This Data Processing Policy (“Data Processing Policy”) outlines the principles and practices by which Score Financial Pte. Ltd. (“Score”) collects, uses, discloses, transfers, stores, and protects data provided or made available by Clients in the course of using Score’s suite of business and technology solutions (the “Services”). This Policy applies to all Client Data processed by Score, whether directly provided by the Client or indirectly obtained through the Client’s authorised Users, integrations, or third-party systems. By accessing or using the Services, or by submitting any Client Data to or through the Platform, the Client and its Users confirm that they have read, understood, and agreed to the terms of this Policy and consent to the processing of Client Data in accordance with its provisions.

1. Definitions

For the purposes of this Data Processing Policy, the following terms shall have the meanings set forth below: “Services” means the suite of business and technology solutions provided by Score, including all related functionalities, platforms, systems, applications, and tools. “Score” means Score Financial Pte. Ltd., a company incorporated in Singapore, including its subsidiaries, affiliates, and related entities, where applicable. “Platform” means the digital infrastructure, interfaces, systems, and related technologies provided by Score through which Clients access the Services, including but not limited to web applications, API, and administrative portals. “User” means any individual who accesses or uses the Services, whether on their own behalf or on behalf of a Client. “Client” means any business entity or organisation that has entered into a Service Agreement with Score and uses the Services for commercial or internal business purposes. “Service Agreement” means the legally binding agreement entered into between Score and the Client, governing the access to and use of the Services by the Client and its Users. “Client Data” means all data, records, or information relating to the Client that is provided to, accessed by, or otherwise obtained by Score in connection with the Services. Client Data includes, but is not limited to, Banking Data, Transaction Data, Corporate Data, and Financial Data. “Banking Data” means any account, transaction, balance, or identity-related data retrieved directly from the Client’s bank or financial institution through authorised APIs or integrated channels. “Transaction Data” means financial information relating to the Client’s business activities other than Banking Data, including but not limited to invoices, payment histories, accounting records, and tax-related documents. “Corporate Data” means information related to the legal, structural, or operational aspects of the Client, including but not limited to incorporation documents, shareholder registers, director details, and business registration information. “Financial Data” means financial statements, performance reports, credit histories, and other financial indicators or metrics of the Client not otherwise classified as Banking Data, Transaction Data, or Corporate Data. “Consent” means any voluntary, specific, informed, and unambiguous indication of the Client’s agreement to the collection, use, and disclosure of Client Data, provided through a statement or affirmative action. “Applicable Law” means all applicable statutes, regulations, rules, directives, guidelines, and legal requirements of any jurisdiction relevant to the performance of obligations or the exercise of rights under this Policy or any related Service Agreement, including but not limited to the laws of the Republic of Singapore. “PDPA” means the Personal Data Protection Act 2012 of Singapore, as amended from time to time, which governs the collection, use, disclosure, and protection of personal data by private organisations. “ETA” means the Electronic Transactions Act 2010 of Singapore, as amended from time to time, which provides for the legal recognition of electronic records, electronic communications, electronic contracts, and electronic signatures. “MAS” means the Monetary Authority of Singapore, established under the Monetary Authority of Singapore Act 1970, which serves as Singapore’s central bank and financial regulatory authority. “ACRA” means the Accounting and Corporate Regulatory Authority of Singapore, established under the Accounting and Corporate Regulatory Authority Act 2004, which serves as the national regulator of business entities, public accountants, and corporate service providers in Singapore. “GST” means Goods and Services Tax, as imposed under the laws of Singapore on the supply of goods and services, including where applicable to transactions arising under this Policy or the Service Agreement.

2. Client Data Collection

2.1 Direct Collection from Clients

Score may collect Client Data directly from the Client or its Users through various means, including but not limited to: a. Completion of onboarding forms, registration processes, or account setup procedures; b. Submission of data through the Platform, APIs, or integrated systems; c. Provision of documents, files, or records required for service activation or verification; d. Direct communications via email, support channels, or customer engagement tools; e. Execution of or amendments to a Service Agreement.

