Last updated: June 4, 2025
Data Processing Agreement (Indonesia)
This Data Processing Agreement (“Data Processing Agreement”) is concluded between PT Quipper Edukasi Indonesia, a limited liability company domiciled in Jakarta and established under the laws of the Republic of Indonesia (“Controller”); and You as the subscriber or users or general visitors of our services (“Customer”).
(together as the “Parties” and individually as “Party”).
WHEREAS
- The performance of the subscription and/or general access to Controller’s platform may involve processing of Personal Data (as defined below) carried out by the Controller or any Processor appointed by Controller.
- In light of the above, this Data Processing Agreement, which is attached to the Controller’s platform, shall be considered as standard terms and conditions that are automatically agreed to by the Customer.
- Definitions and Interpretation
- In this Data Processing Agreement, unless the subject or context otherwise requires, the following words and expressions shall have the following meanings respectively ascribed to them:
- “Applicable Laws and Regulations” means the applicable laws and regulations relating to the collection, use, share, disclosure, transfer, or otherwise processing of Personal Data in Indonesian jurisdiction.
- “Controller” means any entity that, whether individually or jointly, determines the purpose of and exercises control over the processing of Personal Data.
- “Data Subject” means all individuals whose Personal Data (as defined below) will be collected by the Controller and processed by the Processor or Subprocessor in accordance with the terms and conditions herein.
- “Data Subject Rights Request” means any written communication or notices by Data Subject who wishes to exercise the rights they have in relation to their Personal Data under the Applicable Laws and Regulations.
- “Data Transfer” means the assignment, disclosure, or making available Personal Data from one Party to another entity.
- “Personal Data” means any data or information related to identified or identifiable individuals, separately or in combination with other information, directly or indirectly through an electronic or non-electronic system. For the purpose of this Data Processing Agreement, Personal Data shall mean the data relating to the Data Subject that will be processed by the Processor or Subprocessor in accordance with the terms and conditions herein.
- “Personal Data Breach” means any security breaches leading to failure to protect a Personal Data in terms of confidentiality, integrity, and availability of the Personal Data, including security breaches, whether intentional or unintentional, leading to disposal, loss, alteration, disclosure, or unauthorized access to the Personal Data which are being sent, stored or processed.
- “Processor” means any person, public body/ governmental bodies and international organization acting individually or jointly in processing Personal Data on behalf of the Controller.
- “Processing Activities” means any collection, acquisition, filtering, analysis, storage, updates, rectification, display, announcement, transfer, dissemination, disclosure, erasure, or disposal of Personal Data as instructed by Controller to the Processor in accordance with stipulations under this Agreement.
- “Recipient” has the meaning given to it in Article 9.
- “Subprocessor” means any entities that may be subcontracted by the Processor to conduct any of the Processing Activities on behalf of the Controller or Processor.
- In this Data Processing Agreement: (i) references to Articles, Recitals and Annexes shall be deemed to refer to the articles, recitals and annexes of this Data Processing Agreement; (ii) whenever the words “include”, “includes” or “including” are used in this Data Processing Agreement, they will be deemed to be followed by the words “without limitation”; (iii) the Annexes to this Data Processing Agreement shall be incorporated into and deemed part of this Data Processing Agreement and all references to this Data Processing Agreement shall include the Annexes; (iv) words importing the singular only shall also include the plural and vice versa where the context requires; (v) Article headings are inserted for convenience only and shall not affect the interpretation of this Data Processing Agreement; (vi) unless expressly indicated otherwise, all references to a number of days mean calendar days, and the words “month” or “monthly” as well as all references to a number of months mean calendar months; (vii) dates and times are to Indonesia time; and (viii) whenever terms defined in the Applicable Laws and Regulations are used in this Agreement, such terms shall have the same meaning as in the Applicable Laws and Regulations.
- Purpose and Scope of Application
- This Data Processing Agreement governs the processing of Personal Data by Controller for the purpose of provision of Services by the Controller, which Services may require Controller to process the personal data of Data Subject by using the services from Processor.
- This Data Processing Agreement shall take priority over any similar provisions contained in other agreements between the Parties.
- Controller as the Controller of the Personal Data
- As the Controller of the Personal Data, Controller determines the purposes and means of the Processing Activities of the Personal Data as set out in Annex I herein.
- Controller undertakes that the Personal Data that is transferred to and to be processed by the Processor as outlined in Annex I of this Data Processing Agreement has been collected, used, disclosed, or otherwise processed in accordance with Applicable Laws and Regulations.
- Controller and Processor’s General Obligations Relating to the Processing Activities
- Controller shall only conduct data processing strictly:
- in accordance with the business purposes; and/or
- as may be required by Applicable Laws and Regulations.
- Controller shall not conduct data processing of any Personal Data for any other purposes or using any other methods not specified within this Data Processing Agreement.
