Data Processing Addendum

This BytePlus Data Processing Addendum (“Addendum”) forms part of the Customer Agreement between BytePlus and Customer and governs the processing by BytePlus of Customer Data in connection with the Agreement. Unless indicated otherwise, if there is any conflict between the provisions of this Addendum and the remainder of the Agreement, this Addendum shall prevail to the extent of such conflict.
This Addendum includes and incorporates the Standard Terms and Conditions and the Exhibits attached hereto. Capitalized terms not defined herein shall have the meaning set forth in Schedule 1 (Definitions and Interpretation).

Standard Terms and Conditions

1. Definitions

1.1 The following defined terms apply to this Addendum:
“Customer Data” means any Personal Data that is Processed by BytePlus on behalf of Customer in connection its provision of Services to Customer under the Agreement;
“Data Subject” means the identified or identifiable natural person to whom the Personal Data relates;
“Local Law Annexes” means the annexes attached hereto which set forth specific supplemental local law requirements relevant to the Processing hereunder;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
“Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Regulator” means any regulator with authority to enforce Data Protection Laws in any particular territory; and
“Relevant Data Transfer” means a transfer of Personal Data (from Customer to BytePlus or from BytePlus to a subcontractor or other party) which would be prohibited by Data Protection Law (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Law) in the absence of appropriate measures being followed by Customer and/or BytePlus to demonstrate that the transfer shall not prevent or impede such data from being handled in accordance with Data Protection Law.

2. Local Law Annexes

2.1 Where and to the extent that any of the local law requirements set out in the Exhibit A (Local Law Annexes) apply to the Processing of Customer Data by Customer and/or BytePlus (as applicable), the terms of that applicable Local Law Annex will apply to BytePlus’s Processing of such Customer Data. If there is any conflict between the terms set forth in the Addendum’s Standard Terms and Conditions and the terms set forth in the Local Law Annexes incorporated herein, the terms of the Local Law Annexes shall prevail.

3. Conditions of Processing

3.1 This Addendum, including the Local Law Annexes, governs the terms under which BytePlus shall Process Customer Data in connection with its provision of the Services. The specific details of such Customer Data and Processing are further described in Exhibit B (Processing Details).

4. Customer obligations

4.1 Customer represents, warrants and undertakes that it has at all times complied and shall continue to comply with Data Protection Laws in respect of the Customer Data Processed in connection with the Agreement. In particular, it has served any necessary notices and obtained any necessary consents, or established legitimate grounds to disclose to, and/or permit the collection of Customer Data by, BytePlus to enable the Processing of the Customer Data by BytePlus for its provision of Services to Customer as set out in this Addendum and as envisaged by the Agreement.
4.2 Customer shall at its own cost:
4.2.1 at all times ensure the accuracy, quality, completeness and legality of the Customer Data that is Processed by BytePlus during the Term of the Agreement; and
4.2.2 maintain and keep up-to-date relevant records to demonstrate its compliance with Data Protection Laws, and provide BytePlus with a copy of such records when requested by BytePlus.
4.3 Without prejudice to any other provision in this Addendum, Customer shall not do anything or omit to do anything that will cause BytePlus to be in breach of any provision or requirement of any Data Protection Laws including regulations issued thereunder, whether now or in the future.

5. BytePlus Obligations

5.1 BytePlus shall only Process Customer Data in accordance with and for the purposes of performing the Services and its obligations as set out under this Addendum and as envisaged by the Agreement and/or for [diagnostics, security and improvement of the Services].
5.2 BytePlus shall comply with Data Protection Laws including any such laws applicable to Relevant Data Transfers when performing its obligations under the Agreement (including this Addendum).
5.3 BytePlus shall, unless prohibited by Applicable Laws, notify Customer about any binding request for disclosure of Customer Data by a Regulator, government agency, or law enforcement authority.
5.4 BytePlus shall implement appropriate technical and organisational measures to protect the Customer Data against accidental, unauthorised or unlawful processing, loss, alteration, destruction, disclosure or damage.
5.5 Upon becoming aware of a Personal Data Breach affecting Customer Data, unless specifically prohibited under Applicable Laws or any Regulator, BytePlus will, without undue delay, notify Customer in writing of the Personal Data Breach.
5.6 The liability of BytePlus for a breach of any of the obligations set forth in this Addendum shall not exceed the liability cap as set out in the Agreement.

