Legal
Privacy Policy
1. Introduction
This policy outlines how our company, acting as a Data Intermediary, handles personal data in accordance with the Singapore Personal Data Protection Act (PDPA). We specialize in AI-as-a-Service (AIaaS), specifically Retrieval-Augmented Generation (RAG).
2. Data Intermediary Status
We process data solely on behalf of our clients. All processed data remains on the client’s premises or their designated cloud infrastructure. We do not own or control the primary data sets.
SG AI-as-a-Service (SG AIaaS) operates strictly as a Data Intermediary under the PDPA.
– RAG Mechanism: The AI utilizes Retrieval-Augmented Generation (RAG). This architecture retrieves context from the client’s private databases only when needed to generate an answer. SG AIaaS does not store these snippets or use them to train core models.
– Liability: Since all data resides on the client’s infrastructure, the client remains the Data Controller. SG AIaaS is not liable for the accuracy, security, or integrity of data residing within the client’s environment.
3. Purpose of Processing
Data is accessed exclusively for the implementation and operation of RAG-based AI systems. We explicitly do not use client end-user or corporate data to train, fine-tune, or improve foundation models unless specifically agreed upon in a separate Data Sharing Agreement.
– SG AIaaS accesses the client’s end-user and corporate data strictly for the operational delivery of AI-as-a-Service (AIaaS) solutions.
– RAG Deployment: Processing is limited to the retrieval of relevant context from the client’s internal knowledge base to generate accurate, context-aware AI responses.
– Zero Model Training: The client’s data is never utilized for training, fine-tuning, or optimizing foundation models or third-party algorithms.
– Operational Integrity: Processing ensures the AI system remains grounded in the client’s specific data without persistence on our systems.
4. Protection Obligation
Under the PDPA, we maintain strict security protocols. This includes encryption for data in transit, Multi-Factor Authentication (MFA) for all developer access, and detailed audit logging of all interactions with the client’s environment.
As a Data Intermediary, SG AIaaS implements the best available security mechanisms to safeguard the client’s data during RAG processing.
– Advanced Encryption: We utilize industry-leading encryption protocols for data in transit and at rest within the AI pipeline.
– Access Control: Multi-factor authentication (MFA) and granular identity management are enforced for all environment interactions.
– Continuous Updates: Security measures are regularly updated to align with evolving cybersecurity standards and PDPC guidelines.
5. Retention Limitation
We adhere to a ‘Zero-Storage’ policy. We do not replicate, download, or store client data on our own internal servers. Once the RAG implementation or contract period is complete, all access credentials are decommissioned.
SG AIaaS adheres to a strict “No-Storage” mandate for all of the client’s data used within the RAG pipeline.
– Temporary Processing: Data retrieved for AI generation is processed in-memory and discarded immediately after the response is served.
– Zero Persistence: We do not replicate, cache, or archive the client’s end-user or corporate data on our internal systems.
– Post-Project Decommissioning: Upon termination of services, all access tokens and temporary configurations within the client’s infrastructure are securely purged.
6. Accuracy and Access
As the data resides on the client’s infrastructure, requests for data access, correction, or concerns regarding accuracy should be directed to the client. We will assist the client in fulfilling these obligations where technically necessary.
As the client maintains full control over the primary data sources, SG AIaaS operates under the following framework regarding data accuracy and access:
– Source Data Integrity: The client remains responsible for the accuracy and completeness of the end-user and corporate data stored within their infrastructure.
– Correction and Access Requests: Any requests from data subjects to access or correct personal data must be managed by the client as the Data Controller.
– Technical Support: SG AIaaS will provide reasonable technical assistance to the client to facilitate these requests within the AI pipeline.
7. Auditability and Logging
To ensure full regulatory transparency, SG AIaaS maintains immutable, granular audit trails that map every AI response back to its specific source data within the client’s infrastructure, providing a clear chain of custody for all RAG-driven interactions. SG AIaaS maintains comprehensive audit trails to support the client’s regulatory and compliance requirements.
– Transaction Traceability: Every AI interaction is logged, capturing the user query, specific data chunks retrieved via RAG, and the final generated output.
– Data Lineage: We provide metadata mapping that attributes AI responses to the original source documents within the client’s infrastructure.
– Access Logs: All technical interactions with the RAG pipeline are recorded in immutable logs, ensuring a transparent chain of custody.
8. Breach Notification
In the event of a security anomaly with the AI model, we will notify the client’s DPO within 24 hours to facilitate timely reporting to the PDPC if required.
9. Contact Information
For inquiries regarding this policy, contact our Data Protection Officer at: dpo@sg-aiaas.com.
Terms of Service
1. SCOPE & ACCOUNTABILITY
These Terms govern the use of SG AIaaS LLP’s AI services. In line with Singapore’s Model AI Governance Framework (2026), the Company acts as a “Developer” and “Provider.” While we implement technical guardrails, the User remains the “Human-in-the-Loop,” responsible for the final output and any autonomous actions triggered by AI agents.
2. INTELLECTUAL PROPERTY (IP)
Input Data: The User retains ownership of all data uploaded. You grant the Company a limited license to process this data to provide the Service.
AI Output: Subject to full payment, the Company assigns its interest in the Output to the User. Note: Under the Copyright Act 2021, AI-generated works lacking significant human creative contribution may not be copyrightable in Singapore.
3. DATA PROTECTION (PDPA)
We process personal data as a Data Intermediary. You warrant that you have obtained all necessary consents for processing personal data through our AI models. In the event of a data breach, notifications will be handled pursuant to the Personal Data Protection (Notification of Data Breaches) Regulations.
4. ACCEPTABLE USE & LIMITATIONS
Users shall not use the Service to generate “Deepfakes” intended to deceive, or to bypass safety filters. We reserve the right to implement “Kill-Switches” for any AI agent exhibiting unpredictable behavior that threatens system integrity.
5. LIABILITY & INDEMNITY
To the maximum extent permitted by law, the Company is not liable for “hallucinations” or errors in AI reasoning. Total liability is capped at the fees paid in the preceding 3 months.
6. GOVERNING LAW
These Terms are governed by the Laws of Singapore. Disputes shall be settled via the Singapore International Arbitration Centre (SIAC).
PDPA
DATA PROCESSING ADDENDUM (DPA)
1. ROLES & SCOPE
The Customer is the Data Controller, and the Company is the Data Intermediary (DI). This DPA applies to all “Customer Personal Data” processed by our AI models.
2. OBLIGATIONS OF THE DATA INTERMEDIARY
In accordance with Section 4(2) of the PDPA, the Company shall:
Protection Obligation: Implement “Reasonable Security Arrangements” (encryption, access logs) to prevent unauthorized access or “prompt injection” attacks that lead to data exfiltration.
Retention Limitation: Cease retention of personal data once the specific AI processing purpose is fulfilled.
Data Breach Notification: Notify the Customer without undue delay (and within 24 hours) upon discovery of any potential data breach, assisting the Customer in their 3-day notification window to the PDPC.
3. AI-SPECIFIC PROCESSING
Purpose Limitation: We shall only process data based on the Customer’s documented instructions.
Anonymization: Pursuant to the 2026 AI Governance Framework, we shall prioritize the use of anonymized or pseudonymized datasets for model fine-tuning.
Transfer Limitation: Data shall not be transferred outside Singapore unless the recipient provides a standard of protection comparable to the PDPA.
4. ASSISTANCE & AUDIT
The Company shall assist the Customer in conducting Data Protection Impact Assessments (DPIAs) for high-risk AI deployments.