Third-party vendors engaged by CSI Tech that may process personal data in the course of delivering managed services.
This register is maintained for transparency under CSI Tech's Master Services Agreement (Clause 9.3). It is available to active clients and prospective clients on request. To request a copy or raise a data processing query, contact hello@csi-tech.sg.
Data processed: User identities, device data, email and file content, sign-in and activity logs
Storage location: Singapore / APAC region (Microsoft data centre)
Basis: Microsoft Cloud Agreement; PDPA-compliant DPA via Microsoft Online Services Terms
AFI.AI (Afi Technologies)
Microsoft 365 backup
Cross-border transfer
Function: Backup and recovery of Microsoft 365 data — mailboxes, SharePoint, OneDrive, Teams
Data processed: Email, calendar, contacts, files, Teams conversations
Storage location: Australia (AWS Sydney region)
Basis: Cross-border transfer to Australia. Australia's Privacy Act 1988 provides a standard of protection comparable to Singapore's PDPA. Contractual data processing obligations consistent with PDPA Schedule 10 are in place via AFI.AI's Data Processing Agreement.
NAKIVO Inc.
Physical server and VM backup / BCDR
Function: Backup, replication, and disaster recovery for on-premises and virtualised infrastructure
Data processed: Server data, virtual machine images, application data as configured per client scope
Storage location: Singapore — client-designated storage, no cross-border transfer by default
Basis: NAKIVO partner agreement. Data residency in Singapore.
Action1
Patch management and vulnerability remediation
Cross-border transfer
Function: Automated patch management, software deployment, and vulnerability remediation for managed endpoints
Data processed: Endpoint inventory, patch status, software versions, device identifiers
Storage location: Australia (AWS Sydney region)
Basis: Cross-border transfer to Australia. Australia's Privacy Act 1988 provides comparable protection to Singapore's PDPA. Covered under Action1 Service License Agreement at action1.com/legal/service-license-agreement/. Action1 is SOC 2 Type II and ISO 27001:2022 certified.
Gorelo
PSA and RMM platform
Region pending
Function: Remote monitoring and management, ticketing, asset inventory, service delivery
Data processed: Device telemetry, user contact details, support request content, asset data
Storage location: Azure — region TBC, written confirmation from Gorelo pending
Basis: Gorelo partner agreement. Azure data region and DPA confirmation pending — client onboarding gated until confirmed.
Huntress Labs Inc.
Managed EDR / MDR — Secure and Executive tiers
Cross-border transfer
Function: Endpoint detection, threat investigation, and managed response
Data processed: Endpoint telemetry, process activity, file and registry events, security alert data
Storage location: United States (SOC operations); telemetry processed across US / UK / AU follow-the-sun
Basis: Huntress MSP partner agreement and Data Processing Addendum (effective 19 March 2025). Three-jurisdiction cross-border transfer (US primary; UK and AU sub-processors). Contractual obligations consistent with PDPA Schedule 10 applied. Cross-border transfer disclosed at Secure and Executive tier onboarding.
ConnectWise ScreenConnect Cloud
Remote access and screen sharing — csitech.screenconnect.com
Cross-border transfer
Function: Remote access and screen sharing for managed devices during support delivery
Data processed: Device screen content, session metadata, device identifiers
Storage location: Tokyo, Japan (ConnectWise cloud infrastructure)
Basis: Cross-border transfer to Japan. Japan's Act on the Protection of Personal Information (APPI, amended 2022) provides comparable protection to Singapore's PDPA. Covered under ConnectWise DPA at connectwise.com/legal, incorporated by reference into the ScreenConnect SaaS agreement.
Check Point Harmony
Endpoint and email security
Cross-border transfer
Function: Endpoint protection, threat prevention, and email security for managed devices
Data processed: Endpoint telemetry, file and process activity, email metadata and content where email security is in scope
Storage location: Check Point cloud infrastructure — region to be confirmed per deployment
Basis: Check Point partner agreement and DPA. Cross-border transfer disclosed at client onboarding where applicable.
ScoutDNS
DNS filtering and web content control
Cross-border transfer
Function: DNS-layer filtering to block malicious domains, phishing, and unwanted content categories
Data processed: DNS query logs, device identifiers, IP addresses
Storage location: United States (ScoutDNS cloud infrastructure)
Basis: ScoutDNS partner agreement and DPA. Contractual obligations consistent with PDPA Schedule 10 applied. Cross-border transfer to US disclosed at client onboarding.
DefensX
Browser security and web isolation
Cross-border transfer
Function: Browser-layer security, phishing protection, and web isolation for managed users
Data processed: Web browsing activity, URL requests, user identifiers
Storage location: DefensX cloud infrastructure — region to be confirmed per deployment
Basis: DefensX partner agreement and DPA. Cross-border transfer disclosed at client onboarding where applicable.
Bitwarden
Password management
Cross-border transfer
Function: Managed password vault for client staff — credential storage, sharing, and access management
Data processed: Encrypted credential vault data, user identities, organisational metadata
Storage location: United States (Bitwarden cloud, Microsoft Azure US region)
Basis: Bitwarden Business agreement and DPA. Vault data is end-to-end encrypted — Bitwarden cannot access plaintext credentials. Contractual obligations consistent with PDPA Schedule 10 applied. Cross-border transfer to US disclosed at client onboarding.
Dropsuite / NinjaOne
Email and Microsoft 365 backup
Cross-border transfer
Function: Email archiving and backup, Microsoft 365 backup delivered via NinjaOne integration
Data processed: Email content and metadata, Microsoft 365 data as configured per client scope
Storage location: Singapore (Dropsuite primary region); NinjaOne infrastructure — region to be confirmed
Basis: Dropsuite and NinjaOne partner agreements and DPAs. Cross-border transfer disclosed at client onboarding where applicable.
Notes on this register
Scope: This register covers vendors that process personal data as defined under the Personal Data Protection Act 2012 (Singapore) in the course of CSI Tech's service delivery. Internal productivity tools used solely by CSI Tech staff and not processing client personal data are not listed.
Cross-border transfers: Where personal data is transferred outside Singapore, CSI Tech takes steps to ensure adequate protection is in place, including contractual clauses and data processing agreements consistent with PDPA Schedule 10. Clients are informed of any cross-border transfers at the time of onboarding. Current cross-border destinations are: Australia (AFI.AI, Action1), Japan (ConnectWise ScreenConnect), and United States (ScoutDNS, Bitwarden, Huntress). Transfers to Australia are covered under the Australian Privacy Act 1988, which provides comparable protection to Singapore's PDPA. Transfers to Japan are covered under Japan's Act on the Protection of Personal Information (APPI, amended 2022), which provides comparable protection to Singapore's PDPA. For Check Point, DefensX, and NinjaOne, data regions are being confirmed and will be updated in this register when known.
Gorelo region disclosure: Written confirmation of Gorelo's Azure data region and DPA is pending. CSI Tech will not onboard clients to Gorelo-supported services until this confirmation is received and this register is updated accordingly.
Changes to this register: CSI Tech will provide at least 30 days' notice to active clients of any material change to this register, including addition of new sub-processors, change of data location, or removal of a vendor. Notice will be provided by email to the primary IT contact named in the MSA.
Questions about how personal data is handled under your service agreement?