6. Sub-processing

6.1 Customer hereby grants BytePlus general written authorisation to engage sub-processors for the Processing of Customer Data under the Agreement. Customer hereby authorises BytePlus’s engagement of the sub-processors listed in Exhibit D (BytePlus Sub-Processors) provided that: (i) BytePlus agrees to provide at least seven (7) days’ prior notice of the addition or removal of any sub-processor (including details of the processing it performs or will perform); and (ii) Customer imposes data protection terms on any sub-processor it appoints that require it to protect the Customer Data to the standard required by Data Protection Laws.
6.2 In the event that BytePlus engages a sub-processor for carrying out specific Processing activities on behalf of Customer, where that sub-processor fails to fulfil its obligations, BytePlus shall remain fully liable under the Data Protection Laws to Customer for the performance of that sub-processor’s obligations.

7. Indemnity

7.1 Each Party shall, on demand, defend, indemnify and keep indemnified the other Party and its Affiliates and sub-processors and all of their respective directors, officers, employees, contractors, stockholders, agents and representatives (the “Indemnified Parties”), during the Term and thereafter during any limitation period allowed under Applicable Law from and against any of the following and hold harmless the Indemnified Parties in respect of: any settlement amounts or amounts (including interest) awarded by a court or tribunal of competent jurisdiction or arbitrator to a third party, costs of investigation, litigation, settlement and external legal fees (on a solicitor-client basis), disbursements, administrative costs directly incurred by the Indemnified Parties in respect of a claim; and any other costs, losses or damages suffered by the Indemnified Parties to the extent the same are assessed against, or incurred by the Indemnified Parties in respect of the following:
7.1.1 any breach by the other Party of its respective obligations under this Addendum; and/or
7.1.2 any action or omission by the other Party or (in the case of the Customer) its Authorized Users that causes the Indemnified Parties to be in breach of any Data Protection Laws.

8. Termination

8.1 This Addendum will remain in force for the Term of the Agreement or for so long as BytePlus Processes Customer Data, whichever term is longer.
8.2 Following termination of the Agreement or after the end of the provision of any Services under the Agreement, whichever is later, Customer shall be responsible for exporting any Customer Data it wishes to retain from the Services within 30 days. Notwithstanding the foregoing, Customer hereby instructs BytePlus to delete any Customer Data from its systems following the expiry of 60 days (unless Data Protection Laws requires the Customer Data to be retained by BytePlus beyond this period) following the termination of the Agreement or the end of the provision of any Services under the Agreement (whichever is later).

9. Governing Law and Jurisdiction

This Addendum and any dispute or claim in connection with it shall be governed by and be construed in accordance with the laws of the Agreement. Each Party herby submits to the jurisdiction of the dispute resolution venue(s) as set out in the Agreement.

Exhibit A - Local Law Annexes

PART A - EEA AND UK ANNEX

In addition to the Addendum’s Standard Terms and Conditions, Customer and BytePlus will comply with the following terms to the extent that any of the Customer Data Processed by BytePlus pursuant to the Agreement is within the jurisdictional scope of EU Data Protection Laws (“EU Personal Data”).

1. Definitions and Interpretation

1.1 All terms defined in the Addendum’s Standard Terms and Conditions shall have the same meaning when used in this Annex, except where otherwise provided below:
“Controller” has the meaning given to that term in EU Data Protection Laws;
“EU Data Protection Laws” means, as applicable, (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) any and all national data protection laws made pursuant to (i) or (ii) (including, after EU law ceases to apply the United Kingdom (“UK”), the UK GDPR and the UK Data Protection Act 2018); in each case as may be amended or superseded from time to time;
“EU Personal Data” has the meaning set forth in the preamble to this Annex;
“Processor” has the meaning given to the term in EU Data Protection Laws;
“Regulator” means the data protection supervisory authority, which has jurisdiction over Customer’s Processing of EU Personal Data;
“Special Category Data” has the meaning given to the term in EU Data Protection Laws;
“Third Countries” means countries which are neither members of the European Economic Area (“EEA”) or (after European Union law ceases to apply to the UK) the UK, excluding countries approved as providing adequate protection for Personal Data by the European Commission and/or (after EU law ceases to apply in the UK) the equivalent competent UK authority, from time to time; and
“UK GDPR” means the GDPR as it applies in UK domestic law by virtue of the UK’s European Union (Withdrawal) Act 2018.