- Controller must not disclose the Personal Data to any data subject or to a third-party or as required by the Applicable Laws and Regulations.
- Controller warrants that the Processor and/or Subprocessor will apply the same obligations as stated in clause 4.1. to 4.3. of this Data Processing Agreement.
- Controller and Processor’s Obligations Relating to its Personnel
- Controller shall ensure the reliability of any employee or its personnel who may have access to Personal Data and ensure in each case that access is strictly limited to those individuals who need to know or need to access the relevant Personal Data, as strictly necessary for the purposes of Processing Activities set out herein.
- Controller shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Any access to the Personal Data shall therefore without delay be denied or removed from any employee or personnel if the authorization is removed from such employee or personnel.
- Controller shall keep an updated record of all employees and personnel who have accessed the Personal Data.
- Controller warrants that the Processor and/or Subprocessor will apply the same obligations as stated in clause 5.1. to 5.3. of this Data Processing Agreement.
- Controller and Processor’s Obligation Relating to the Security of the Processing Activities
- Controller shall make sure that the Processor must implement, maintain, and periodically assess and update technical and organizational security measures in relation to the Processing Activities to ensure the compliance with the Applicable Laws and Regulations.
- Controller shall make sure that the Processor shall perform a security assessment and thereafter implement the appropriate measures to counter the identified risk in relation to the Processing Activities.
- In assessing the adequacy of the security level, Controller shall make sure that Processor shall give due consideration to the state-of-the-art technology and industry best-practice standard for the Processing Activities stipulated under this Data Processing Agreement.
- The Parties agree that Processor shall at a minimum implement the technical and organizational security measures specified in Annex II of this Data Processing Agreement.
- Engagement of Subprocessor
The Controller shall make sure that:
- Processor may only engage any Subprocessor based on contractual relationship in the form of a subprocessing agreement between Processor and the engaged Subprocessor.
- Processor shall ensure that any engaged Subprocessor fulfills the required personal data protection obligations under the Applicable Laws and Regulations and is subject to the same obligation applicable to the Controller under this Data Processing Agreement.
- Processor shall not be relieved of any liabilities or obligation under this Data Processing Agreement by reason of engaging a Subprocessor. Controller shall be responsible for any Processing Activity of the Subprocessor. Processor shall notify on the first opportunity of any failure by the Subprocessor to perform any of its obligations under the subprocessing agreement or data protection obligations under the Applicable Rules and Regulations.
- The engagement/appointment of a Subprocessor by the Processor that results in cross-border Data Transfer shall be conducted in accordance with Clause 9 of this Data Processing Agreement.
- Personal Data Breach
- In the event of Controller becoming aware of or reasonably suspecting that a Personal Data Breach is occurring or is likely to occur at the facilities of the Processor or facilities of the Subprocessor pertaining to the Processing Activities of Personal Data, Controller shall:
- make sure the Processor notifies without undue delay all relevant information pertaining to the Personal Data Breach,
- promptly and at its own expense (i) handle, contain, and close the Personal Data Breach using industry best-practice as soon as possible, (ii) take reasonable steps to mitigate the effects of and potential harms from the Personal Data Breach, (iii) perform any post-incident assessments as reasonably required by industry best-practices,
- determine whether notification obligation as required by Applicable Laws and Regulation is required, and
- provide access to its premises and/or systems for the purpose of investigation by the authority.
- Controller has the right to cease all Processing Activities of Personal Data for an indefinite amount of time during and after the occurrence of a Personal Data Breach.
- This article shall survive the expiry or termination of this Data Processing Agreement.
- Cross Border Data Transfer
- The Controller shall solely be permitted to conduct Processing Activities of Personal Data on documented instructions from the Data Controller, including as regards Data Transfer of personal data to any third countries. The Controller cannot within the framework of this Data Processing Agreement:
- disclose Personal Data to any parties in a third country or in an international organization;
- assign the processing of Personal Data to a Processor and/or Subprocessor in a third country; or
- have the Personal Data processed in other divisions, subsidiaries, or affiliates of the processor which is located in a third country.
- When conducting any cross-border Data Transfer with any third-party recipients (including but not limited to Subprocessor or subsidiaries or affiliates of the Controller) (“Recipient”), Controller must ensure that there exist adequate safeguards for the cross-border Data Transfer in accordance with the Applicable Laws and Regulations.
- Personal Data is only transferred to a Recipient located in a country with equal or higher standard of personal data protection than the Applicable Laws and Regulations; or
- Adequate binding instrument executed between Controller and the relevant Recipient, such as standard contractual clause and/or binding corporate rules in accordance with the Applicable Laws and Regulations.
