Data Processing Agreement

Effective Date: September 29, 2024
Last Updated: September 29, 2024
Version: 1.0

1. Definitions

  • "Controller" means the Customer who determines the purposes and means of processing personal data
  • "Processor" means Zapdor (the Company) who processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "PDPL" means the Personal Data Protection Law (Indonesia) 2022

2. Scope and Purpose

This DPA governs the processing of personal data by Zapdor in connection with the security scanning services provided to the Customer.

2.1 Data Controller and Processor Roles

  • Customer (Controller): Determines the purposes and means of processing
  • Zapdor (Processor): Processes personal data only as instructed by the Controller
  • Joint Controllers: Where applicable, both parties may act as joint controllers

3. Types of Personal Data Processed

3.1 Customer Data

  • Customer account information (name, email, company details)
  • Billing and payment information
  • Contact information for support and communication

3.2 Scan Data

  • Target URLs, IP addresses, and domain names
  • Scan results and vulnerability findings
  • Technical metadata and timestamps
  • User-generated content and notes

3.3 System Data

  • Log files and audit trails
  • Performance metrics and usage statistics
  • Security event logs and access records

4. Lawful Basis for Processing

4.1 Contractual Necessity and Legitimate Interest

  • Processing necessary for the performance of the service contract (GDPR Art. 6(1)(b))
  • Processing necessary for the legitimate interest of providing security scanning services (GDPR Art. 6(1)(f)), where that interest is not overridden by the interests or fundamental rights of the data subject

4.2 Legal Obligations

  • Compliance with applicable data protection laws
  • Response to legal requests and court orders

5. Data Subject Rights

5.1 Right to Access

  • Data subjects may request access to their personal data
  • Response provided within 30 days of request

5.2 Right to Rectification

  • Data subjects may request correction of inaccurate data
  • Updates processed within 30 days of request

5.3 Right to Erasure

  • Data subjects may request deletion of their personal data
  • Deletion processed within 30 days of request, subject to legal obligations

5.4 Right to Portability

  • Data subjects may request their data in a structured format
  • Data provided in commonly used, machine-readable format

6. Data Security Measures

6.1 Technical Safeguards

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security reviews and monitoring
  • Secure backup and disaster recovery procedures

6.2 Organizational Safeguards

  • Staff training on data protection
  • Confidentiality agreements for all personnel
  • Regular security awareness programs
  • Incident response procedures

7. Data Retention

7.1 Retention Periods

  • Customer Data: Retained for the duration of the service contract plus 7 years
  • Scan Data: Retained for 2 years after scan completion
  • Log Data: Retained for 1 year for security and compliance purposes
  • Billing Data: Retained for 7 years for tax and legal compliance

8. International Data Transfers

8.1 Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: For transfers to third countries
  • Binding Corporate Rules: For intra-group transfers
  • Certification Schemes: Where applicable and recognized

9. Data Breach Notification

9.1 Notification Requirements

  • Controller Notification: Without undue delay after the Processor becomes aware of a personal data breach (GDPR Art. 33(2))
  • Supervisory Authority: As required by applicable law
  • Data Subjects: Without undue delay for high-risk breaches

10. Audit and Compliance

10.1 Audit Rights

  • Controller may audit Processor's compliance
  • 30 days advance notice required
  • Audit costs borne by Controller unless non-compliance found

10.2 Security Measures

  • Industry-standard security practices
  • Regular security reviews and updates
  • Data encryption in transit and at rest
  • Access controls and authentication

11. Termination and Data Return

11.1 Contract Termination

  • All personal data returned or deleted upon termination, except data the Processor must retain under the retention periods in Section 7 to meet legal obligations
  • Return in structured, commonly used format
  • Deletion verified and documented

12. Contact Information

Data Protection Contact:

  • Email: robby.ardison@hotmail.com
  • Address: Jakarta, Indonesia

Supervisory Authority:

  • Indonesia: Komisi Informasi (KIP)
  • EU: Relevant national supervisory authority
  • Other jurisdictions: As applicable

This DPA forms an integral part of the service agreement and shall remain in effect for the duration of the service relationship.