2. Customer obligations

2.1 Customer represents, warrants and undertakes that it has complied and shall continue to comply with EU Data Protection Laws, in particular Customer shall:
2.1.1 maintain and serve a publicly accessible privacy notice satisfying the transparency requirements of the GDPR, which describes the purposes for which Customer shall Process EU Personal Data in connection with its use of the applicable Services;
2.1.2 ensure that EU Personal Data is collected and processed fairly and lawfully in accordance with EU Data Protection Laws, including in relation to children; and
2.1.3 establish a lawful basis to process the EU Personal Data under the GDPR;
in each case, as necessary to enable Customer to disclose (or permit BytePlus to collect) the EU Personal Data for BytePlus to Process for the purposes of its provision of the Services as set out in this Addendum and as envisaged by the Agreement.
2.2 Customer shall not disclose to BytePlus any EU Personal Data which may be considered Special Category Data.
2.3 Customer shall, in respect of Customer’s use of any Services that involve the collection or storage of information from end user’s devices using BytePlus cookies, pixels, software development kits, or similar tracking technologies (collectively “BytePlus Technologies”):
(a) not use, configure or deploy any BytePlus Technologies in a way that will result in BytePlus collecting any Special Category Data;
(b) provide clear and comprehensive information to end users that the Customer’s services deploy such BytePlus Technologies for the provision of the Services;
(c) obtain any consents as are required under EU Data Protection Laws to permit use of the BytePlus Technologies;
(d) refresh any consents obtained in accordance with this Section 2.3(c) above at least every 12 months;
(e) provide end users with the ability to opt-out of the use of BytePlus Technologies in accordance with requirements under EU Data Protection Laws; and
(f) ensure that all BytePlus Technologies are disabled or removed from the Customer’s services following the expiry or termination of the Agreement.
2.4 Customer will, upon reasonable request by BytePlus, share with BytePlus further details regarding the source of the EU Personal Data, any conditions attached to the use (such as purpose limitation), information provided to individuals when collecting the data, records of consent if relevant, and the legal basis upon which it was collected and shared with BytePlus.
2.5 It is solely Customer’s obligation to ensure that the EU Personal Data Processed by BytePlus is proportionate to the Services being provided under the Agreement.
2.6 Customer shall take reasonable steps to ensure that all EU Personal Data Processed by BytePlus is accurate having regard to the purposes for which they are Processed.