- Data Storage and Record
- Controller shall store the Personal Data no longer than strictly necessary (i) for the provision of Services; (ii) if a storage period is agreed between the Parties, no longer than such storage period; or (iii) in accordance with minimum retention period as required under the Applicable Laws and Regulations.
- Controller will keep detailed, accurate and up-to-date written records regarding any Processing Activities of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organizational security measures.
- Controller shall conduct audit and assessments on Processor periodically to ensure the compliance to the extent mandated by Applicable Laws and Regulations.
- Commencement and Termination
- This Data Processing Agreement shall automatically become effective once the Customer accesses Controller’s platform or subscribes to Controller’s services.
- When this Data Processing Agreement or the Subscription is terminated, subject to the mechanisms provided under Annex I of this Agreement, Controller must move to terminate all Processing Activities on the first chance as soon as it is technically practicable and dispose of any existing copies unless Applicable Laws and Regulations require Controller to retain such Personal Data.
- Irrespective of the termination of this Agreement, obligations in this Data Processing Agreement shall apply as long as the Processor is still performing Processing Activities until the termination of all Processing Activities and the disposal of any Personal Data by Controller and any Subprocessor.
- Communication
- Controller appoints the following individuals as communication officer to facilitate an efficient and timely notification between the Parties: [email protected]; +62811 1902 7360
- All required communications, notifications, or the sending of documents as referenced under this Data Processing Agreement or obligated by Applicable Laws and Regulations intended to be sent to the other Party must be sent either physically or electronically to the address of the individuals as referenced in Article 13.1 of this Agreement. The Party who received any communication, notification, or documents must duly notify the sending Party the receipt of communication, notification, or documents on the first chance that they are aware of such.
- General Provision
- Governing Law. This Data Processing Agreement is governed by, and shall be construed in accordance with the laws of the Republic of Indonesia.
- Dispute Resolution.
- Any dispute, controversy, or claim arising out of, relating to, or in connection with this Data Protection Agreement, including any question regarding its existence, validity, or termination, shall be referred to and resolved by the dispute resolution mechanism as stipulated under the Master Service Agreement.
- Each Party shall continue to perform its respective obligation under this Data Processing Agreement despite the existence of any dispute.
- Amendment
- In the event that there are any changes to Applicable Laws and Regulations that render any provisions of this Data Processing Agreement unlawful or impracticable, the Parties must amend such provisions to be compliant with Applicable Laws and Regulations.
- No amendment of this Data Processing Agreement will be effective unless it is in writing and signed by both Parties.
- Waiver. Any failure by either Party to enforce, at any time or for any period of time, any of the provisions of this Data Processing Agreement shall not be construed as a waiver of that provision or any other provision of this Data Processing Agreement.
- Entire Agreement. This Data Processing Agreement shall constitute the entire agreement between the Parties relating to the subject matter hereof and supersedes and replaces in full all prior understandings, communications and agreements between the Parties with respect to the subject matter hereof.
- Severability. If any provision of this Data Processing Agreement or part thereof is rendered void, unlawful or unenforceable by any legislation to which it is subject, it shall be rendered void, unlawful or unenforceable to that extent and it shall in no way affect or prejudice the enforceability of the remainder of such provision or the other provisions of this Data Processing Agreement.
- Assignment. Except as set out in Article 7, the rights and the obligations of each Party under this Data Processing Agreement may not be assigned, transferred, subcontracted or otherwise disposed of, in whole or in part, without the prior written consent of the other Party.
- Survivability. Any provision of this Data Processing Agreement that is expressly stated to, or which by its nature shall, survive expiry or termination of this Data Processing Agreement shall remain applicable even after such expiry or termination.
- Language. This Data Processing Agreement is prepared and executed in English and Indonesian languages. In the event of discrepancy of meaning between the English and Indonesian language, the Indonesian version shall prevail.
ANNEX I: SCOPE OF PROCESSING ACTIVITIES
- Category of Data Subject
The category of Data Subject whose Personal Data are to be transferred by Controller and processed by the Processor are:
- Candidates/applicants
- Clients: i) legal entity (schools, corporation, etc.); ii) individual (individual person, children)
- Category of Personal Data to be Processed
The categories of Personal Data to be transferred by the Controller and processed by the Processor include, but are not limited to:
- General Personal data:
- Name, address, birthdate (age), gender
- Contact details (phone number, e-mail address)
- Affiliation information (work place, affiliation, job title, school, etc.)
- ID No. (driving license, passport information, social ID, etc.)
- Credit card information
- Bank account
- Location data (GPS information etc.)
- Online identifier (IP address, cookie)
- Information on personal preferences (purchasing data, etc.)
- Information of evaluation and grades
- Racial or ethnic origin
- Political opinion
- Religion or creed
- Trade union membership
- Data on a natural person’s sex life or sexual orientation
- Sensitive Data:
- Health information (medical history, surgical history, medical examination result, etc.)
