Monoko · Legal

Data Processing Addendum

Enterprise B2B controller-processor agreement.

Updated May 17, 2026 · Effective 1 Jun 2026

MONOKO — DATA PROCESSING ADDENDUM (DPA)

Last Updated: 2026-05-17
Effective Date: 1 June 2026

This Data Processing Addendum ("DPA") forms part of the Monoko Terms and Conditions of Service (Main) V4 (the "Terms") between AEDOWON SINGAPORE PTE. LTD. (UEN 202612161D, "Monoko", "Processor") and You (the "Customer", "Controller") and applies where You submit personal data of third parties as Input to the Service such that Monoko processes that personal data on Your behalf.

This DPA satisfies:

  • Thailand PDPA §40 written processor-contract requirement
  • GDPR Art 28(3) processor contract requirement
  • UK GDPR Art 28(3)
  • Other applicable processor-contract laws

PLAIN LANGUAGE: This DPA covers what happens when You upload customer audience lists, contact lists, or third-party personal data into Monoko. You are the Controller of that data; Monoko processes it on Your instructions as Your Processor. This DPA sets out our processor obligations.


1. DEFINITIONS

Capitalized terms not defined here have the meaning given in the Terms or in the GDPR / Thailand PDPA, as applicable.

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor" — meanings given in GDPR Art 4 / Thailand PDPA §6.
  • "Customer Personal Data" — Personal Data submitted by Customer as Input or otherwise made available to Monoko in the course of providing the Service, where Customer is the Controller and Monoko is the Processor.
  • "Services" — the Monoko AI Ads Studio service governed by the Terms.
  • "Standard Contractual Clauses" / "SCCs" — the standard contractual clauses approved by the European Commission Decision 2021/914 and analogous clauses approved by the Thailand PDPC.

2. SCOPE AND ROLES

2.1 Application. This DPA applies only where Customer uploads or otherwise submits Personal Data of third parties as Input, audience data, contact lists, leads, or employee data and instructs Monoko to process such Personal Data in the course of providing the Service.

2.2 Controller / Processor Roles. For Customer Personal Data:

  • Customer acts as the Controller.
  • Monoko acts as the Processor on Customer's documented instructions.

2.3 Other Personal Data. For account-level Personal Data of the Customer's account holders (User identity, billing, authentication, security telemetry), Monoko acts as Controller per our Privacy Notice. This DPA does not apply to that data.


3. SUBJECT-MATTER AND DURATION

3.1 Subject-matter. Processing by Monoko, as Processor, of Customer Personal Data for the purposes of providing the Service.

3.2 Duration. For the term of Customer's active subscription plus the retention periods set out in the Privacy Notice and §10 below.


4. NATURE AND PURPOSE OF PROCESSING

Monoko shall process Customer Personal Data for the following purposes only:

(a) hosting, storing, indexing, transmitting;

(b) transforming via AI inference (text generation, image generation, audio synthesis, video generation);

(c) returning Outputs to Customer;

(d) generating ad creatives, marketing copy, and audience lists for Customer's use;

(e) (where instructed by Customer) onward transfer to advertising platforms (Meta, Google, TikTok, LINE, etc.) selected by Customer;

(f) fraud prevention, security, abuse detection on the Customer's account;

(g) compliance with Monoko's legal obligations.

Any processing for other purposes requires Customer's separate documented instruction.


5. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA

5.1 Categories of Data Subjects. Customer's customers, prospects, employees, audience members, leads, and other natural persons whose Personal Data Customer submits.

5.2 Categories of Personal Data. Names, contact details (email, phone), demographic data, behavioral and inferred-preference data, advertising identifiers, IP / device data, transactional data, and any other Personal Data Customer submits.

5.3 Sensitive Personal Data. Customer should not submit sensitive Personal Data (TH PDPA §26 / GDPR Art 9 categories) unless Customer has obtained the explicit consent required by law and has documented that consent. Where submitted, the heightened obligations in §11 apply.


6. PROCESSOR OBLIGATIONS (GDPR ART 28(3)(a)-(h) / TH PDPA §40)

Monoko shall:

(a) process Customer Personal Data only on Customer's documented instructions — including with regard to international transfers — except where required to do so by applicable law (in which case Monoko will inform Customer of that legal requirement before processing, unless the law prohibits such notice);

(b) ensure that personnel authorized to process Customer Personal Data are bound by confidentiality undertakings (contractual or statutory) and have received appropriate data-protection training;

(c) implement appropriate technical and organizational measures consistent with Annex II (below) to ensure a level of security appropriate to the risk;

(d) engage Sub-Processors only with Customer's prior general or specific authorization. Customer gives a general authorization for engagement of the Sub-Processors listed in our Sub-Processor List and for additional Sub-Processors subject to the 30-day prior-notice and right-of-objection mechanism in §7 below;

(e) assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection);

(f) assist Customer in ensuring compliance with security, breach-notification, DPIA, and prior-consultation obligations under GDPR Arts 32–36 / TH PDPA §§37–39;

(g) at Customer's choice (and at end of Service), delete or return all Customer Personal Data after the end of provision of the Service, save where Singapore, EU, or applicable law requires retention;

(h) make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer — subject to §9 (audit) below.

