the protection of other customers and platform security.

The Customer authorizes Beyond Clock to use subprocessors that support hosting, storage, security, communications, and related operational functions, provided that Beyond Clock remains responsible for their performance of the delegated processing obligations.

Where Customer Data is transferred across borders, Beyond Clock will implement contractual, technical, and organizational safeguards that are appropriate to the transfer. Any additional transfer mechanism or localization requirement should be handled in a signed contract.

Unless a signed enterprise agreement states otherwise, the Customer authorizes Beyond Clock to create and use De-identified Data derived from Customer Data for internal quality assurance, validation, workflow refinement, service analytics, and product or model improvement.

This default authorization does not extend to identifying a person or Customer publicly, reselling identifiable Customer Data, or describing merely de-identified data as anonymized. Customers that require a stricter position may negotiate an opt-out or narrower use right in the applicable order form or data processing addendum.

At the end of the service relationship, Beyond Clock will return or delete Customer Data in accordance with the applicable contract, subject to limited retention needed for security, backup integrity, legal compliance, dispute resolution, or other legitimate recordkeeping obligations.

Customers may request removal or deletion of Customer Data in accordance with applicable data privacy laws and the parties' contract. Where Beyond Clock receives a deletion or removal request directly from an individual, it may direct the request to the relevant Customer when the Customer is responsible for responding as controller or equivalent responsible party.

De-identified Data and Anonymized/Aggregated Data may continue to be retained where permitted by contract and law, provided that Beyond Clock handles those datasets in line with the distinctions described in the Privacy Policy.