2.2 Automated Collection via Services

In the course of using the Services, certain Client Data may be collected automatically through technical means, such as: a. System logs and audit trails generated during Client use of the Platform; b. Metadata associated with uploaded files or records; c. Access records, including timestamps, IP addresses, and device information; d. API interactions and data synchronised from authorised third-party systems.

2.3 Third-Party and Integrated Sources

Where authorised by the Client or as required to perform the Services, Score may collect or retrieve Client Data from third-party sources or integrations, including but not limited to: a. Financial institutions and banking partners via secure APIs or data feeds; b. Government or regulatory databases (e.g., corporate registries, tax authorities); c. Third-party platforms used by the Client (e.g., accounting software, ERP systems); d. Publicly available sources, where relevant and lawful.

2.4 Limitations on Collection

Score collects only the Client Data that is reasonably necessary for the purposes described in this Policy or as required under the Service Agreement or Applicable Law. Clients are responsible for ensuring that any Client Data provided to Score is accurate, lawful, and authorised for processing.

3. Client Data Types

Score processes various categories of Client Data to facilitate the delivery, support, and enhancement of the Services. The data types processed may include, but are not limited to, the following:

3.1 Banking Data

Information retrieved, with the Client’s authorisation, from licensed financial institutions, including: a. Bank account identifiers and account holder information; b. Transaction histories, bank statements, and account balances; c. Details of credit facilities, overdrafts, or loan repayments; d. Data obtained through secure APIs or integrated banking channels.

3.2 Transaction Data

Business-related financial information captured or imported through the Services, such as: a. Invoices, receipts, and payment instructions; b. Tax documents, including GST submissions and IRAS filings; c. Sales, procurement, and revenue data; d. General ledger entries and bookkeeping records.

3.3 Corporate Data

Information related to the Client’s legal and operational identity, including: a. Company registration details and business profiles obtained from regulatory sources such as ACRA; b. Shareholder, director, and officer information; c. Company constitutions, board resolutions, and other governance documents; d. Regulatory licenses, permits, and statutory filings.

3.4 Financial Data

Additional financial information not otherwise classified above, which may include: a. Profit and loss statements, balance sheets, and cash flow reports; b. Budget forecasts, financial models, and internal performance reports; c. Credit reports and financing applications; d. Third-party evaluations, such as auditor reports or financial due diligence documentation.

3.5 Derived or Analytical Data

Insights or metrics generated by Score based on Client Data, including: a. Financial trend analysis, liquidity ratios, and performance indicators; b. Credit assessments, risk profiling, and funding readiness evaluations; c. Benchmarking data and interactive dashboards.

4. Client Data Purpose and Use

Score collects, processes, and uses Client Data solely for purposes that are lawful, reasonable, and necessary in connection with the provision and support of the Services. These purposes include, but are not limited to, the following:

4.1 Service Provision and Delivery

a. To provide, operate, and maintain the Services as agreed under the Service Agreement; b. To facilitate Client onboarding, system integration, and user account setup; c. To retrieve and process data from third-party platforms or financial institutions as authorised by the Client; d. To generate reports, analytics, and dashboards within the Services.

4.2 Client Relationship Management

a. To communicate with Clients and their Users regarding service usage, updates, and administrative matters; b. To manage service tickets, troubleshooting, or other support-related interactions; c. To personalise the user experience and configure Service settings based on Client needs.

4.3 Data Analysis and Insights

a. To analyse Client Data for the generation of insights, trends, or recommendations; b. To produce derived or aggregated analytics for financial risk scoring, benchmarking, or strategic planning; c. To improve the accuracy, relevance, and performance of Score’s data-driven features. a. To comply with Applicable Law, regulations, and regulatory guidance in Singapore or other relevant jurisdictions; b. To respond to lawful requests from regulatory authorities, including MAS, ACRA, or IRAS; c. To detect, investigate, and prevent fraud, abuse, or unauthorised access to the Services.

