Privacy Policy
Last updated: 24 April 2026
Nusax Pte. Ltd. operates Tokatos, a secure workflow platform for professional services firms. This policy explains how we handle personal data as a Data Intermediary under Singapore's Personal Data Protection Act 2012 (PDPA).
1. Distinction Between Personal Data and Corporate Data
It is important to distinguish between Personal Data (protected under the PDPA) and Corporate Data (protected by contractual confidentiality).
- Corporate Data: Information pertaining to corporate entities—including ACRA resolutions, statutory submissions, financial ledgers, and company UENs—is not Personal Data. It is handled with strict confidentiality under our Terms of Use but is not governed by the PDPA.
- Personal Data: The PDPA only protects data relating to an identifiable natural person.
2. Data We Collect & The BCI Exemption
Under the PDPA, Business Contact Information (BCI), such as name, position, business phone, and business email, provided for business purposes is exempt from consent, access, and correction requirements.
- From Firm Staff and Client Staff: We collect your BCI and professional role/permissions to provide secure identity verification and role-based access control (RBAC).
- Automated Processing Data: We process WhatsApp messages, emails, and operational metadata to organize communications, draft documents, execute signature workflows, and power AI-assisted triage.
3. Legal Basis for Processing: Employment & Deemed Consent
Because Tokatos is a B2B enterprise platform, the processing of any non-exempt personal data is strictly tied to business operations.
- Deemed Consent: Consent is deemed to be given because the use of Tokatos is directed by the user's employer (either the professional Firm or the Client company). Interacting with the platform is necessary for the performance of the user's employment or contractual duties.
4. Data Storage, Security & Breach Notification
- All data is stored on Google Cloud Platform, Singapore region (asia-southeast1).
- Data is encrypted at rest (AES-256) and in transit (HTTPS/TLS 1.3).
- Strict database-level Row Level Security (RLS) ensures data isolation between different Firms.
- Data Breach Notification: In the event of a security breach that compromises personal data, Tokatos, acting as a Data Intermediary, will notify the Data Controller (the Firm) without undue delay. It is the sole statutory responsibility of the Data Controller to assess the breach and notify the Personal Data Protection Commission (PDPC) and affected individuals if required by the PDPA.
5. LLM Processing & Model Training Exemption
Tokatos utilizes Enterprise AI services to process documents and messages.
- No Public Model Training: Your Personal Data and Corporate Data are processed securely within isolated environments. We explicitly guarantee via our enterprise agreements with Google Cloud that your data is never used to train public foundation models (such as those used by public ChatGPT or Gemini interfaces).
6. Sub-processors and Data Sharing
We never sell, rent, or trade data. We securely share data only with essential infrastructure sub-processors to operate the Service:
- Meta Platforms (WhatsApp): For message delivery through the WhatsApp Cloud API.
- Google Cloud Platform (Firebase, Vertex AI): For infrastructure hosting, isolated Enterprise AI processing, and encrypted database management (AlloyDB/Cloud SQL).
- SendGrid: For transactional email delivery.
7. Your Rights & How to Opt Out
Under the PDPA, individuals have rights to access, correct, and withdraw consent. However, due to the employment-based nature of Tokatos:
- Correction: Firm staff and Client staff should contact their respective system administrators to update incorrect profile data.
- Opting Out / Deletion: Because using Tokatos is directed by the employer for business continuity, a request to opt out or to delete personal data must be directed to the Data Controller (the Firm or the Client Boss). Tokatos will permanently erase or anonymize data upon direct instruction from the Data Controller.