
Annex 1: Subject matter and details of data processing

Notes

This is a part of our Data Processing Agreement (DPA).

Last updated: 13 June 2026

A. List of parties

The data exporter is the Customer, a non-Holistics entity, as defined in the Holistics Terms of Service (Terms) at https://www.holistics.io/terms/. The data importer is Holistics.

| | Data exporter (Customer) | Data importer (Holistics) |
|---|---|---|
| Name | | Holistics Software Pte Ltd |
| Address | | 14 Robinson Road, Far East Finance Building, #08-01A, Singapore 048545 |
| Contact person's name | | (To be added in the final executed agreement) |
| Contact person's position | | (To be added in the final executed agreement) |
| Contact person's email | | (To be added in the final executed agreement) |
| Role | Controller or Processor, determined by operation of the clause below | Processor |
| Activities relevant to the data transferred under these Clauses | Processing of Personal Data in connection with Customer's use of the Holistics Subscription Services under the Holistics Terms of Service ("Terms"). | Processing of Personal Data in connection with Customer's use of the Holistics Subscription Services under the Holistics Terms of Service ("Terms"). |

Customer role:

Customer's role, and therefore the applicable transfer mechanism, is determined by the actual nature of Customer's processing under applicable Data Protection Laws. No box needs to be checked, and an unstated role does not affect the protections that apply:

  • Where, and to the extent that, Customer acts as a controller, EU SCC Module 2 (Controller to Processor) applies under Annex 4: EU SCC.
  • Where, and to the extent that, Customer acts as a processor on behalf of one or more third-party controllers (for example, in embedded analytics deployments), EU SCC Module 3 (Processor to Processor) applies under Annex 4: EU SCC.
  • Where Customer's processing is subject to the UK GDPR, the UK SCC applies under Annex 5: UK SCC, regardless of whether Customer is a controller or processor.

Where Customer's role is mixed (controller for some personal data, processor for other personal data), each mechanism applies to the corresponding processing.

For Module 3 (Processor to Processor), the controller(s) on whose behalf Customer processes the personal data are the controllers identified by Customer; where not separately identified, they are the controllers on whose behalf Customer connects the relevant Customer Database to the Subscription Services. Customer will, on Holistics' reasonable request, supply the information about such controllers that the GDPR requires Holistics to maintain.

B. Description of transfer

Data subjects

The personal data transferred concern data subjects in the following two main categories:

  1. Customer End Users of the Holistics Subscription Service, mainly the employees of the Data Exporter, and other individuals who have been invited to access the Holistics Subscription Service in their customer account. This also includes users who have submitted their contact details through the Holistics website.

  2. Data subjects whose data is stored in the Exporter's database connected to the Holistics application servers that may contain Personal Data.

Categories of data

  1. Holistics Metadata and Usage Data (From Customer End Users)

    The personal data transferred concern personal data, software license checks, audit trails, website usage information (URLs accessed, time of access, browser type, IP address), email data, metadata on reports and dashboards, data source schemas, encrypted data source connection credentials, and other electronic data submitted, stored, sent, or received by users of the Subscription Service.

  2. Temporary Cached Query Results from the Customer (Exporter)'s database

    Once the Customer's database is connected to the Holistics server, the Holistics cache temporarily retains data from the database that is fetched in response to a user's report queries. The Exporter can reduce the amount of time that query results are held in cache (minimum of 10 minutes).

    The categories of personal data within these results are determined and controlled solely by the Customer (the data exporter). Holistics does not control, and is not in a position to know, the specific categories of personal data the Customer queries through the Service. This data relates to the second category of data subjects described above (those whose data is stored in the Exporter's database), limited to the records returned by the Customer's queries.

    When a dashboard widget is exported to an Excel/CSV file, the file will also be temporarily stored in Holistics' file storage system.

  3. AI Interaction Data (from Customer End Users who use AI-powered features)

    Where the Customer enables Holistics' AI-powered features, the data transferred to the AI (LLM) Sub-processors listed in Annex 3 comprises the inputs the Customer chooses to share through its AI settings: object metadata (always), and, where enabled by the Customer, a small sample of source column values and chart result data. To the extent any of this data contains Personal Data, its categories are determined and controlled solely by the Customer. The data accessed by each feature and the controls available to the Customer are described at https://docs.holistics.io/docs/ai/data-access-and-policy.

Sensitive data transferred and applied restrictions or safeguards

The parties do not anticipate the transfer of sensitive data. In the event sensitive data is stored in Customer's Database, Customer has the flexibility to restrict or isolate sensitive data from the database user credential account that is used to connect to Holistics Software.

Frequency of the transfer

On a continuous basis, each time a dashboard or query is loaded by a user or executed by a scheduled job configured by the Customer.

Purpose of the transfer and further processing

Holistics will process data for the purposes of providing the Subscription Services to Customer in accordance with the Holistics Terms of Service ("Terms").

Where the Customer enables AI-powered features, the purpose also includes transmitting the data described above to the AI (LLM) Sub-processors listed in Annex 3 to generate the requested AI responses, subject to the protections set out in this DPA and that Annex.

Period for which data will be retained

Temporary Cached Query Results will be stored for a minimum of 10 minutes (or higher) from the time the dashboard is first accessed.

Exported files (Excel/CSV downloads) are stored for up to 24 hours before they expire automatically.

Holistics Metadata and Usage Data (From Customer End Users) will be removed after 180 days after the Term expires, or earlier upon request by Customer.

AI Interaction Data (conversations with AI-powered features) is encrypted at rest and retained for 30 days, after which it expires and is deleted.

Competent supervisory authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either:

  1. Where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer's compliance with the GDPR;
  2. Where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer's representative is established; or
  3. Where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located.

In relation to Data Processed that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).

Signature:
Name: (completed on signing)
Designation: (completed on signing)
Holistics Software Pte Ltd
Date: (completed on signing)
Signature:
Customer Name: (completed on signing)
Designation: (completed on signing)
Company: (completed on signing)
Date: (completed on signing)
