Circular 03/2026 · Policy Publication · Policy Reference: DB-POL-001
Renewal, Revocation & Programme Conduct Policy
Applies to all Data Bureau certification programmes.
1. Purpose & Scope
This Policy establishes the obligations, procedures, and governance standards that govern the ongoing certification relationship between Data Bureau (Singapore) Pte. Ltd. ("Data Bureau") and all entities that hold, apply for, or seek to renew a Data Bureau certification ("Certificate Holders").
This Policy applies to all certification programmes issued under the Data Bureau certification framework, including but not limited to CBA-01 through VPO-16, and supersedes any conflicting provisions in earlier versions of individual certification standards regarding renewal, revocation, suspension, or appeals.
The authority to certify, suspend, reinstate, and revoke rests exclusively with Data Bureau (Singapore) Pte. Ltd. No facilitation partner, verification agency, or third party may exercise these powers on Data Bureau's behalf.
2. Definitions
| Term | Meaning |
|---|---|
| Certificate | A Data Bureau certification document issued under any programme in the CBA-01–VPO-16 series. |
| Certificate Holder | Any natural person or legal entity currently holding a valid, unexpired Data Bureau certificate. |
| Certification Period | The validity window stated on the face of the certificate, typically one (1) year from the date of issue unless otherwise specified. |
| Renewal Application | A formal application submitted by a Certificate Holder to extend their certification for a further Certification Period. |
| Material Change | Any change to the Certificate Holder's legal status, ownership, regulatory standing, operating scope, or any criterion assessed in the original certification, that may affect conformance to the applicable standard. |
| Suspension | A temporary administrative hold on a certificate's active status pending investigation or resolution of a compliance concern. |
| Revocation | The permanent cancellation of a certificate prior to its stated expiry. |
| Lapse | Automatic expiry of a certificate where no valid Renewal Application has been submitted and approved before the end of the Certification Period. |
| Public Registry | The Data Bureau online register of current, suspended, and revoked certificates, accessible at databureau.com.sg. |
| Appointed Verification Agency | An entity appointed by Data Bureau to conduct assessment activities on its behalf, including Scam.SG / OnScam (SG) Pte. Ltd. Such entities do not hold certification authority. |
3. Certificate Holder Obligations
3.1 Continuous Compliance
A certificate represents conformance at the time of assessment. Certificate Holders are required to maintain continuous conformance with all applicable certification criteria throughout the Certification Period, not merely at the point of initial assessment or renewal.
3.2 Mandatory Notification Obligations
Certificate Holders must notify Data Bureau in writing at certify@databureau.com.sg within the timeframes specified below upon becoming aware of any of the following events:
| Event | Notification Deadline |
|---|---|
| Change of legal name or UEN | 14 calendar days |
| Change of registered address or principal place of business | 14 calendar days |
| Change of directors, partners, or beneficial owners | 14 calendar days |
| Bankruptcy, winding-up, or judicial management application filed against the entity or any director | 48 hours |
| Regulatory enforcement action, licence suspension, or licence revocation by any Singapore authority | 48 hours |
| Material change to any system, process, or data architecture within scope of an AI or information flow certification | 30 calendar days |
| Any agentic AI incident resulting in unintended action, system access breach, or third-party harm (AAC-03 holders) | 48 hours |
| Discovery that any information submitted in the certification application was inaccurate or incomplete | Immediately upon discovery |
| Any other Material Change | 30 calendar days |
3.3 Display & Use of Certification Marks
Certificate Holders are permitted to display the Data Bureau certification badge and reference their certification status in commercial communications, subject to the following conditions:
- •The certificate must be current and not suspended or revoked.
- •The certification badge must link to the Certificate Holder's Public Registry entry or the verification page at databureau.com.sg.
- •Certificate Holders must not misrepresent the scope of their certification. A certificate issued for one programme may not be represented as covering another.
- •Certificate Holders must not claim that certification constitutes a government endorsement, regulatory approval, or guarantee of performance.
- •Upon lapse, suspension, or revocation, all certification marks must be removed from commercial communications, websites, and physical materials within 5 business days.
4. Annual Renewal
4.1 Renewal Timeline
Certificates are valid for one (1) year from the date of issue unless a different validity period is stated on the certificate face. Certificate Holders who wish to maintain certification must submit a Renewal Application before expiry.
