Data Processing Addendum

Updated as at June 19, 2026.

This Data Processing Addendum ("DPA") forms part of, and is subject to, the Terms of Service (the "Agreement") between Mykongsi Sdn Bhd (Company No. 202101039178 (1439478-A)) ("IMPACT", "we", "us") and the customer that has accepted the Agreement ("Customer", "you"). It governs the processing of Personal Data by IMPACT on the Customer's behalf in connection with the Services. Where this DPA conflicts with the Agreement on the subject of data protection, this DPA prevails.

1. Scope & Roles

1.1 For Personal Data that the Customer submits to or processes through the Services ("Customer Personal Data"), the Customer is the data controller (or equivalent, such as "data user" under the Malaysian PDPA) and IMPACT is the data processor (or equivalent, such as "data processor" under the PDPA), processing Customer Personal Data only on the Customer's documented instructions.

1.2 IMPACT's own collection and use of personal data as a controller (for example, account administration and the data described in our Privacy Notice) is governed by the Privacy Notice, not this DPA.

2. Definitions

Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in the applicable data protection laws, including the Malaysian Personal Data Protection Act 2010 ("PDPA") and, where applicable, the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act as amended ("CCPA/CPRA"). "Applicable Data Protection Law" means all such laws applicable to the processing under this DPA.

3. Processing of Personal Data

3.1 Instructions. IMPACT processes Customer Personal Data only to provide the Services and as otherwise instructed by the Customer in writing (including through use of the Services), and as required by applicable law. IMPACT will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

3.2 Details of processing. The subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I.

3.3 Confidentiality. IMPACT ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as needed to perform their duties.

3.4 No sale of data. IMPACT does not sell or share Customer Personal Data and does not process it for any purpose other than providing the Services.

4. Security Measures

IMPACT implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, as described in Annex II. IMPACT may update these measures provided the level of protection is not materially reduced.

5. Sub-processors

5.1 The Customer provides general authorisation for IMPACT to engage sub-processors to process Customer Personal Data. The current sub-processors are listed in Annex III.

5.2 IMPACT imposes data protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for each sub-processor's performance of its obligations.

5.3 IMPACT will give the Customer reasonable prior notice of any intended addition or replacement of a sub-processor (for example, by updating Annex III and/or the Trust Center), giving the Customer the opportunity to object on reasonable data-protection grounds.

6. Data Subject Rights & Assistance

6.1 Taking into account the nature of the processing, IMPACT assists the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights (access, correction, deletion, restriction, portability, and objection, as applicable under Applicable Data Protection Law).

6.2 If IMPACT receives a request from a Data Subject relating to Customer Personal Data, it will, unless legally prohibited, direct the Data Subject to the Customer and/or promptly notify the Customer rather than respond directly.

6.3 IMPACT also assists the Customer, taking into account the information available to it, with data protection impact assessments and prior consultations where required.

7. Personal Data Breach

IMPACT notifies the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provides information reasonably available to it to help the Customer meet its own notification obligations to regulators (including the Malaysian Personal Data Protection Commissioner / JPDP and, where applicable, EU/UK supervisory authorities) and to affected Data Subjects. IMPACT's incident handling is described in our internal incident-response procedure.

8. International Transfers

Customer Personal Data may be processed in, or transferred to, locations outside the Customer's country, including where IMPACT or its sub-processors maintain facilities. Where such transfers are subject to Applicable Data Protection Law, they are made on a lawful basis — including, as applicable, the Customer's instructions and consent, the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), or another approved mechanism — together with appropriate supplementary measures. The relevant transfer mechanism for each sub-processor is reflected in Annex III.

9. Audit

IMPACT makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and subject to confidentiality, allows for and contributes to audits — which may be satisfied by IMPACT providing third-party certifications, attestation reports, or summaries (for example, penetration-test summaries or, when available, an ISO/IEC 27001 certificate or SOC 2 report) where these adequately address the Customer's request.

10. Return & Deletion

On termination of the Services, and on the Customer's request, IMPACT deletes or returns Customer Personal Data in accordance with the Agreement, save to the extent retention is required by applicable law. Residual copies in routine backups are deleted in line with IMPACT's backup-retention cycle.

Annex I — Details of Processing

  • Subject matter: provision of the IMPACT performance-management and related Services.
  • Duration: the term of the Agreement, plus any legally required retention period.
  • Nature & purpose: hosting, storage, and processing of Customer data to deliver the Services and their features (including AI-assisted features where enabled).
  • Types of Personal Data: account and profile details, contact information, usage and transaction data, and any Personal Data the Customer or its users choose to submit. Payment-instrument data is handled by PCI-DSS-certified payment providers and is not stored on IMPACT's servers.
  • Categories of Data Subjects: the Customer's authorised users, employees, members, and contacts.

Annex II — Security Measures

  • Encryption of data in transit (TLS) and at rest at the infrastructure layer.
  • Access control on least-privilege and need-to-know principles, with authentication via the platform identity provider.
  • Logical tenant isolation between customer workspaces.
  • Secrets held in a managed secret store, not in source code.
  • Logging and monitoring of privileged and security-relevant events.
  • Regular patching, backups, and an incident-response process.
  • Independent security testing (penetration testing) of the platform.

These measures reflect IMPACT's current security posture and may be updated provided protection is not materially reduced. Public details are summarised on the Trust Center.

Annex III — Sub-processors

Sub-processor | Purpose | Processing location | Transfer mechanism
Google Cloud (Google Asia Pacific / LLC) | Cloud hosting and infrastructure | Per region of deployment | SCCs / provider DPA
Anthropic | AI-assisted features (Claude models) | United States | SCCs / provider DPA; API inputs not used to train models
Tavily | Search/retrieval for AI features | United States | SCCs / provider DPA
Stripe | Payment processing (Marketplace) | United States / region of operation | SCCs / provider DPA; PCI-DSS certified

This list is maintained as the Services evolve; the current version supersedes earlier versions and may also be surfaced on the Trust Center. Material additions are notified per Section 5.

-End of Document-