3. Byteplus Obligations

3.1 BytePlus shall, in relation to its Processing of EU Personal Data as Processor:
(a) Process the EU Personal Data for the purpose of the provision of Services as documented in the Agreement (which shall constitute the documented instructions of the Customer), unless BytePlus is required to Process such EU Personal Data by EU Data Protection Laws to which BytePlus is subject; in such case, BytePlus shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that its personnel authorised to Process the EU Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk including, as appropriate, (i) the pseudonymisation of EU Personal Data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (iii) restoring the availability and access to EU Personal Data in a timely manner in the event of a physical or technical incident; and (iv) regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;
(d) taking into account the nature of the Processing, assist Customer by providing appropriate technical and organisational measures, insofar as this is possible, to enable Customer to respond to requests from Data Subjects exercising rights laid down in the EU Data Protection Laws in relation to the EU Personal Data; and
(e) taking into account the nature of the Processing and the information available to BytePlus, provide reasonable assistance to Customer in ensuring compliance with the obligations to (i) implement appropriate technical and organisational security measures; (ii) notify (if required) Personal Data Breaches affecting EU Personal Data to Regulators and/or individuals; and (iii) conduct data protection impact assessments and, if required, prior consultation with Regulators.
3.2 Customer acknowledges that BytePlus is regularly audited against industry security standards by independent third party auditors. BytePlus shall supply a summary copy of its audit report(s) to Customer on an annual basis upon request, which reports shall be subject to the confidentiality provisions of the Agreement.
3.3 BytePlus shall inform Customer if, in its opinion, an instruction of Customer infringes the EU Data Protection Laws.
3.4 Customer hereby authorises BytePlus to transfer and Process EU Personal Data in Third Countries in accordance with this Section 3.4. BytePlus shall not transfer any EU Personal Data to any Third Countries unless it has taken such measures as necessary to ensure the transfer is in-compliance with EU Data Protection Laws. For the purposes of transfers of EU Personal Data to BytePlus and/or any sub-processors as applicable:
3.4.1 the Parties agree to be bound by with Standard Contractual Clauses (as approved by the European Commission for the transfer of Personal Data to Processors established in third countries by Decision 2010/87/EU as may be amended, updated or replaced from time to time), (the “Controller-Processor Standard Contractual Clauses”) which are hereby incorporated into this Addendum by reference;
3.4.2 the Parties agree that for the purposes of the Controller-Processor Standard Contractual Clauses incorporated into this Addendum:
(a) the Customer shall be the “data exporter”;
(b) BytePlus (and/or any sub-processors as applicable) shall be the “data importer”;
(c) the data processing descriptions set out in Exhibit B (Processing Details) of this Addendum shall form Appendix 1 of the Controller-Processor Standard Contractual Clauses (or any equivalent appendices contained in any amended, updated or replacement versions of the Controller-Processor Standard Contractual Clauses);
(d) Section 3.1(c) of this Part A (EEA and UK Annex) and Exhibit C (Technical and Organisational Security Measures) of this Addendum shall form Appendix 2 of the Controller-Processor Standard Contractual Clauses (or any equivalent appendices contained in any amended, updated or replacement versions of the Controller-Processor Standard Contractual Clauses); and
(e) Customer authorises BytePlus to enter into the Controller-Processor Standard Contractual Clauses for and on its behalf directly with any sub-processors.

4. Supplementary Measures

Government data access
4.1 If BytePlus becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all EU Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of EU Personal Data to such Authority, BytePlus shall:
(a) immediately notify the Customer of such Authority’s data access request;
(b) inform the Authority that it is Processor of the EU Personal Data and that the Customer have not authorised them to disclose the EU Personal Data to the Authority;
(c) inform the Authority that any and all requests or demands for access to EU Personal Data should be notified to or served upon the Customer (the original Controller) in writing; and
(d) not provide the Authority with access to EU Personal Data unless and until authorised by the Customer.
4.2 In the event BytePlus is under a legal prohibition or a mandatory legal compulsion that prevents them from complying with Clauses 4.1(a) to (d) of this Part A (EEA and UK Annex) in full, Customer shall use reasonable and lawful efforts to challenge such prohibition or compulsion (the Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request).
4.3 If BytePlus makes a disclosure of EU Personal Data to an Authority (whether with Customer’s authorisation or due to a mandatory legal compulsion), BytePlus shall only disclose such EU Personal Data to the extent BytePlus is legally required to do so and in accordance with applicable lawful process.
4.4 Clauses 4.1 and 4.2 of this Part A (EEA and UK Annex) shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to Customer Data, BytePlus has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, BytePlus shall notify the Customer as soon as possible following such Authority’s access and provide the Customer with full details of the same, unless and to the extent BytePlus is legally prohibited from doing so.
4.5 BytePlus shall not knowingly disclose EU Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
4.6 BytePlus shall have in place, maintain and comply with a policy governing personal data access requests from Authorities it shall which at minimum prohibits:
(a) massive, disproportionate or indiscriminate disclosure of EU Personal Data relating to data subjects in Europe; and
(b) disclosure of personal data relating to data subjects in Europe to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such personal data.

PART B - US ANNEX

In addition to the Addendum’s Standard Terms and Conditions, Customer and BytePlus will comply with the following terms to the extent that any of the Customer Data Processed by BytePlus pursuant to the Agreement is within the jurisdictional scope of U.S. Data Protection Laws (“US Personal Data”).

