Data Processing Agreement

This Data Processing Agreement ("DPA") applies where PT. TRUSTGUARD PRO TRADE ("Company", "we", "us", "our") processes personal data on behalf of a B2B client in connection with software development, implementation, integration, support, maintenance or related technology services.

This DPA forms part of the applicable proposal, Statement of Work, service agreement, order form or other written agreement between the Company and the client.

1. Parties and Roles

For the purposes of this DPA:

• the client acts as the Controller of personal data, unless otherwise agreed in writing;
• the Company acts as the Processor of personal data processed on behalf of the client;
• the client determines the purposes and means of processing;
• the Company processes personal data only to provide the agreed services and in accordance with the client's documented instructions.

2. Scope of Processing

The Company may process personal data only as necessary to provide the agreed services, including software development, testing, deployment, integration, technical support, maintenance, troubleshooting and project management.

The processing may include access to personal data contained in:

• client systems or applications;
• test or staging environments;
• technical logs;
• support tickets;
• project documentation;
• databases or files provided by the client;
• access credentials or system access details provided strictly for project delivery, subject to access controls and secure handling procedures.

3. Categories of Personal Data

Depending on the project, personal data may include:

• names and contact details;
• business contact information;
• user account data;
• technical identifiers;
• log data;
• communication data;
• data uploaded to systems developed or maintained by the Company;
• any other data provided by the client for the agreed project.

The Company does not intentionally process sensitive personal data unless the client expressly provides it for a specific project and appropriate safeguards are agreed.

4. Categories of Data Subjects

Personal data may relate to:

• the client's employees, contractors or representatives;
• the client's customers, users or business contacts;
• website or application users;
• other individuals whose data is provided by or on behalf of the client.

5. Processing Instructions

The Company shall process personal data only:

• in accordance with the applicable agreement and this DPA;
• on the client's documented instructions;
• for the purpose of providing the agreed services;
• as required by applicable law.

If the Company believes that an instruction violates applicable data protection law, it will notify the client unless prohibited by law.

6. Confidentiality

The Company shall ensure that personnel who may access personal data are subject to appropriate confidentiality obligations.

Access to personal data shall be limited to personnel who need such access for the purpose of providing the agreed services.

7. Security Measures

The Company shall apply reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration or disclosure.

These measures may include, where appropriate:

• access control and limited access on a need-to-know basis;
• secure credential handling;
• confidentiality obligations;
• controlled development environments;
• separation of development, testing and production environments where applicable;
• backups and recovery procedures where agreed;
• secure communication channels;
• incident escalation procedures;
• reasonable measures to prevent unauthorized system access.

Project-specific security requirements may be agreed separately in the applicable agreement, Statement of Work or security addendum.

Further information about our security approach, compliance practices and operational controls is available in our Trust Statement.

8. Sub-processors

The Company may use trusted third-party service providers where necessary to provide the services, including hosting providers, development tools, communication platforms, project management systems, backup providers and professional advisers.

The Company shall ensure that sub-processors are subject to appropriate confidentiality and data protection obligations.

Where required by applicable law or by the applicable agreement, the Company will provide information about relevant sub-processors and allow the client to raise reasonable objections on data protection grounds.

9. International Transfers

The Company may process or transfer personal data outside the country where the client or data subjects are located.

Where required by applicable data protection law, the Company shall use appropriate safeguards for international transfers, such as contractual data protection obligations, standard contractual clauses or other lawful transfer mechanisms.

10. Personal Data Breach

The Company shall notify the client without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the client.

The notification shall include, where reasonably available:

• a description of the incident;
• the categories of affected data;
• the likely consequences;
• measures taken or proposed to address the incident;
• contact details for further coordination.

The client remains responsible for determining whether notification to regulators or affected individuals is required, unless otherwise agreed in writing.

11. Assistance to the Client

Taking into account the nature of the processing and the information available to the Company, the Company shall reasonably assist the client with:

• data subject access, deletion, correction or objection requests;
• security-related inquiries;
• data protection impact assessments, where applicable;
• regulatory requests, where legally required and reasonably related to the services.

The Company may charge reasonable fees for assistance that is outside the ordinary scope of the agreed services, unless prohibited by applicable law or agreed otherwise.

12. Deletion or Return of Data

Upon termination or completion of the applicable services, the Company shall delete or return personal data processed on behalf of the client, unless retention is required by law or necessary for legitimate record-keeping, dispute resolution, security, backup or compliance purposes.

Deletion from backups may occur in accordance with the Company's normal backup retention and deletion cycles.

13. Audit and Compliance Information

Upon reasonable request, the Company may provide information necessary to demonstrate compliance with this DPA.

Any audit or inspection shall be subject to reasonable notice, confidentiality, security requirements, operational limitations and mutual agreement on scope and timing.

The Company may refuse or limit any request that would compromise the security, confidentiality or rights of other clients, systems, personnel or third parties.

14. Client Responsibilities

The client is responsible for:

• having a lawful basis for collecting and providing personal data to the Company;
• giving all required notices to data subjects;
• obtaining all required consents, where applicable;
• ensuring that its processing instructions are lawful;
• determining the purposes and means of processing;
• responding to data subject and regulator requests, unless otherwise agreed.

15. Order of Precedence

If there is a conflict between this DPA and the applicable service agreement, the data protection provisions that provide greater protection for personal data shall prevail, unless the parties expressly agree otherwise in writing.

16. Changes to This DPA

The Company may update this DPA from time to time to reflect changes in law, services, technology or business operations.

The updated version will be published on the Company's website or otherwise made available to clients.

17. Contact

For questions regarding this DPA, please contact:

Our general privacy practices are described in our Privacy Policy.