Documented instructions are: (i) this DPA; (ii) the Terms; (iii) Customer's configuration of the Service through the Service interface (e.g., target advertising platforms selected, audience lists uploaded); and (iv) any additional written instructions agreed in writing.


7. SUB-PROCESSORS

7.1 Authorized Sub-Processors. Authorized Sub-Processors are those listed in the current Sub-Processor List.

7.2 New Sub-Processors. Monoko provides at least 30 days' prior notice before engaging any new material Sub-Processor or replacing an existing material Sub-Processor with one in a different jurisdiction. Notice is given via:

  • Update to the Sub-Processor List with the "Last Updated" date;
  • Email to Customer's billing-contact on record;
  • In-app banner.

7.3 Customer Objection. Customer may object to the engagement of a new Sub-Processor on reasonable grounds within the 30-day notice period. If Monoko cannot accommodate the objection, either party may terminate the affected portion of the Service with refund of unused prepaid fees per Terms §16.3 and §6.7.

7.4 Sub-Processor Obligations. Monoko enters into written agreements with each Sub-Processor that impose substantially the same data-protection obligations on the Sub-Processor as those imposed on Monoko under this DPA. Monoko remains fully liable to Customer for the performance of its Sub-Processors.


8. INTERNATIONAL TRANSFERS

8.1 Transfer Mechanisms. Where Customer Personal Data is transferred from the EEA, UK, Switzerland, Thailand, or Singapore to a third country, transfers are made on the following bases (in order of preference):

(a) Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) or by the Thailand PDPC, or Binding Corporate Rules approved by the competent supervisory authority;

(b) Adequacy decision recognized by the Thailand PDPC or European Commission;

(c) Contract necessity for performance of Customer's contract (TH PDPA §28 ¶2(3); GDPR Art 49(1)(b));

(d) Customer's explicit consent after being informed of the absence of adequate safeguards;

(e) Compliance with legal obligation, public interest, vital interests, or legal claims.

8.2 EU SCCs Incorporation. Where required, the EU SCCs (Module 2: Controller-to-Processor) are deemed incorporated into this DPA between Customer and Monoko. The optional docking clause (Clause 7) is included, allowing additional parties to accede. Annex I (parties, description, supervisory authority), Annex II (TOMs — see Annex II below), and Annex III (Sub-Processors — see Sub-Processor List) are completed as set out in the corresponding sections of this DPA.

8.3 UK Addendum. Where personal data is transferred from the United Kingdom, the UK International Data Transfer Addendum (issued by the UK Information Commissioner) is incorporated into this DPA, supplementing the EU SCCs.

8.4 Thailand PDPC SCCs. Where Thailand-PDPC-approved SCCs become available and applicable, those clauses are incorporated by this reference.


9. AUDIT

9.1 Audit Frequency. No more than once per calendar year (or more frequently following a confirmed personal-data breach affecting Customer), Customer (or a mutually-acceptable auditor mandated by Customer) may audit Monoko's processing of Customer Personal Data.

9.2 Conditions. Audits are subject to:

  • 30 days' prior written notice (except in cases of suspected breach, where shorter notice may apply);
  • conduct during normal business hours;
  • a reasonable confidentiality agreement;
  • reimbursement of Monoko's reasonable costs (where the audit is at Customer's election rather than triggered by a confirmed breach);
  • limitation to information reasonably relevant to Monoko's compliance with this DPA.

9.3 Audit Substitution. Where Monoko obtains and maintains current SOC 2 Type II, ISO/IEC 27001, or equivalent independent assurance, Monoko may satisfy routine audit-information requests by providing the current report or certificate under NDA, subject to Customer's mandatory-law rights to inspect after a confirmed breach.


10. RETENTION AND DELETION

10.1 During the Service term. Customer Personal Data is retained for the periods set out in the Privacy Notice §6 unless Customer instructs deletion earlier.

10.2 On termination. Customer may export Customer Personal Data per Terms §16.5 within the 30-day grace period; thereafter Monoko will delete (or, where infeasible, irreversibly anonymize) Customer Personal Data within the retention windows in the Privacy Notice §6, subject to legal hold, accounting-record retention, and back-up-cycle exceptions.

