← Back to sign in

Data Processing Agreement

Between the Client organisation (“Controller”) and Joshua Rayan Communications (“Processor”, “JRC”), governing personal data processed through the Tellus platform.

Version 2.0 · Effective 20 June 2026 · Forms part of the Commercial Agreement between the parties (as defined in the Terms of Service)

This Data Processing Agreement (“DPA”) sets out how JRC processes personal data on behalf of the Client through the Tellus platform (the “Platform”). It is intended to comply with both the Malaysian Personal Data Protection Act 2010 (the “PDPA”, as amended) and, to the extent the Client or its processing is within scope, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the UK GDPR. It supplements, and forms part of, the Commercial Agreement between the parties. Where this DPA conflicts with the Commercial Agreement on the subject of data protection, this DPA prevails.

1. Definitions and roles

Terms such as personal data, processing, data subject, controller, processor, sub-processor, personal-data breach and supervisory authority have the meanings given to them in the GDPR; where the PDPA applies, “controller” corresponds to data user and “processor” corresponds to data processor under the PDPA. The terms are used interchangeably in this DPA.

For ESG and operational data the Client uploads about its own organisation and people, the Client is the controller (data user) and JRC is the processor (data processor). JRC processes such personal data only on the Client’s documented instructions, which comprise this DPA, the Commercial Agreement, the Client’s configuration and use of the Platform’s features, and any further written instructions the Client gives. If JRC considers that an instruction infringes the GDPR, the PDPA or other applicable data-protection law, it will inform the Client (without being obliged to provide legal advice).

2. Subject-matter, duration, nature and purpose

The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex A, which satisfies Article 28(3) GDPR. In summary, JRC processes the Client’s personal data for the duration of the Commercial Agreement, for the sole purpose of providing the Tellus ESG reporting and assurance service in accordance with the Client’s instructions, and not for any purpose of its own.

3. Processor obligations

JRC will, in accordance with Article 28 GDPR and the PDPA:

Documented instructions — process personal data only on the Controller’s documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do otherwise by applicable law; in that case JRC will inform the Controller of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
Confidentiality — ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and limit access to those who need it to provide the service;
Security — implement and maintain the technical and organisational measures required by Article 32 GDPR and the PDPA Security Principle, as described in Annex B, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk to data subjects;
Sub-processors — respect the conditions for engaging another processor set out in section 4;
Assistance with data-subject rights — taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights (including access, rectification, erasure, restriction, portability and objection) under Chapter III of the GDPR and the corresponding rights under the PDPA, and promptly forward to the Controller any such request JRC receives directly;
Assistance with security, breach and DPIAs — assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security of processing, breach notification to the supervisory authority and to data subjects, data-protection impact assessments and prior consultation) and the equivalent PDPA obligations, taking into account the nature of processing and the information available to JRC;
Return or deletion — at the Controller’s choice, delete or return all the personal data to the Controller after the end of the provision of services, and delete existing copies, unless applicable law requires storage of the personal data (section 6);
Audit and information — make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA, and allow for and contribute to audits and inspections (section 8).

JRC also acknowledges that, as a data processor, it owes obligations directly under the PDPA (as amended) — including the Security Principle and the applicable data-breach-notification and data-protection-officer requirements — and that, where the GDPR applies, a processor may be directly liable under Article 82 GDPR; JRC will comply with each.

4. Sub-processors

The Controller grants JRC general written authorisation to engage the sub-processors listed below and in Annex C. JRC will inform the Controller of any intended addition or replacement of a sub-processor in advance, thereby giving the Controller the opportunity to object on reasonable data-protection grounds. If the Controller reasonably objects and JRC cannot accommodate the objection, the Controller may terminate the affected services without penalty. JRC will impose on each sub-processor, by a written contract, data-protection obligations no less protective than those in this DPA (in particular providing sufficient guarantees of appropriate technical and organisational measures), and JRC remains fully liable to the Controller for the performance of each sub-processor’s obligations.

Sub-processor	Service	Location
Supabase	Database, authentication and evidence-file storage	Singapore (AWS ap-southeast-1)
Cloudflare	Application hosting and content delivery	Global edge network
Resend	Transactional email (invitations, password resets, reminders)	Tokyo, Japan

5. International transfers

5.1 PDPA — transfers outside Malaysia

The Controller acknowledges that the Platform’s primary data store is hosted in Singapore and that limited personal data (email addresses and message content for invitations, password resets and reminders) is transferred to Japan via the email sub-processor, while the hosting/CDN sub-processor operates internationally. JRC will ensure that any transfer of personal data outside Malaysia is subject to protections consistent with the PDPA and the applicable Cross-Border Transfer Guideline, including appropriate contractual safeguards with its sub-processors.