4.5 Internal Operations and Service Improvement

a. To conduct audits, data quality checks, and system diagnostics; b. To test, develop, and enhance the Services, including improvements to algorithms, interfaces, and security protocols; c. To ensure operational resilience, reliability, and scalability of the platform infrastructure. Score may also use Client Data for other specific purposes for which the Client has provided prior Consent, or where such use is reasonably related to the primary purposes listed above and is permitted under Applicable Law.

5. Client Data Disclosure

Score may disclose Client Data to third parties only where such disclosure is necessary to deliver the Services, perform obligations under the Service Agreement, comply with Applicable Law, or otherwise support legitimate business purposes as set out in this Policy.

5.1 Categories of Recipients

Client Data may be disclosed to the following categories of recipients: a. Users – Individuals authorised by the Client to access and use the Services on the Client’s behalf, including employees, officers, and agents; b. Service Providers – Third-party vendors engaged by Score to provide infrastructure, hosting, analytics, customer support, cybersecurity, or other operational capabilities in connection with the Services; c. Integration Partners – External platforms, systems, or financial institutions connected to the Services by or on behalf of the Client, whether through APIs or other technical integrations; d. Professional Advisors – Legal counsel, auditors, accountants, and consultants appointed by Score under appropriate confidentiality obligations for the purpose of obtaining professional advice or conducting audits or investigations; e. Regulatory and Government Authorities – Public agencies, regulatory bodies, or law enforcement authorities where disclosure is required under Applicable Law or upon receipt of a lawful order or directive; f. Affiliates and Successors – Subsidiaries, related entities, or successor organisations of Score in connection with a merger, acquisition, corporate restructuring, or transfer of business assets, provided that such entities are bound by data protection obligations substantially equivalent to those in this Policy.

5.2 Conditions for Disclosure

Any disclosure of Client Data shall be subject to the following conditions: a. The disclosure shall be limited to the minimum extent necessary to fulfil the specified purpose; b. The recipient shall be contractually or legally bound to maintain the confidentiality, security, and integrity of the Client Data; c. The handling of Client Data by the recipient shall be in compliance with this Policy and all Applicable Law, including the PDPA where relevant.

5.3 No Unauthorised Commercial Use

Score does not sell, license, rent, or otherwise disclose Client Data to third parties for advertising, marketing, or commercial exploitation purposes. Client Data shall not be disclosed to any third party except as permitted under this Policy or with the prior Consent.

6. Client Data Transfer

Score may transfer, store, or process Client Data in jurisdictions outside of Singapore where such transfer is necessary for the provision of the Services, the performance of obligations under the Service Agreement, or to comply with Applicable Law. All such transfers are conducted with appropriate safeguards to maintain the confidentiality, integrity, and security of Client Data.

6.1 Cross-Border Transfers

Client Data may be transferred to, accessed from, or stored in locations outside of Singapore, including where: a. Score’s systems, servers, or data centres are hosted or managed by third-party providers located overseas; b. Third-party Service Providers or Integration Partners are based outside Singapore or operate from multiple jurisdictions; c. Cross-border access is required for operational support, system administration, analytics, or business continuity purposes; d. Disclosure is required to comply with foreign legal or regulatory obligations.

6.2 Safeguards for Overseas Transfers

In all cases where Client Data is transferred across borders, Score shall implement reasonable and appropriate safeguards to ensure continued protection of the data. These safeguards may include: a. Contractual arrangements with recipients to impose data handling obligations that meet Score’s standards of confidentiality, integrity, and access control; b. Technical and organisational measures to protect data during transmission and storage, including encryption, access controls, and audit logging; c. Due diligence and periodic assessments of third-party systems or vendors handling such data; d. Where Client Data contains Personal Data, Score shall ensure compliance with the PDPA and any other Applicable Law governing such data.

