Last updated: April 26, 2026
1. Introduction
This Data Processing Agreement ("DPA") supplements the master services agreement between Dewata Tech ("Processor") and the Client ("Controller"). It applies whenever Dewata Tech processes Personal Data on behalf of the Client in connection with website development, hosting, analytics, lead capture, property booking systems, and related services.
This DPA is structured to satisfy obligations under Indonesian Law No. 27 of 2022 on Personal Data Protection ("UU PDP"). For international clients, the DPA also references the principles of the European Union's General Data Protection Regulation (GDPR), particularly Article 28 governing the Controller and Processor relationship. Where this DPA conflicts with the master services agreement, this DPA prevails specifically for matters of data protection.
2. Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
- Controller: The Client, who determines the purposes and means of processing Personal Data, as defined in Article 1 paragraph 4 of UU PDP.
- Processor: Dewata Tech, who processes Personal Data on behalf of and on the documented instructions of the Controller, as defined in Article 1 paragraph 5 of UU PDP.
- Personal Data: Any data relating to an identified or identifiable natural person, whether directly or indirectly, of either a general or specific nature, in line with Article 1 paragraph 1 of UU PDP.
- Data Subject: The natural person to whom the Personal Data relates, including website visitors, leads, villa booking guests, property clients, and the Controller's employees.
- Sub-Processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller, including hosting providers, analytics platforms, and advertising platforms.
- Data Breach: A security incident leading to unauthorized access, loss, alteration, or disclosure of Personal Data being processed.
3. Scope and Subject Matter
This DPA governs the processing of Personal Data carried out by Dewata Tech while delivering services to the Client. The scope of processing covers:
- Website and application hosting: Storage of content, media files, and databases containing the Personal Data of the Client's visitors or customers.
- Analytics and tracking: Collection of visitor behaviour data via Google Analytics 4, Microsoft Clarity, and Meta Pixel on the Client's instructions.
- Lead capture and contact forms: Processing names, emails, phone numbers, company details, and inquiry messages submitted through the Client's forms.
- Booking and property management systems: For villa, hotel, and real estate clients, processing of guest booking data, prospective buyers, and property inquiries.
- Transactional email and notifications: Sending booking confirmations, inquiry replies, and system notifications on behalf of the Client.
The duration of processing matches the term of the services agreement, plus any retention period agreed for backup and legal compliance purposes.
4. Roles and Responsibilities
The Client acts as the Controller, determining the purposes, lawful bases, and means of processing Personal Data. The Client is responsible for the validity of Data Subject consent, transparency toward Data Subjects, and compliance with UU PDP and any other regulations applicable to the Client's business.
Dewata Tech acts as the Processor, processing Personal Data solely on the Client's documented written instructions. Dewata Tech will not use the Client's Personal Data for Dewata Tech's internal purposes, will not sell or share data with third parties beyond the approved Sub-Processors, and will not perform any additional processing without the Client's prior written consent.
5. Processor Obligations
As Processor, Dewata Tech commits to the following obligations:
- Process Personal Data only on the Controller's documented written instructions, including for transfers of Personal Data to other countries, unless required to act otherwise by Indonesian law.
- Ensure confidentiality by requiring all staff, contractors, and personnel with access to Personal Data to sign a non-disclosure agreement.
- Implement appropriate technical and organizational security measures as set out in Section 8 of this DPA.
- Notify the Controller of any data breach within seventy-two (72) hours of becoming aware of it, in line with Article 46 paragraph 3 of UU PDP, providing details on the nature of the breach, the categories and approximate number of Data Subjects affected, and mitigation steps taken.
- Assist the Controller in fulfilling its obligations to Data Subjects and supervisory authorities, including support for any required Data Protection Impact Assessment (DPIA).
- Delete or return all Personal Data at the end of the service term, at the Controller's choice, unless retention is required by applicable law.
6. Sub-Processors
The Controller grants general authorization for Dewata Tech to use the following Sub-Processors when processing Personal Data:
- Vercel Inc. (United States and Singapore APAC): Edge hosting and deployment for Next.js applications.
- Hostinger International Ltd. (Indonesia, Singapore): Shared and VPS hosting for Client websites, with primary servers in Jakarta.
- Cloudflare, Inc. (global): Content Delivery Network, DNS, DDoS protection, and Web Application Firewall.
- Sanity.io (United States, EU): Headless CMS for Client website and blog content.
- Google LLC (global): Google Analytics 4, Google Tag Manager, and Google Workspace where used by the Client.
- Microsoft Corporation (global): Microsoft Clarity for session replay and heatmaps.
- Meta Platforms, Inc. (global): Meta Pixel, Conversions API, and the WhatsApp Business Platform.
- Supabase, Inc. (Singapore, United States): Database, authentication, and storage for custom applications.
Dewata Tech will notify the Controller in writing at least thirty (30) days before adding or replacing a Sub-Processor. The Controller may object in writing on reasonable data protection grounds. If the objection cannot be resolved, the Controller may terminate the affected service without penalty. Each Sub-Processor is bound by data protection obligations equivalent to this DPA through a written contract.