5.2 GDPR — transfers outside the EEA/UK

Where the GDPR or UK GDPR applies and personal data is transferred to a country outside the European Economic Area or the United Kingdom that is not the subject of an adequacy decision, such transfer will be governed by the European Commission’s Standard Contractual Clauses (Module Two: controller-to-processor, and Module Three: processor-to-sub-processor, as applicable) set out in Commission Implementing Decision (EU) 2021/914, and, for UK transfers, by the UK Information Commissioner’s International Data Transfer Addendum to those clauses. By entering into this DPA, the parties are deemed to have entered into those Standard Contractual Clauses, which are incorporated by reference; the Controller is the data exporter and JRC is the data importer, and the optional clauses and docking clause apply. Where required, JRC will conduct or assist with a transfer impact assessment and implement supplementary measures (such as encryption) to ensure an essentially equivalent level of protection. In the event of conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses prevail.

6. Return and deletion

On termination or expiry of the services, JRC will, at the Controller’s choice, return or delete the personal data and existing copies within a reasonable period, unless applicable law requires it to retain the data (in which case JRC will protect the confidentiality of that data and process it only as required by that law). Routine deletions made by the Controller within the Platform (for example, deleting evidence) are processed on a scheduled basis. On request, JRC will certify in writing that deletion has taken place.

7. Personal-data breach

JRC will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting the Controller’s personal data, so that the Controller can meet its own statutory deadlines (including the Article 33 GDPR notification to the supervisory authority and the corresponding PDPA notification). The notification will include, to the extent available: the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal-data records concerned); the likely consequences of the breach; the name and contact details of JRC’s data-protection contact; and the measures taken or proposed to address the breach and mitigate its effects. JRC will document the breach and provide further information and reasonable assistance for the Controller to notify the Personal Data Protection Commissioner, the relevant GDPR supervisory authority and affected data subjects.

8. Audit and information

JRC will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR, the PDPA and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice, during normal business hours, no more than once per year (save where required by a supervisory authority or following a breach), and subject to confidentiality, as further described in the Commercial Agreement. JRC may satisfy an audit request by providing relevant third-party certifications or audit reports where these reasonably address the Controller’s request.

9. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service and the Commercial Agreement, save that nothing in this DPA limits any liability that cannot be limited under applicable data-protection law, including a data subject’s rights to compensation under Article 82 GDPR.

10. Governing law

This DPA is governed by the laws of Malaysia. Where the Standard Contractual Clauses apply to a transfer under section 5.2, the governing law and forum for those clauses are as specified within them (and, for the UK Addendum, the law of England and Wales), which prevails for matters arising under those clauses.

Annex A — Details of processing

Item	Detail
Subject matter	Provision of the Tellus ESG reporting and assurance platform
Duration	For the term of the Commercial Agreement and any period during which JRC retains personal data thereafter as permitted by section 6
Nature of processing	Collection, storage, calculation, consolidation, organisation, structuring, reporting, assurance support, evidence storage, user administration, security monitoring, and (on the Controller’s choice) return or erasure
Purpose	To provide the ESG reporting and assurance service to the Controller on its documented instructions, and for no other purpose
Categories of data subjects	The Controller’s employees and representatives who use the Platform; individuals referenced within ESG figures (for example, headcount and health-and-safety data)
Categories of personal data	Names, work contact details and roles; the Client and entities a user is assigned to; sign-in events and the record of who changed what and when; ESG and operational figures; uploaded evidence. The Platform is intended for aggregated figures; the Controller must not submit sensitive personal data / special categories of data (as defined in the PDPA and Articles 9 and 10 GDPR) without the explicit consent or other lawful condition the applicable law requires.
Special categories / sensitive data	None intended. The Platform is not designed to process special-category or sensitive personal data at individual level.
Frequency of transfer	Continuous, for the duration of the service

Annex B — Technical and organisational measures (Article 32 GDPR / PDPA Security Principle)

Encryption of personal data in transit;
Role-based access control, enforced on the server and scoped to each user’s assigned entities (confidentiality and access limitation);
Append-only audit logging of changes — who changed what and when — supporting integrity and accountability;
Validation of uploaded evidence files, including true-file-type detection and rejection of files containing macros or active content;
The ability to lock a reporting year so that assured figures cannot be altered (integrity of the assurance record);
Least-privilege administrative access and logical segregation of each tenant’s data;
Measures to restore the availability of and access to personal data in a timely manner in the event of an incident, and processes for regularly testing and evaluating the effectiveness of these measures.

Annex C — Sub-processors

The current sub-processors are those listed in section 4 above (Supabase, Cloudflare, Resend). JRC maintains this list as the canonical record and notifies Client administrators of changes in accordance with section 4.