6.3 Client Responsibilities

The Client is responsible for ensuring that any instructions to transfer Client Data to third parties, including through integrations or external connections, comply with Applicable Law and that all necessary consents, notices, or authorisations have been obtained where required.

7. Client Data Security

Score implements a combination of administrative, technical, and physical safeguards designed to protect Client Data against unauthorised access, alteration, disclosure, or destruction. These security measures are aligned with recognised industry standards and are proportionate to the nature, sensitivity, and volume of Client Data processed.

7.1 Security Measures

Security measures employed by Score may include, but are not limited to: a. Access Controls – Role-based access, multi-factor authentication, and least-privilege access principles to restrict access to Client Data; b. Data Encryption – Encryption of Client Data in transit and at rest using industry-standard protocols and technologies; c. Network and Infrastructure Security – Use of firewalls, intrusion detection/prevention systems (IDS/IPS), virtual private networks (VPNs), and secure hosting environments; d. System Hardening and Monitoring – Regular patching, configuration reviews, endpoint protection, and continuous monitoring of systems for anomalies or threats; e. Audit Logging – Logging and review of access, changes, and transactions involving Client Data for accountability and traceability; f. Secure Software Development – Adherence to secure coding practices and regular vulnerability assessments during system development and updates.

7.2 Organisational and Administrative Safeguards

a. Staff Training and Awareness – All personnel with access to Client Data are trained on data protection obligations, confidentiality, and information security; b. Confidentiality Obligations – Internal and third-party personnel are subject to confidentiality agreements and access restrictions appropriate to their roles; c. Incident Response Planning – Score maintains an incident response plan to detect, respond to, and recover from security incidents involving Client Data.

7.3 Security Assessments and Certifications

Score conducts periodic internal and third-party assessments of its systems and controls to ensure ongoing effectiveness of its security framework. Where applicable, Score may maintain certifications or compliance with recognised standards, including: a. ISO/IEC 27001 – Information Security Management System (ISMS); b. SOC 2 (Type I and/or Type II) – Security, availability, and confidentiality principles; c. Other security attestations relevant to Score’s operations and Services.

7.4 Limitations

While Score implements industry-standard security measures and regularly reviews its practices, no method of electronic transmission or storage is entirely secure. The Client acknowledges that there are inherent risks in digital environments and agrees to take appropriate steps to secure its own systems and credentials when using the Services.

8. Client Data Accuracy

Score relies on the accuracy and completeness of Client Data to provide effective and reliable Services. Accordingly, the Client is responsible for ensuring that all Client Data submitted, transmitted, or made available to Score is accurate, current, and complete to the best of its knowledge.

8.1 Client Obligations

The Client agrees to: a. Provide accurate and up-to-date Client Data at the time of submission; b. Promptly notify Score of any changes or corrections to previously submitted Client Data; c. Ensure that any data retrieved or integrated through third-party systems or platforms under the Client’s control is reliable and legally obtained; d. Take reasonable steps to verify the accuracy of data before it is submitted through the Services.

8.2 Score’s Efforts

While Score does not independently verify all Client Data, Score may, where reasonably necessary: a. Conduct limited reviews of submitted data for completeness or consistency; b. Request clarification or updated information from the Client; c. Apply automated or manual checks to identify obvious anomalies or errors that may affect the performance of the Services.

8.3 Consequences of Inaccurate Data

The Client acknowledges that the accuracy of the Services and any outputs, reports, or analyses depends on the quality of the underlying Client Data. Score shall not be responsible for any errors, omissions, or adverse outcomes resulting from the Client’s failure to provide accurate, current, or complete data.

9. Client Data Retention

Score retains Client Data only for as long as necessary to fulfil the purposes outlined in this Policy or as required under Applicable Law or the Service Agreement. Upon termination or expiry of the Service Agreement, Score may retain certain Client Data for legal, regulatory, or operational continuity purposes, subject to safeguards consistent with this Policy.