1. Definitions and Interpretation

1.1 All terms defined in the Addendum’s Standard Terms and Conditions shall have the same meaning when used in this Annex, except where otherwise provided below:
“Business” has the meaning given to that term in US Data Protection Laws;
“Business Purpose” has the meaning given to that term in US Data Protection Laws;
“Commercial Purpose” has the meaning given to that term in US Data Protection Laws;
“Consumer” has the meaning given to that term in US Data Protection Laws;
“Personal Information” has the meaning given to that term in US Data Protection Laws;
“Process” has the meaning given to that term in US Data Protection Laws;
“Sell” has the meaning given to that term in US Data Protection Laws;
“Service Provider” has the meaning given to that term in US Data Protection Laws;
“US Data Protection Laws” means Title 1.81.5 - California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100-1798.199 (“CCPA”), as amended, repealed, consolidated or replaced from time to time; and
“US Personal Data” has the meaning set forth in the preamble to this Annex.

2. CCPA

2.1 The Parties agree that when Customer discloses US Personal Data to BytePlus:
(a) BytePlus is a “Service Provider” for the purposes of the CCPA; and
(b) such disclosure is necessary to perform one or more Business Purpose(s).
2.2 BytePlus agrees that it shall:
(a) Process all US Personal Data on behalf of Customer only;
(b) not Sell any US Personal Data; and
(c) not collect, retain, use or disclose US Personal Data except as necessary to perform the Business Purpose(s) unless otherwise permitted under the CCPA, including all implementing regulations.

PART C - Singapore ANNEX

In addition to the Addendum’s Standard Terms and Conditions, Customer and BytePlus will comply with the following terms to the extent that any of the Customer Data collected, processed, used or disclosed by BytePlus pursuant to the Agreement is within the jurisdictional scope of Singapore Personal Data Protection Act (“PDPA”).

1. DEFINITIONS AND INTERPRETATION

1.1 All terms defined in the Addendum’s Standard Terms and Conditions shall have the same meaning when used in this Annex, except where otherwise provided below:
(a) [“Controller” means a natural or legal person which, alone or jointly with others, determines the means and purposes of the means of Processing of Personal Data; and
(b) “Processor” means a natural or legal person, which Processes Personal Data on behalf of a Controller;]

2. ROLES

2.1 The Parties acknowledge and agree that:
(a) BytePlus shall process Personal Data as further described in Exhibit B (Processing Details) in the capacity of a Processor for and on behalf of the Customer for the purposes of providing the Services to Customer, and
(b) Customer remains at all times the Controller primarily responsible for the Personal Data.

3. Purpose

3.1 The Parties acknowledge and agree that BytePlus may process, use and/or disclose the Personal Data of the Data Subjects for the following purposes (“Purposes”):
(a) BytePlus’s provision of Services to Customer under the Agreement or BytePlus’s performance of its obligations under the Agreement;
(b) verifying the identity of the Data Subjects;
(c) responding to, handling, and processing queries, requests, applications, complaints, and feedback from the Data Subjects;
(d) complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to assist in law enforcement and investigations conducted by any governmental and/or regulatory authority; and
(e) any other incidental business purposes related or connected to the above.
3.2 The Parties acknowledge and agree that, in connection with the foregoing Purposes, BytePlus may transfer the Personal Data of the Data Subjects to third parties including BytePlus’s affiliates, third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in Singapore or abroad.