- Genetic Data (data about genetic characteristics of a natural person, genome data, etc.)
- Biometric data (facial images, dactyloscopy data, etc.)
- Data relating to criminal convictions and offenses
- Children personal data
- Personal data on person with disabilities
- Purpose of Processing Activities
Processor conducts Processing Activities of Personal Data on behalf of the Controller with the purposes of including but not limited to:
- approach and acquisition of clients
- sales closing
- account registration on Controller’s platform
- account deletion
- engagement management with Controller’s clients (students and teachers)
- conduct survey related to Controller’s products or services
- sourcing and hiring of candidates (employees)
- mandatory report to the authority (e.g. tax report, and labor report)
- data storage on Processor’s cloud storage/system
- Methods for Processing Activities
- The Processor shall transfer Personal Data and result of Processing Activities to Controller using tools supporting encryption.
- The Processor shall conduct Processing Activities using tools: case by case upon discussion with the data processor.
- The Processor shall store Personal Data using data storage which supports encryption and authorization.
- The Processor shall conduct Processing Activities only on electronic systems located in: case by case upon discussion with the data processor.
- The Processor shall conduct deletion and disposal of Personal Data using tools which can track history of the operation.
- Time period of Processing Activities
Processing Activities by the Processor on behalf of the Controller may be performed when this Data Processing Agreement is in force.
- Data Retention, Return, Erasure, and Disposal
- Processor shall only store the Personal Data in a form which permits identification of the Data Subject for as long as the relevant purposes as mentioned in Article 3 of this Annex remain, and in accordance with minimum retention period as required under the Applicable Laws and Regulations.
- Processor shall return all Personal Data after the time period of Processing Activities as specified under Article 5 of Annex I has elapsed and is not extended and shall delete all copies of Personal Data along with its processing result from Processor system.
- Processor shall dispose of all Personal Data if this Data Processing Agreement is terminated.
- In addition to the obligation of erasure and disposal of Personal Data as mentioned under Article 6.1 and 6.2 of Annex I of this Data Processing Agreement, Controller has the right to order Processor to erase and/or dispose of Personal Data in order to comply with Data Subject’s Rights Request or other legal obligation under Applicable Laws and Regulations.
- Processor shall report to Controller of any Personal Data erasure or disposal activities in a written format in such a way that it may serve as proof that Processor has conducted Personal Data erasure or disposal.
- Processor shall retain Personal Data only during the duration of this Data Processing Agreement, or as required by a legal obligation under Applicable Laws and Regulations by first notifying Controller of such legal obligation.
ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
- Processor shall implement data handling policy or an equivalent organizational measure which must at least provide the following in accordance with the minimum standard set by Applicable Laws and Regulations:
- The fulfillment of Data Subject’s Rights Request
- Data retention
- Internal compliance audit
- Data security
- Personnel access record
- Personal Data accuracy and completeness verification policy
- Compliance documentation
- Policy on record of processing activity
- Policy of data protection impact assessment
- Processor shall implement a Personal Data Breach policy or response plan which must at least govern the following in accordance with the best industry practice standard on:
- Division of roles and responsibilities of internal parties during a Personal Data Breach,
- Mechanism and steps to take during a Personal Data Breach,
- Mechanism to conduct Personal Data Breach Documentation, and
- Mechanism to evaluate and update the Personal Data Breach policy.
- Processor shall implement security technical measures which must consist of the following in accordance with the best industry practice standard:
- Using technical means to protect the information including but not limited to encryption and anonymization techniques.
- Taking all practicable measures to restore personal data which have been modified or destroyed as a result of unauthorized access.
- The IT department shall ensure that the creator of the files containing Personal Data, the person who modified and accessed the file and the date of creation and modification can be identified.
- Data Transfer must be done in a secure manner. For example, when transferring a file containing Personal Data, password protection must be used. Passwords must not be communicated in the same e-mail.
- Processor shall implement physical security measures on the physical premises of the processing activity in accordance with the best industry practice standard:
- Ensuring the security of the premises where the information systems used to process personal data are located. Such security shall prevent any uncontrolled access to such premises by persons having no rights to access such premises.
- Approving the list of persons who are authorized to access the information systems where the personal data are processed.
- Personal Data in hard copy or data carrier must be kept locked away in a secure place outside working hours. Documents and records containing Personal Data must not be left unlocked on desks after working hours. If an employee leaves his/her desk temporarily, he/she must ensure that unauthorized persons do not have access to Personal Data during his/her absence. Company laptops and mobile phones must not be left unattended. Laptops and mobile phones containing Personal Data must not be left unattended in a vehicle.
- Employees must not disclose to unauthorized persons or make available to such persons their passwords to company devices or applications. It is expressly forbidden to write passwords anywhere or to send them to others by text message or e-mail.