Data Processing Agreement
This Data Processing Agreement (“DPA”) applies where PT NEXT TECH SOFTWARE (“Company”, “Processor”, “we”, “us”, “our”) processes personal data on behalf of a B2B client (“Client”, “Controller”, “you”) in connection with software development, implementation, integration, support, maintenance or related technology services
This DPA forms part of the applicable proposal, Statement of Work, service agreement, order form or other written agreement between the Company and the Client
1. Company Information
This website and the related technology services are operated by:
NPWP: 4026060331100781
Registered Address: Wisma KEIAI, 14th Floor Unit 1410, Jl. Jend. Sudirman, Karet, Tanah Abang, Jakarta Pusat 10220, Indonesia
Website: https://gonextex.com
Privacy Contact: privacy@gonextex.com
2. Parties and Roles
For the purposes of this DPA:
- The Client acts as the Controller of personal data, unless otherwise agreed in writing
- The Company acts as the Processor of personal data processed on behalf of the Client
- The Client determines the purposes and means of processing
- The Company processes personal data only to provide the agreed services and in accordance with the Client’s documented instructions
3. Scope of Processing
The Company may process personal data only as necessary to provide the agreed services, including software development, testing, deployment, integration, technical support, maintenance, troubleshooting and project management
The processing may include access to personal data contained in client systems or applications, test or staging environments, technical logs, support tickets, project documentation, databases, files, access credentials or system access details provided by the Client strictly for project delivery, subject to access controls and secure handling procedures
4. Categories of Personal Data
Depending on the project, personal data may include:
- Names and contact details
- Business contact information
- User account data
- Technical identifiers
- Log data
- Communication data
- Data uploaded to systems developed, tested, maintained or supported by the Company
- Any other data provided by the Client for the agreed project
The Company does not intentionally process sensitive personal data unless the Client expressly provides it for a specific project and appropriate safeguards are agreed
5. Categories of Data Subjects
Personal data may relate to:
- The Client’s employees, contractors or representatives
- The Client’s customers, users or business contacts
- Website or application users
- Other individuals whose data is provided by or on behalf of the Client
6. Processing Instructions
The Company shall process personal data only in accordance with the applicable agreement, this DPA, the Client’s documented instructions, the agreed project scope and applicable law
If the Company believes that an instruction violates applicable data protection law, it will notify the Client unless prohibited by law
The Company shall not use personal data processed on behalf of the Client for unrelated commercial purposes
7. Confidentiality
The Company shall ensure that personnel who may access personal data are subject to appropriate confidentiality obligations
Access to personal data shall be limited to personnel who need such access for the purpose of providing the agreed services
Confidentiality obligations continue after the relevant project or engagement ends, to the extent required by applicable law or the applicable agreement
8. Security Measures
The Company shall apply reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure
These measures may include access control, limited access on a need-to-know basis, secure credential handling, confidentiality obligations, controlled development environments, separation of development, testing and production environments where applicable, backups and recovery procedures where agreed, secure communication channels, incident escalation procedures and reasonable measures to prevent unauthorised system access
Additional information about the Company’s general security, confidentiality, access control, credential handling and incident response practices is available in the Trust Statement
Project-specific security requirements may be agreed separately in the applicable agreement, Statement of Work or security addendum
9. Sub-processors
The Company may use trusted third-party service providers where necessary to provide the services, including hosting providers, development tools, communication platforms, project management systems, backup providers, security tools and professional advisers
The Company shall ensure that sub-processors are subject to appropriate confidentiality and data protection obligations
Where required by applicable law or by the applicable agreement, the Company will provide information about relevant sub-processors and allow the Client to raise reasonable objections on data protection grounds
10. International Transfers
The Company may process or transfer personal data outside the country where the Client or data subjects are located
Where required by applicable data protection law, the Company shall use appropriate safeguards for international transfers, such as contractual data protection obligations, standard contractual clauses or other lawful transfer mechanisms
11. Personal Data Breach
The Company shall notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Client
The notification shall include, where reasonably available, a description of the incident, the categories of affected data, the likely consequences, measures taken or proposed to address the incident and contact details for further coordination
The Client remains responsible for determining whether notification to regulators or affected individuals is required, unless otherwise agreed in writing or required by applicable law
12. Assistance to the Client
Taking into account the nature of the processing and the information available to the Company, the Company shall reasonably assist the Client with data subject requests, security-related inquiries, data protection impact assessments where applicable and regulatory requests where legally required and reasonably related to the services
The Company may charge reasonable fees for assistance that is outside the ordinary scope of the agreed services, unless prohibited by applicable law or agreed otherwise
13. Deletion or Return of Data
Upon termination or completion of the applicable services, the Company shall delete or return personal data processed on behalf of the Client, unless retention is required by law or necessary for legitimate record-keeping, dispute resolution, security, backup or compliance purposes
Deletion from backups may occur in accordance with the Company’s normal backup retention and deletion cycles
14. Audit and Compliance Information
Upon reasonable request, the Company may provide information necessary to demonstrate compliance with this DPA
Any audit or inspection shall be subject to reasonable notice, confidentiality, security requirements, operational limitations and mutual agreement on scope and timing
The Company may refuse or limit any request that would compromise the security, confidentiality or rights of other clients, systems, personnel or third parties
15. Client Responsibilities
The Client is responsible for having a lawful basis for collecting and providing personal data to the Company
The Client is responsible for giving all required notices to data subjects, obtaining all required consents where applicable, ensuring that its processing instructions are lawful, determining the purposes and means of processing and responding to data subject and regulator requests unless otherwise agreed
The Client is also responsible for ensuring that any personal data provided to the Company is accurate, relevant and limited to what is necessary for the agreed project
16. Relationship with Other Documents
This DPA applies specifically to the processing of personal data by the Company on behalf of the Client
The Company’s general handling of personal data outside client-controlled project data is described in the Privacy Policy
The Company’s general security, confidentiality and operational practices are described in the Trust Statement
General terms applicable to the website and services are described in the Terms of Service, unless a separate written agreement provides otherwise
17. Order of Precedence
If there is a conflict between this DPA and the applicable service agreement, the data protection provisions that provide greater protection for personal data shall prevail, unless the parties expressly agree otherwise in writing
If a signed agreement, Statement of Work or data protection addendum contains more specific data processing terms, those specific terms will apply to the relevant project
18. Changes to This DPA
The Company may update this DPA from time to time to reflect changes in law, services, technology or business operations
The updated version will be published on the Company’s website or otherwise made available to clients
19. Contact
For questions regarding this DPA, please contact:
Website: https://gonextex.com
Address: Wisma KEIAI, 14th Floor Unit 1410, Jl. Jend. Sudirman, Karet, Tanah Abang, Jakarta Pusat 10220, Indonesia