| Step | Action | Detail |
|---|---|---|
| T−60 | Renewal Reminder | Data Bureau issues a written renewal reminder to the Certificate Holder's registered email address. |
| T−30 | Renewal Application Window Opens | Certificate Holder may submit a Renewal Application via the Data Bureau portal or by email to certify@databureau.com.sg. The renewal fee is payable at submission. |
| T−14 | Final Notice | Where no Renewal Application has been received, Data Bureau issues a final notice. Failure to respond by T−0 will result in lapse. |
| T−0 | Certificate Expiry | Certificate lapses if no valid Renewal Application has been approved. Registry status is updated to 'Lapsed' with immediate effect. |
| T+0 to T+30 | Late Renewal Window | A Certificate Holder may submit a late Renewal Application within 30 days of lapse. A late renewal fee applies. The certificate remains lapsed — and the certification mark may not be displayed — until the Renewal Application is approved. |
| T+30+ | Lapse Becomes Final | After 30 days post-expiry, the entity must submit a fresh certification application and undergo full assessment. |
4.2 Renewal Assessment Scope
Renewal is not automatic. Each renewal involves a reassessment of the applicable certification criteria. Data Bureau may conduct a full or targeted reassessment depending on:
- •Changes notified by the Certificate Holder since the last assessment;
- •Adverse signals identified through continuous monitoring, including Scam.SG complaint data, regulatory enforcement records, and ACRA status changes;
- •The passage of time since criteria or data sources were last verified; and
- •Any outstanding compliance conditions from the prior certification.
Where a targeted reassessment is conducted, Data Bureau will specify which criteria have been re-evaluated. Criteria not re-evaluated carry forward the prior assessment outcome.
4.3 Renewal Fees
Renewal fees are set at the rate applicable at the time of the Renewal Application. Current fees are published in the Data Bureau Certification Catalogue. Data Bureau reserves the right to adjust fee schedules with a minimum of 60 days' written notice to Certificate Holders. Fees paid are non-refundable where a Renewal Application fails assessment, except where the failure is attributable solely to a Data Bureau administrative error.
5. Suspension
5.1 Grounds for Suspension
Data Bureau may suspend a certificate, with immediate effect and without prior notice, where it has reasonable grounds to believe that one or more of the following conditions exist:
- 1A Material Change has occurred that may render the Certificate Holder non-compliant, and investigation is required to determine the impact on certification status.
- 2A complaint, enforcement action, or adverse signal has been received that, if substantiated, would constitute grounds for revocation.
- 3The Certificate Holder has failed to provide information requested by Data Bureau within the specified timeframe.
- 4False or misleading information is suspected to have been submitted in the certification application or any subsequent notification.
- 5The certificate is subject to an ongoing appeals or dispute process that requires interim status management.
5.3 Duration of Suspension
Suspension shall not exceed 60 calendar days from the date of the Suspension Notice. Where a resolution has not been reached within 60 days, Data Bureau will either proceed to revocation or extend the suspension by a further period, not exceeding 30 days, with written notice to the Certificate Holder. A certificate may not be suspended indefinitely.
6. Revocation
6.1 Grounds for Revocation
Data Bureau may revoke a certificate, with immediate effect, upon any of the following grounds:
- 6The Certificate Holder submitted false, misleading, or materially incomplete information in the certification application or any subsequent notification.
- 7The Certificate Holder provided a false declaration in connection with any criterion assessed by signed declaration.
- 8A Material Change has occurred that renders the Certificate Holder non-compliant with the applicable certification standard, and the Certificate Holder has failed to remediate within the period specified by Data Bureau.
- 9The Certificate Holder has failed to notify Data Bureau of a Material Change within the required timeframe under Section 3.2.
- 10A regulatory authority has taken enforcement action against the Certificate Holder, or the Certificate Holder's operating licence has been suspended or revoked, in a manner material to the certification scope.
- 11The Certificate Holder has been wound up, placed under judicial management, or has become insolvent, and the circumstances are material to the certification scope.
- 12The Certificate Holder has failed to pay the applicable renewal fee within 30 days of the due date.
- 13The Certificate Holder has misrepresented their certification status or misused the Data Bureau certification mark in a manner that brings the certification programme into disrepute.
- 14The Certificate Holder has refused or obstructed a Data Bureau audit or investigation.
6.3 Immediate Revocation
Notwithstanding Section 6.2, Data Bureau may effect immediate revocation — without a Show Cause Notice — where:
- •The grounds for revocation involve fraud or deliberate misrepresentation;
- •A Singapore regulatory authority has ordered revocation or taken action that makes continued certification untenable; or
- •Continued display of the certification mark poses an immediate risk of consumer harm.
In cases of immediate revocation, the Certificate Holder retains the right to appeal under Section 7.
6.4 Consequences of Revocation
A revoked Certificate Holder may not apply for any Data Bureau certification for a period of 12 months from the effective date of revocation, unless the revocation was subsequently overturned on appeal.
Where revocation was on the grounds of fraud or deliberate misrepresentation, a 24-month exclusion period applies, and any new application will be subject to enhanced assessment.
7. Appeals
7.1 Appealable Decisions
- •A denial of a certification application (initial or renewal);
- •A suspension decision;
- •A revocation decision; and
- •A decision on the scope or conditions attached to a conditional certification.
7.3 Effect of Appeal on Status
The filing of a Notice of Appeal does not automatically suspend the effect of the decision under appeal. Where the decision is a revocation, the certificate remains revoked during the appeal period unless the appeals panel grants an interim stay in writing.
An interim stay may be granted by the panel where the appellant demonstrates a prima facie arguable case and that continued suspension or revocation would cause disproportionate harm pending appeal.