4. CUSTOMER OBLIGATIONS

4.1 Prior to disclosing any Personal Data to BytePlus, Customer shall:
(a) inform the Data Subjects to whom the Personal Data relates about the Purposes for which their Personal Data will be collected, used and disclosed;
(b) obtain written records of consents (including without limitation to the date and time such consent was given as well as any supporting documentation) (“Consents”) from the Data Subjects whose Personal Data are being disclosed that such Data Subjects:
(i) permit Customer to disclose the Data Subject’s Personal Data to BytePlus and its
affiliates (whether in Singapore or overseas) for the Purposes; and
(ii) permit BytePlus and its affiliates (whether in Singapore or overseas) to process, use,
disclose and/or transfer to sub-processors the Data Subject’s Personal Data for the
Purposes,
to the fullest extent that such Consents may be required under any applicable Data Protection
Laws.
4.2 Customer acknowledges and agrees that BytePlus shall be under no obligation to, and shall be entitled to refuse to process, use or disclose any Personal Data:
(a) for which there are no Consents or for which BytePlus reasonably believes there are no Consents;
or
(b) in a way that does not comply with this Addendum or applicable Data Protection Laws,
provided that BytePlus shall promptly notify Customer of such refusal in writing stating its reasons, and such refusal shall not constitute a basis for Customer to allege that BytePlus has repudiated this Addendum
or the Agreement.
4.3 Customer represents and warrants that:
(a) in relation to any Personal Data of Data Subjects that Customer will be or may be disclosing or
discloses to BytePlus,
(i) Customer has obtained the fully informed consent of such Data Subjects in accordance
with Section 4.1 of this Part C (Singapore Annex); and
(ii) Customer is validly acting on behalf of such Data Subjects in connection with this
Addendum;
(b) any Personal Data of Data Subjects that Customer will be or is disclosing to BytePlus are
accurate and complete at the time of such disclosure, and Customer shall give BytePlus notice
in writing as soon as reasonably practicable should it be aware that any such Personal Data has
been updated and/or changed after such disclosure;
(c) it will act at all times in accordance with applicable Data Protection Laws; and
(d) Customer shall not attempt to access, upload, distribute or make available for distribution any
proprietary and/or confidential data unless Customer has sufficient rights and proper
authorisation to do so.

PART D - JAPAN annex

In addition to the Addendum’s Standard Terms and Conditions, Customer and BytePlus will comply with the following terms, to the extent that any of Customer Data Processed by BytePlus pursuant to the Agreement is within the jurisdictional scope of the Personal Information Protection Act of Japan (“PIPA”).

1. DEFINITIONS AND INTERPRETATION

1.1 All terms defined in the Addendum’s Standard Terms and Conditions shall have the same meaning when used in this Annex, except where otherwise provided below:
(A) “Controller” means a natural or legal person which, alone or jointly with others, determines the
means and purposes of the means of Processing of Personal Data; and
(B) “Processor” means a natural or legal person, which Processes Personal Data on behalf of a
Controller.

2. ROLES

2.1 The Parties acknowledge and agree that:
(a) BytePlus shall process Personal Data as further described in Exhibit B (Processing Details) in
the capacity of a Processor for and on behalf of the Customer for the purposes of providing the
Services to Customer, and
(b) Customer remains at all times the Controller primarily responsible for the Personal Data.

3. BYTEPLUS OBLIGATIONS

3.1 BytePlus shall make all information necessary to demonstrate compliance with the obligations laid down in Clause 5 of Standard Terms and Conditions and in PIPA available to Customer, and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
3.2 If BytePlus is to entrust all or part of the handling of Personal Information to a sub-processor, Customer may make a written confirmation request to BytePlus concerning the status of the security control measures of the sub-processor.
3.3 At the Customer’s request, BytePlus shall cause the sub-processor to be subject to an audit of its handling of Personal Information.

4. INTERNATIONAL DATA TRANSFER

4.1 In the event BytePlus is located in countries other than Japan and other designated countries (as of June 2020, the EEA Member States and the United Kingdom), BytePlus shall:
(a) handle the Personal Data solely for the purpose specified by BytePlus, and shall not handle the Personal Data for any other purposes;
(b) maintain organisational, personal, physical, and technological security control measures for the handling of the Personal Information, the standards of which, as maintained by BytePlus, shall not fall below the standards designated by Customer;
(c) conduct necessary and appropriate supervision of employees, such as education or training of
employees handling the Personal Information;
(d) confirm that only Customer has the responsibility to ensure the accuracy of or delete the Personal Data, and the authority to respond to any of: the disclosure, correction of contents, addition or deletion, suspension of use, elimination or suspension of the provision thereof to a third party, when there is a request from the Data Subject of the Personal Data or the agent thereof;
(e) not provide the Personal Data to a third party, except when permitted by the PIPA, or when the
Data Subjects give their prior consent;
(f) not entrust all or any part of the handling of Personal Data to a third party except where the third party is a party to an agreement which provides for BytePlus Obligations contained in Clause 5 of the Standard Terms and Conditions and in Section 3 of this Japan Annex; and
(g) not entrust all or any part of the handling of Personal Data to a third party that is located in
countries other than Japan and the other designated countries (as of June 2020, the EEA Member
States and the United Kingdom) except where BytePlus shall impose the same obligations laid
down in this Section 4.1 on the sub-processor by means of a contract.