10. Client Data Breach Notification

Score maintains controls and procedures to detect, respond to, and mitigate actual or suspected breaches involving Client Data. In the event of a security incident that compromises the confidentiality, integrity, or availability of Client Data, Score will take prompt and appropriate action.

10.1 Breach Detection and Response

Upon becoming aware of a suspected or confirmed breach involving Client Data, Score shall: a. Investigate and assess the nature, scope, and impact of the breach; b. Contain the incident to prevent further unauthorised access or disclosure; c. Identify the root cause and implement corrective measures to address vulnerabilities or system failures.

10.2 Notification to Client

Where the breach is assessed to pose a material risk to the Client’s use of the Services or the confidentiality of Client Data, Score will notify the Client without undue delay. Such notification will include, where available: a. A general description of the breach and the types of Client Data affected; b. The date or estimated date of the breach and how it was discovered; c. Steps taken or planned by Score to mitigate the breach and prevent recurrence; d. Recommendations for the Client to assess or mitigate any potential impact.

10.3 Ongoing Communication and Remediation

Score will cooperate with the Client to respond to and manage the impact of the breach, including: a. Providing updates as new information becomes available; b. Supporting reasonable investigations or audits initiated by the Client in accordance with the Service Agreement; c. Reviewing and updating relevant processes, safeguards, and response protocols to enhance future resilience.

10.4 Limitation

Score’s obligation to notify the Client does not apply to incidents that do not result in unauthorised access to, or disclosure of, Client Data, or where the breach is promptly contained and determined to have no material impact. The Client, by entering into a Service Agreement with Score and by using the Services, provides express consent to the collection, use, disclosure, and processing of Client Data as set out in this Policy. Such consent is deemed to be given on behalf of the Client and its Users. The Client acknowledges and agrees that: a. It has the authority to provide Client Data to Score for the purposes outlined in this Policy and the Service Agreement; b. It has obtained any necessary permissions, consents, or authorisations from relevant internal or external parties before submitting or integrating Client Data with the Services; c. It consents to Score processing Client Data through third-party Service Providers, systems, or integrations, subject to the safeguards described in this Policy. The Client is responsible for ensuring that its Users have been informed of and consent to the processing of any data they submit through the Services, and that such processing is consistent with the Client’s own policies and applicable obligations under Applicable Law. The Client may withdraw its consent to the processing of Client Data by terminating the use of the Services in accordance with the terms of the Service Agreement. Withdrawal of consent may affect the Client’s ability to access or use the Services in whole or in part.

11.4 Limitations on Withdrawal

Withdrawal of consent does not: a. Affect the lawfulness of processing conducted prior to the withdrawal; b. Relieve the Client or Score of their respective obligations under the Service Agreement or Applicable Law; c. Prevent Score from retaining or processing Client Data where required for legal, regulatory, or business continuity purposes.

12. Client Rights and Requests

Score recognises that the Client retains ownership and control over its Client Data and may exercise certain rights in respect of such data, subject to the terms of this Policy, the Service Agreement, and Applicable Law.

12.1 Access to Client Data

Upon written request, the Client may request access to Client Data submitted to or maintained by Score in connection with the Services. Score will provide such access within a reasonable period, provided that: a. The request is made by an authorised representative of the Client; b. The request does not compromise the security or privacy of other clients or third parties; c. The data is still in Score’s possession or control and not subject to legal or operational retention constraints.

12.2 Correction or Update of Client Data

The Client may request corrections or updates to Client Data where it identifies inaccuracies or outdated information. Score will make reasonable efforts to support the Client in updating such data, including by: a. Enabling self-service updates through the Platform where applicable; b. Processing manual update requests submitted through designated support channels; c. Coordinating with Integration Partners or third-party data sources where relevant.