8. Reapplication After Lapse or Revocation
Where a certificate has lapsed for more than 30 days, the entity must submit a fresh certification application and undergo full assessment against the current version of the applicable standard. Prior certification history will be noted in the Registry but does not guarantee reapproval.
Subject to the exclusion periods set out in Section 6.4, a formerly revoked entity may reapply for certification. Where the grounds for revocation related to false information, misuse of certification marks, or obstruction, the reassessment will include enhanced due diligence, including verification of all previously declared information and an interview with a senior Data Bureau officer.
9. Continuous Monitoring
Data Bureau conducts continuous monitoring of all active Certificate Holders through:
- •Automated cross-referencing against ACRA Business Profile API for status changes, director changes, and UEN flags;
- •Continuous monitoring via the Scam.SG complaint and enforcement database for adverse events, unresolved complaints, and fraud patterns;
- •Periodic review of sector-specific regulatory registers where applicable to the certification programme (e.g., MOH, CEA, CPIB);
- •MinLaw Insolvency Office monitoring for bankruptcy and winding-up filings; and
- •Horizon scanning of public enforcement actions and media-reported adverse events relevant to Certificate Holders.
Adverse signals identified through continuous monitoring will trigger a review in accordance with the suspension or revocation procedures in Sections 5 and 6, as appropriate. Data Bureau will not disclose the specific configuration of its monitoring systems to Certificate Holders.
10. Programme Conduct Standards
10.1 Integrity of the Certification Process
All persons and entities participating in the Data Bureau certification process — including applicants, Certificate Holders, Appointed Verification Agencies, and Data Bureau staff — are required to maintain the integrity of that process. The following conduct is prohibited:
- •Submitting false, falsified, or misleading documents or declarations in connection with any certification application, renewal, notification, or appeal;
- •Attempting to influence the outcome of a certification decision through improper means, including inducements, threats, or misrepresentation;
- •Impersonating another entity or person in any certification-related communication;
- •Applying for certification on behalf of an entity that does not meet the eligibility criteria;
- •Displaying a certification mark in respect of a lapsed, suspended, or revoked certificate; and
- •Misrepresenting the scope, meaning, or implications of a Data Bureau certificate to customers, regulators, or counterparties.
10.3 Confidentiality
Assessment records, internal review notes, and appeals panel deliberations are confidential. Data Bureau will not disclose the substantive content of assessment records to third parties without the consent of the Certificate Holder, except where required by law, by a Singapore regulatory authority, or where the public interest so requires.
Certificate Holders may request a copy of their own assessment record by writing to certify@databureau.com.sg. Assessment records are retained for a minimum of 7 years from the date of assessment.
11. Declarations
Certain certification criteria across the Data Bureau programme portfolio are assessed by signed declaration. The following provisions apply to all declarations submitted in connection with Data Bureau certification:
- •Declarations are legally binding instruments. Each declaration submitted by an applicant or Certificate Holder constitutes a representation of fact.
- •Providing a false declaration is a misrepresentation that voids the certificate and constitutes grounds for immediate revocation under Section 6.1.
- •Data Bureau reserves the right to pursue civil remedies for losses arising from false declarations, including recovery of certification fees, costs of investigation, and any losses suffered by third parties who relied on the certification.
- •Where a declaration is subsequently found to be false and the matter is material to a regulatory obligation, Data Bureau may refer the matter to the relevant Singapore authority.
12. Limitation of Liability
Certification by Data Bureau represents an assessment of conformance to defined standards at the time of assessment. It is not a guarantee of future performance, ongoing compliance, financial stability, or the absence of future adverse events.
Data Bureau's liability in relation to any certification decision, including renewal, suspension, revocation, or appeals outcome, is limited to the certification fees paid by the applicant or Certificate Holder for the relevant assessment. Data Bureau accepts no liability for consequential loss, reputational damage, or loss of business arising from any certification decision.
13. Policy Governance
| Attribute | Detail |
|---|---|
| Policy Owner | Chairman & CEO, Data Bureau (Singapore) Pte. Ltd. |
| Effective Date | 17 April 2026 |
| Version | 1.0.0 |
| Review Cycle | Annual, or upon material change to any applicable certification standard |
| Amendment | Amendments to this Policy are published on the Data Bureau website with a minimum of 30 days' notice to Certificate Holders prior to the effective date of the amendment. Certificate Holders who do not object within 30 days of notification are deemed to have accepted the amendment. |
| Supersession | This Policy supersedes all prior renewal, revocation, and appeals provisions contained in individual certification standards where those provisions are inconsistent with this Policy. |
14. Contact
| Purpose | Contact |
|---|---|
| Renewal Applications | certify@databureau.com.sg |
| Material Change Notifications | certify@databureau.com.sg |
| Suspension or Revocation Enquiries | certify@databureau.com.sg |
| Appeals (Notice of Appeal) | certify@databureau.com.sg — Subject: DB-POL-001 Appeal |
| General Certification Enquiries | databureau.com.sg |