PART E - INDONESIA annex

In addition to the Addendum’s Standard Terms and Conditions, the following terms will apply to the extent that BytePlus will be collecting, processing, using and/or disclosing Personal Data within the territory of the Republic of Indonesia in connection with the Agreement.

1. DEFINITIONS AND INTERPRETATION

1.1 All terms defined in the Addendum’s Standard Terms and Conditions shall have the same meaning when used in this Annex, except where otherwise provided below:
(a) “Controller” means a natural or legal person which, alone or jointly with others, determines the means and purposes of processing of Personal Data.
(b) “Data Protection Laws” means all Applicable Laws relating to the protection of Personal Data,
including any such laws of the Republic of Indonesia (as may be amended from time to time).
(c) “Data Subject” means a “data owner”, being the identified or identifiable natural person to whom the Personal Data relates, as set out under applicable Data Protection Laws.
(d) “Personal Data” means any data about an individual who is identified and/or can be identified from that data independently or in combination with other information, directly or indirectly, through an electronic and/or non-electronic system.
(e) “process” means such activities relating to Personal Data as described under Data Protection Laws, including (i) acquisition and collection; (ii) processing and analysis; (iii) storage; (iv) correction and renewal; (v) display, announcement, transfer, dissemination or disclosure; and/or (vi) erasure or destruction, of Personal Data.
(f) “Processor” means a natural or legal person, which Processes Personal Data on behalf of a Data Controller.
AMENDMENTS AND ADDITIONS TO THE Addendum’S STANDARD TERMS AND CONDITIONS:

2. ROLES

2.1 The Parties acknowledge and agree that:
(a) BytePlus shall process Personal Data as further described in Exhibit B (Processing Details) in
the capacity of a Processor for and on behalf of the Customer for the purposes of providing the
Services to Customer, and
(b) Customer remains at all times the Controller primarily responsible for the Personal Data.

3. PURPOSE

3.1 The Parties acknowledge and agree that BytePlus may process, use and/or disclose the Personal Data of the Data Subjects for the following purposes (“Purposes”):
(a) BytePlus’s provision of Services to Customer under the Agreement or BytePlus’s performance
of its obligations under the Agreement;
(b) verifying the identity of the Data Subjects;
(c) responding to, handling, and processing queries, requests, applications, complaints, and
feedback from the Data Subjects;
(d) complying with any applicable laws, regulations, codes of practice, guidelines, or rules, or to
assist in law enforcement and investigations conducted by any governmental and/or regulatory
authority; and
(e) any other incidental business purposes related or connected to the above.
3.2 The Parties acknowledge and agree that, in connection with the foregoing Purposes, BytePlus may transfer the Personal Data of the Data Subjects to third parties including BytePlus’s affiliates, third party service providers and agents, and relevant governmental and/or regulatory authorities, whether in the Republic of Indonesia or abroad.

