Kenneth Kiffer Fong
HomeCase Studies

Data Intermediary Agreement - clause-level redline of an OEM-global agreement (2025)

The situation

The client's Data Intermediary Agreement descended from the OEM group's global data-governance guidelines. Rather than counter-sign, I reviewed it clause by clause and proposed amendments that strengthened it for the client while modernising it: a recognised-standards acknowledgment (ISO/IEC 27001, GDPR-aligned) mapped against local PDPA obligations; an approved-sub-processor framework - covering cloud, automation, and AI tooling - replacing a blanket sub-contracting prohibition that no modern digital stack could honour; secure deletion with a formal Certificate of Deletion in place of "returning" digital data (which only multiplies copies and risk); a partnership review mechanism for new data policies; a Data Processing Addendum; and balanced liability terms. The amendments were reviewed and accepted by the client - including their Data Protection Officer - and the client floated them as a template for its other vendors. In parallel I structured the commercial addendum to retain the Company's software ownership under a subscription model and to build in defined exit clauses.

Proactive advisory

Volunteered, beyond scope, a forward list of improvements to the client's own internal data-handling governance across the app ecosystem - access controls and download auditability on customer data - positioning the Company as the data-privacy subject-matter partner ahead of the client's third-party assessment cycle. Repeated the pattern in 2026 ahead of a subsequent internal PDPA audit, producing a structured multi-system briefing paper covering every system the Company provides to the client - per-system strengths and gaps, operational recommendations, and framing advice for the auditor - including flagging the Company's own access role as a control gap worth naming to the auditor. The client's data-protection function has treated the advisory relationship as continuous.

What this shows

Governance, legal, and commercial architecture executed live and in the client's interest - turning a compliance formality into a position of advisory authority, and protecting the Company's IP and exit position at the same time.

← An aftersales network - operational forensics and revenue reactivation (2025)A conglomerate motor group - multi-year group media commitment (2020–present) →