12.3 Restrictions on Processing

The Client may request that Score restrict or suspend the processing of certain Client Data, where: a. The processing is not required for Score to perform its obligations under the Service Agreement; b. Such restriction does not interfere with Score’s legal or regulatory obligations; c. The restriction is technically feasible and clearly defined in scope and duration.

12.4 Data Portability and Export

Score may, at the Client’s request, provide a copy of the Client Data in a structured and commonly used format, to the extent such data is stored by Score in a format reasonably capable of being exported and transferred.

12.5 Handling of Requests

All Client rights-related requests must be submitted through Score’s designated support or data request channels. Score may take steps to verify the identity and authority of the requestor before acting on the request. Response times and procedures may vary depending on the complexity and scope of the request.

13. Data Processing Policy Modification

13.1 Right to Modify

Score reserves the right to amend, update, or otherwise modify this Data Processing Policy from time to time, including to reflect changes in the Services, Applicable Law, regulatory requirements, or Score’s internal policies, risk management frameworks, or business operations.

13.2 Notice of Amendments

Where required under Applicable Law, Score shall provide reasonable advance notice to Clients of any material amendments to this Data Processing Policy. Such notice may be provided through the Platform, email, or other communication channels designated by Score.

13.3 Client Acceptance

Continued access to or use of the Services following the effective date of any amendment shall constitute the Client’s acceptance of the revised Data Processing Policy. If a Client does not agree to the amended terms, its sole and exclusive remedy shall be to discontinue use of the Services.

13.4 No Retroactive Effect

No amendment to this Data Processing Policy shall have retroactive effect unless expressly stated by Score in the relevant amendment notice or as required under Applicable Law.

14. Governing Law

This Data Processing Policy shall be governed by, and construed in accordance with, the laws of the Republic of Singapore. Any disputes arising out of or in connection with this Data Processing Policy, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Singapore.

15. Electronic Transactions

By accessing or using the Services, the Client and its Users consent to receive communications, notices, and documents from Score in electronic form, including via email, phone, or system-generated notifications. Such communications shall have the same legal effect as if they were provided in physical form.

15.2 Use of Electronic Records and Signatures

Where permitted under Applicable Law, electronic records and electronic signatures used in connection with the Services, the Service Agreement, or any related documents shall be valid and enforceable, and shall carry the same legal effect as handwritten signatures or paper-based documentation. This Data Processing Policy is intended to be consistent with the requirements of the Electronic Transactions Act 2010 of Singapore and other applicable electronic commerce laws and frameworks.

16. Confidentiality

16.1 Treatment of Client Data

Score acknowledges that Client Data may contain non-public, sensitive, or proprietary information. Score shall treat such Client Data as confidential and shall not use or disclose it except as necessary to provide the Services, comply with Applicable Law, or fulfil its obligations under this Policy or the Service Agreement.

16.2 Internal Use and Access Controls

Client Data may be accessed within Score by personnel who require such access for legitimate business, operational, or compliance purposes, provided that such personnel are subject to appropriate confidentiality obligations.

16.3 Third-Party Obligations

Where Score engages third-party Service Providers, Integration Partners, or advisors to support the delivery or operation of the Services, Score shall take reasonable steps to ensure that such parties are contractually obligated to maintain the confidentiality of Client Data and to use such data solely for the intended purpose.

16.4 Exceptions

Nothing in this Section shall restrict Score’s right to: a. Use or disclose Client Data where required by law, regulation, or court order; b. Process or analyse anonymised or aggregated data that does not identify the Client; c. Fulfil its obligations or enforce its rights under the Service Agreement.

16.5 No Limitation on Agreement Terms

This Section is intended to supplement, and not override, any confidentiality obligations set out in the Service Agreement or other binding legal arrangements between the Client and Score.

17. Contact

For any questions, concerns, or communications regarding this Data Processing Policy or the handling of Client Data, please contact Score using the details below:

17.1 Data Protection Officer

Email: support@scorefintech.com All correspondence should include the Client’s registered entity name and relevant contact information to facilitate a timely response.