4. CUSTOMER OBLIGATIONS

4.1 Prior to disclosing any Personal Data to BytePlus, Customer shall:
(a) inform the Data Subjects to whom the Personal Data relates about the Purposes for which their Personal Data will be collected, used, processed, and disclosed;
(b) obtain written records of expressed consents (including without limitation to the date and time
such consent was given as well as any supporting documentation) (“Consents”) from the Data
Subjects whose Personal Data are being disclosed that such Data Subjects:
(i) permit Customer to disclose the Data Subject’s Personal Data to BytePlus and its
affiliates (whether in the Republic of Indonesia or overseas) for the Purposes; and
(ii) permit BytePlus and its affiliates (whether in the Republic of Indonesia or overseas) to
process, use, disclose and/or transfer to sub-processors the Data Subject’s Personal
Data for the Purposes,
to the fullest extent that such Consents may be required under any applicable Data Protection
Laws.
4.2 Customer acknowledges and agrees that BytePlus shall be under no obligation to, and shall be entitled to refuse to process, use or disclose any Personal Data:
(a) for which there are no Consents or for which BytePlus reasonably believes there are no Consents;
or
(b) in a way that does not comply with this Addendum or applicable Data Protection Laws,
provided that BytePlus shall promptly notify Customer of such refusal in writing stating its reasons, and such refusal shall not constitute a basis for Customer to allege that BytePlus has repudiated this Addendum or the Agreements.
4.3 Customer represents and warrants that:
(a) in relation to any Personal Data of Data Subjects that Customer will be or may be disclosing or
discloses to BytePlus,
(i) Customer has obtained the fully informed consent of such Data Subjects in accordance
with Section 4.1 of this Part E (Indonesia Annex); and
(ii) any Personal Data of Data Subjects that Customer will be or is disclosing to BytePlus
are accurate and complete at the time of such disclosure, and Customer shall give
BytePlus notice in writing as soon as reasonably practicable should it be aware that any
such Personal Data has been updated and/or changed after such disclosure;
(b) it will act at all times in accordance with applicable Data Protection Laws; and
(c) Customer shall not attempt to access, upload, distribute or make available for distribution any
proprietary and/or confidential data unless Customer has sufficient rights and proper
authorisation to do so.
(d) Customer shall comply at all times to any provisions in the Data Protection Laws including
requirements in relation to obtaining consent from the Data Subjects for processing the personal
data, storing of personal data and transfer of personal data to BytePlus.

5. BYTEPLUS OBLIGATIONS

5.1 Upon becoming aware of a personal data breach relating to Customer’s Personal Data (the “Personal Data Breach”), unless specifically prohibited under Applicable Laws or any regulatory authority, BytePlus will without undue delay (or at the latest within 14 (fourteen) days) notify Customer in writing of the Personal Data Breach.

6. TERMINATION

6.1 This Addendum will remain in force for the duration of the Agreement or so long as BytePlus is processing Personal Data for Customer, whichever is later.
6.2 Upon termination of the Addendum or after the end of provision of any Services under the Agreement, BytePlus shall return all relevant personal data in BytePlus’s possession to data provider or delete and stop processing all of the relevant personal data in BytePlus’s possession, at the Customer’s request following expiry of the retention period under applicable laws and regulations.

EXHIBIT B - PROCESSING DETAILS

1. PROCESSING OPERATIONS

The Personal Data Processed by BytePlus will be subject to the following basic Processing activities:
BytePlus will process Personal Data for the purposes of providing the Services to Customer in accordance with the Customer Agreement and the Order Form, as initiated by Customer from time to time.

2. DATA SUBJECTS

The Personal Data Processed by BytePlus concern the following categories of Data Subjects:
 The data subjects may include Customer’s customers, employees, suppliers and/or end users.

3. CATEGORIES OF DATA

The Personal Data Processed by BytePlus includes the following categories of data:
Personal data uploaded to the Services under Customer’s Accounts, such as:
3.1 DataRangers:
 Device and network information and behavioural information related to their use of
Customer’s applications used to provide data analytics services.
3.2 ByteAir
 Customer end-user data such as gender, age, address, cookie information, device
information.
 User behaviour data such as address, user ID, cookie information, device information,
websites visited, content clicks, product purchase information, preferences.
3.3 ByteTranslate
 Any personal data contained in documents or content that Customer translate through
the ByteTranslate API.
3.4 VideoCloud
 Any personal data contained in videos created using the VideoCloud SDK.
 Devices (including device IDs, user IDs, IP addresses, operating systems etc.) used for
service quality monitoring.

EXHIBIT C - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

BytePlus has implemented and will maintain the following technical and organisational measures:
a) access controls and policies to manage what access is allowed to our network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls;
b) physical security of our facilities;
c) measures to control access rights for BytePlus employees and contractors; and
d) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures implemented.

EXHIBIT D - BYTEPLUS SUB-PROCESSORS

Sub-processor name

BytePlus Product(s) that Sub-processor supports

Description of services provided

Location of processing

Alibaba Cloud (Singapore) Private Limited

DataRangers
Recommend

Data Storage, Caching Services

Singapore


Did this page help you?