10.3 Audit trail. Monoko maintains an audit trail of deletion / anonymization actions for at least the period required by applicable law.


11. SECURITY MEASURES (ANNEX II)

Monoko maintains the following technical and organizational measures (subject to ongoing improvement):

Control area | Baseline measure
Encryption | Personal Data encrypted at rest using AES-256 or equivalent managed-disk encryption; data in transit protected by TLS 1.2+ (TLS 1.3 preferred).
Access control | Role-based access control, least-privilege grants, named-user admin accounts, quarterly access review, immediate revocation on role change or termination.
Authentication | Multi-factor authentication for all administrative, production, payment, and DPO tooling.
Logging | Security-relevant admin events, authentication events, data exports, consent changes, payment webhook events, and DSR actions logged for at least twelve (12) months unless a longer retention period is required.
Backups | Production data backed up periodically with restoration tested at least quarterly; backup deletion follows the retention schedule and legal-hold rules.
Business continuity | Disaster-recovery target: RPO 24 hours / RTO 8 hours for core account and billing data, subject to third-party provider incidents outside Monoko's reasonable control.
Vendor risk | Sub-Processors reviewed before onboarding and at least annually; material new Sub-Processors are subject to §7 notice and objection.
Incident response | Written incident-response procedure, severity classification, breach assessment, and notification workflow aligned to SG PDPA §§26B–26D, TH PDPA §§37–39, and GDPR Arts 33–34.
Training | Mandatory annual data-protection training for personnel with access to Personal Data.
Physical security | Hosting providers maintain SOC 2 / ISO 27001 / equivalent certifications for physical security at data-center facilities.
Pseudonymization / minimization | Where technically feasible, fraud-detection signals are stored as hashes; access logs aggregate where individual-level data is not necessary.

12. BREACH NOTIFICATION

12.1 Notification to Customer. Monoko will notify Customer of any Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware, and in any event within the timeframes that allow Customer to comply with Customer's notification obligations to its own data subjects and supervisory authorities.

12.2 Content of notification. The notification will include, to the extent then known:

  • nature of the breach;
  • categories and approximate number of data subjects and records affected;
  • likely consequences;
  • measures taken or proposed to address the breach;
  • contact point for further information.

12.3 Monoko's own notification obligations. Monoko separately notifies regulators per its Privacy Notice §9 (TH PDPC within 72 hours; SG PDPC within 3 calendar days; GDPR Arts 33–34).


13. DATA SUBJECT REQUESTS

13.1 Assistance. Monoko shall, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to Data Subject requests within statutory timelines.

13.2 Forwarding. If Monoko receives a Data Subject request relating to Customer Personal Data, Monoko will forward the request to Customer without undue delay and will not respond to the Data Subject directly unless authorized by Customer or required by law.


14. LIABILITY

14.1 Limitation. Each party's liability under this DPA is subject to the Limitation of Liability in Terms §14, and to the non-waivable carve-outs in Terms §14.6 (including statutory data-protection damages under TH PDPA §77, SG PDPA §32, GDPR Art 82).

14.2 No additional limitation on Data Subject rights. Nothing in §14.1 limits or excludes Monoko's direct liability to Data Subjects under applicable data-protection law where such liability cannot be limited by contract.


15. ORDER OF PRECEDENCE

In case of conflict between this DPA and the Terms with respect to processor obligations under TH PDPA §40 / GDPR Art 28(3), this DPA controls. In case of conflict between this DPA and any SCCs incorporated under §8.2, the SCCs control.


16. TERM AND TERMINATION

This DPA continues for as long as Monoko processes Customer Personal Data, and terminates automatically on termination of the Terms, subject to §10 (retention and deletion).


17. SINGAPORE PDPC AND THAILAND PDPA §40 CONFORMANCE

17.1 Singapore PDPC. This DPA is intended to operate as written data-processing terms for Singapore PDPA purposes and to be interpreted consistently with PDPC Singapore advisory guidance on accountability, transfer limitation, protection, retention limitation, breach notification, and DPO designation.

17.2 Thailand PDPA §40. This DPA is intended to satisfy Thailand PDPA §40 written-contract requirements, including documented instructions, confidentiality, security, Sub-Processor control, data-subject assistance, deletion/return, and audit cooperation.


18. CONTACT

Monoko Data Protection Officer: dpo@monoko.ai
Privacy Inquiries: privacy@monoko.ai
Enterprise / DPA Inquiries: enterprise@monoko.ai
Address: AEDOWON SINGAPORE PTE. LTD., 8 Temasek Boulevard, #17-02A, Suntec Tower Three, Singapore 038988


END OF MONOKO DATA PROCESSING ADDENDUM — V1 Last Updated: 2026-05-17