Data Processing Addendum
Last updated: February 14, 2025
Effective date: August 23, 2024
Note: The Terms, Policy, or Agreement are available in Indonesian and English. In case of any discrepancies between the translations, the Indonesian version shall prevail.
This Data Processing Addendum ("DPA") is an integral part of the Organizational Use Agreement and the Personal Use Agreement (collectively referred to as the "Agreement") between the Customer and/or the User and PT Dilan Teknologi Indonesia ("DiLan").
A. Background and General Provisions
- Background. This Data Processing Addendum ("DPA") governs the processing of Personal Data by PT Dilan Teknologi Indonesia ("DiLan") in accordance with the Agreement between DiLan and the Customer ("Customer") and/or the User ("User"), in compliance with the applicable laws and regulations in Indonesia, including but not limited to Law No. 27 of 2022 concerning Personal Data Protection (PDP Law), and related regulations.
- Duration and Continuity. This DPA shall be in effect as of the effective date of the Agreement and shall remain in effect until the termination of the Agreement or the return or deletion of Personal Data pursuant to the terms of this DPA.
B. Definitions
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable individual.
- "Security Incident" means an event that breaches information security leading to unauthorized access, disclosure, alteration, or destruction of data.
C. Obligations and Responsibilities
- Controller Instructions. DiLan shall only process Personal Data based on the written instructions from the Controller unless required otherwise by applicable law.
- Confidentiality. All personnel authorized by DiLan to process Personal Data shall be bound by confidentiality obligations.
- Security Measures. DiLan shall implement appropriate technical and organizational measures, including encryption and other mechanisms, to protect Personal Data against Security Incidents in accordance with the PDP Law and related regulations.
- Subprocessors. The Controller consents that DiLan may engage subprocessors to process Personal Data. DiLan shall ensure that subprocessors are subject to data protection obligations equivalent to those set forth in this DPA.
D. Rights and Responsibilities of the Controller
- Access Rights. The Controller has the right to access and audit DiLan's compliance with the provisions of this DPA.
- Data Subject Requests. If DiLan receives a request from a data subject, DiLan shall promptly notify the Controller and shall not respond to the request unless authorized by the Controller.
E. Data Transfers
Personal Data may only be transferred to countries with an equivalent level of Personal Data protection to Indonesia, or based on the written consent of the data subject, unless required otherwise by applicable law.
F. Security Incidents
- Notification. DiLan shall notify the Controller without undue delay after becoming aware of a Security Incident.
- Follow-up Actions. DiLan shall cooperate with the Controller to investigate, address, and mitigate the impact of the Security Incident and implement necessary corrective measures.
G. Data Deletion
Upon the termination or expiration of the Agreement, DiLan shall delete or return all Personal Data in accordance with the Controller's instructions and the provisions of the PDP Law.
H. Other Provisions
- Governing Law. This DPA is governed by and shall be construed in accordance with the laws of the Republic of Indonesia.
- Amendments. DiLan reserves the right to amend this DPA at any time. Any material changes to this DPA shall be communicated to the Controller no later than 30 (thirty) days before such changes take effect. The Controller has the right to terminate the Agreement if it disagrees with the changes, by providing written notice to DiLan within 30 (thirty) days of receiving notification of the changes.
- Dispute Resolution. Any disputes arising from or in connection with this DPA shall be resolved by mutual agreement. If mutual agreement cannot be reached, the disputes shall be resolved through arbitration in accordance with the applicable regulations in Indonesia.
Appendix I
Description of Data Processing
- Purpose of Processing. The processing is undertaken to provide the Services described in the Agreement.
- Categories of Data Subjects. The Personal Data processed may relate to employees, customers, suppliers, consultants, and contractors.
- Categories of Personal Data. The Personal Data processed may include names, addresses, phone numbers, email addresses, identification data, financial data, and other relevant data as per the Services provided.
- Retention Period. Personal Data shall be retained as long as necessary to fulfill the purposes of processing and shall be deleted in accordance with the data retention policy or as instructed by the Controller upon termination of the Agreement.
- Types of Personal Data Processed by DiLan:
  - a. Basic personal information (such as name, address, phone number, email address)
  - b. Financial data (such as payment information, bank account details)
  - c. Other data as permitted by the Controller and as required for the Services provided.
- Purpose of Data Processing:
  - a. To provide Services to Customers and Users as per the Agreement.
  - b. To comply with legal and regulatory obligations.
  - c. For the purposes of service analysis and development.
Appendix II
Technical and Organizational Security Measures
- DiLan implements the following security measures:
  - a. Data Encryption. Data is encrypted in transit and at rest using appropriate encryption technologies (e.g., TLS for data transmission and AES-256 for data storage).
  - b. Access Control. Access to Personal Data is restricted to authorized personnel and requires multi-factor authentication.
- Data Backup. Personal Data is regularly backed up to ensure data recovery in case of incidents.
- Pseudonymization and Anonymization. Implementation of pseudonymization and anonymization techniques to protect the identity of Personal Data, if necessary.
- Security Incident Log. Notification of incidents and mitigation actions are systematically reported and recorded.
- Data Retention Policy. Implementation of strict data retention policies to ensure that Personal Data is only retained as long as necessary for the purposes of processing.
- Process for Handling Security Incidents:
  - a. Risk Assessment. Rapid assessment to determine the impact of the incident.
  - b. Communication and Notification. Notify the Controller and relevant parties in accordance with applicable regulations.
  - c. Recovery Actions. Taking necessary recovery actions to remedy and prevent similar future incidents.
- Documentation. Keeping records of all processing activities for internal and external audits.
- Data Deletion. Customers may request data deletion by completing the form provided through DiLan's customer support services. The support team will validate the request, gather necessary information, and ensure that data is deleted in accordance with the implemented secure deletion procedures.
Contact for Questions
If you have questions or concerns about our Terms, Policies, or Agreements, please contact us through the Terms & Privacy Form.