7. Data Subject Rights
Dewata Tech will assist the Controller in fulfilling Data Subject rights as set out in Articles 5 to 15 of UU PDP, including:
- Right to information: the identity, lawful basis, purpose of the request and use of Personal Data, and the accountability of the requesting party.
- Right of access: receiving a copy of the Personal Data being processed in a readable format.
- Right to rectification: requesting correction or updating of inaccurate or incomplete Personal Data.
- Right to erasure: requesting the deletion of Personal Data in accordance with UU PDP provisions.
- Right to restriction of processing and the right to object to processing, including automated profiling.
- Right to data portability: receiving Personal Data in a structured, commonly used, and machine-readable format.
If a Data Subject contacts Dewata Tech directly with a request relating to their rights, Dewata Tech will forward the request to the Controller within five (5) business days, unless the Controller's written instructions specify otherwise. Dewata Tech provides the tools, access logs, and data extracts the Controller needs to respond within the thirty (30) day window required by UU PDP.
8. Security Measures
Dewata Tech applies technical and organizational security measures appropriate to the level of risk, following industry best practices:
- Encryption of data in transit using TLS 1.3 across all HTTP, API, and webhook traffic.
- Encryption of data at rest in production databases and backups, using AES-256 or equivalent.
- Multi-Factor Authentication (MFA) is mandatory for all administrative access to hosting panels, the CMS, databases, and code repositories.
- Role-Based Access Control with the principle of least privilege, plus audit logs for every access to Personal Data.
- Encrypted daily backups with a minimum thirty (30) day retention, stored in a geography separate from production.
- HTTP security headers including Content Security Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options.
- Routine security patching of the operating system, npm dependencies, the Node.js runtime, and the Next.js framework.
- Continuous security monitoring through Cloudflare WAF, Vercel alerting, and a monthly review of access logs.
9. Data Transfer and Storage
The primary storage locations for Personal Data are:
- Primary storage: Hostinger data center in Jakarta, Indonesia, for Indonesian Client website hosting and the main database.
- Edge and APAC: Vercel edge network in the Singapore region (sin1) to accelerate content delivery to APAC visitors.
- Geographical backup: Backup region in the United States for disaster recovery redundancy.
- Logging and analytics: Google Analytics and Microsoft Clarity store data on each provider's global infrastructure.
For cross-border transfers of Personal Data, Dewata Tech complies with Article 56 of UU PDP, which requires either an equivalent level of data protection in the receiving country, an international agreement, or the consent of the Data Subject. For clients subject to GDPR, Dewata Tech relies on the European Commission's Standard Contractual Clauses (SCCs) as the lawful basis for transferring data to countries outside the European Economic Area.
10. Term and Termination
This DPA takes effect on the signing of the master services agreement and remains in force for as long as Dewata Tech processes Personal Data on the Client's behalf. The DPA terminates automatically when the master services agreement ends, except for provisions that by their nature survive termination, such as confidentiality and audit rights.
On termination, Dewata Tech will provide a complete export of Client Personal Data in JSON, CSV, or SQL dump format on request, within fourteen (14) business days. Once the export is received and confirmed by the Client, Dewata Tech will delete all Personal Data from production systems and backups within thirty (30) days, unless retention is required by Indonesian law. A certificate of deletion will be supplied to the Client on request.
11. Liability and Audit Rights
The Client, as Controller, has the right to audit Dewata Tech's compliance with this DPA, subject to the following conditions:
- Written notice at least fourteen (14) business days before the audit takes place.
- Audits are carried out on business days, outside critical operational windows, and must not disrupt service to other Clients.
- Third-party auditors must be bound by confidentiality and must not be a direct competitor of Dewata Tech.
- Audit frequency is limited to a maximum of one audit per year, except following a data breach incident.
- The audit scope is limited to compliance with this DPA and UU PDP / GDPR, and may not go beyond what is needed for that purpose.
As an alternative to an on-site audit, Dewata Tech may provide third-party audit reports or completed compliance questionnaires. Each party's liability for breaches of this DPA follows the liability provisions of the master services agreement, while remaining within the limits and exceptions provided by UU PDP and the applicable provisions of GDPR.
12. Data Protection Officer (DPO) Contact
For questions, requests, or notifications relating to this DPA and the processing of Personal Data, contact the Dewata Tech Data Protection Officer:
- Company name: Dewata Tech
- DPO email: contact@dewatatech.com
- Phone and WhatsApp: +62 851-7975-5016
- Office address: Jl. Sakura Gg. I No.3, Dangin Puri Kangin, Denpasar Utara, Bali 80233, Indonesia
- Response hours: Monday to Friday, 09:00 to 18:00 WITA (Central Indonesia Time)
For data breach incidents or urgent requests relating to Data Subject rights, use the WhatsApp channel with a subject prefixed "URGENT DPO" to receive priority response outside business hours.