Data processing terms
Customer data-processing framework.
These terms allocate privacy and security responsibilities when 2Prune processes personal data for a customer.
Effective July 12, 2026.
2Prune, operated by PRUNE PTE. LTD. (UEN: [UEN TO BE INSERTED]). Legal, privacy, and data-protection notices may be sent to hello@2prune.com.
1. Application and roles
These data processing terms form part of the agreement where 2Prune processes personal data on behalf of a customer. The customer is the organization or controller and 2Prune is the data intermediary or processor, except where each party independently determines a processing purpose.
The customer is responsible for the lawfulness of its instructions, assessment purpose, collection, notices, lawful basis, participant rights, and decisions made using assessment evidence.
2. Processing instructions
2Prune will process customer personal data to provide, secure, support, and improve the contracted service; follow documented customer instructions; comply with law; and exercise rights under the agreement. The agreement, assessment configuration, customer use, and support requests constitute documented instructions.
2Prune will notify the customer if an instruction appears to violate applicable data-protection law, unless law prohibits notice, and may suspend the affected processing while the parties resolve the issue.
3. Processing details
Processing may include collection, recording, organization, storage, retrieval, analysis, scoring support, transmission, disclosure to authorized providers, restriction, deletion, and return. Data subjects may include participants, customer personnel, workspace users, and people identified in customer materials.
Data may include identity and contact details, account information, assessment content, submissions, workspace activity, AI interactions, technical records, scores, inferences, messages, and support data. Customers must not provide special-category or highly sensitive data unless expressly agreed in writing.
4. Personnel and security
2Prune will limit data access to personnel and providers with a need to know, subject them to confidentiality duties, and maintain reasonable administrative, technical, and organizational safeguards appropriate to the processing risk.
Customers are responsible for secure account administration, authorized-user access, assessment configuration, lawful exports, and security of systems outside 2Prune's control.
5. Subprocessors
The customer authorizes the providers listed on the Subprocessors page. 2Prune will impose data-protection obligations appropriate to each provider's services and remains responsible for its obligations under these terms.
Where contractually required, 2Prune will give notice before adding a material subprocessor. A customer may object on reasonable data-protection grounds within the stated notice period. The parties will seek a practical resolution, which may include disabling the affected feature or terminating it without penalty.
6. International transfers
2Prune will use legally recognized transfer safeguards where required, including contractual commitments intended to provide protection comparable to Singapore's PDPA and applicable standard contractual clauses. The customer authorizes transfers needed to provide the service subject to those safeguards.
7. Assistance and rights requests
Taking into account the nature of processing and information available, 2Prune will provide reasonable assistance with verified data-subject requests, impact assessments, regulator consultations, security obligations, and breach notifications required for the customer's use of the service. The customer remains responsible for responding as controller.
2Prune may charge reasonable fees for assistance that is unusually burdensome or caused by the customer's acts, except where prohibited by law.
8. Security incidents
2Prune will notify the customer without undue delay after confirming a personal-data breach affecting customer personal data, provide information reasonably available for the customer's assessment, and take reasonable steps to contain and remediate the incident.
Notification is not an admission of fault. The customer is responsible for notices to individuals and regulators unless law places that duty directly on 2Prune.
9. Return, deletion, and audits
On termination or written request, 2Prune will return or delete customer personal data as required by the agreement, subject to legal retention, security records, backup cycles, dispute preservation, and data that has been lawfully de-identified.
2Prune will make information reasonably necessary to demonstrate compliance available under confidentiality. Audits must be proportionate, avoid disruption and exposure of other customers' information, use existing reports first, occur no more than annually unless a confirmed breach or regulator requires otherwise, and be at the customer's expense.
10. Priority and contact
If these terms conflict with the general Terms of use on personal-data processing, these terms control. The liability provisions in the commercial agreement apply to these terms to the maximum extent permitted by law.
For a signed copy, transfer details, or privacy questions, contact 2Prune.