Data Processing Agreement
Last updated: February 24, 2026
1. Definitions
This Data Processing Agreement ("DPA") forms an integral part of the Terms and Conditions of Dewata AI services and applies between PT DEWATA ARTIFICIAL INTELLIGENCE ("Dewata AI", "Data Processor", "We") and the customer using the Dewata AI platform services ("Customer", "Data Controller", "You").
In this DPA, the following terms have the following meanings:
- Personal Data: Any data about an identified or identifiable individual, either on its own or in combination with other information, whether directly or indirectly through electronic or non-electronic systems, as defined in Law No. 27 of 2022 concerning Personal Data Protection (PDP Law)
- Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or alignment, as well as erasure or destruction
- Data Controller: The Dewata AI Customer who determines the purposes and means of processing end users' Personal Data through the Dewata AI platform
- Data Processor: Dewata AI, which processes Personal Data on behalf of and in accordance with the instructions of the Data Controller
- Data Subject: The individual whose Personal Data is processed; in this context, the end users who interact with chatbots created by the Customer
- Sub-Processor: A third party engaged by Dewata AI to process Personal Data on behalf of the Data Controller
- Personal Data Breach: A security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
2. Scope and Purpose of Data Processing
This DPA governs the processing of Personal Data carried out by Dewata AI on behalf of the Customer in connection with the provision of the AI chatbot platform services. Processing of Personal Data is carried out solely for the following purposes:
- Chatbot service provision: Processing messages from end users, generating AI responses based on the Customer's bot configuration, and storing conversation history
- Customer identity resolution: Identifying chatbot widget visitors through browser fingerprinting to provide a continuous conversation experience
- Lead scoring and qualification: Analyzing conversation signals to assess prospect qualification and trigger notifications or promotional offers
- Customer lifecycle tracking: Managing customer stages from visitor through repeat customer
- Channel integration: Processing messages through WhatsApp Business API, Instagram Messaging API, and Telegram Bot API
- E-commerce: Processing product data, orders, and payment links for chatbot e-commerce features
- Human handoff: Facilitating conversation handoff to human agents including conversation summary generation and notifications
- Booking: Processing reservation and booking data created through the chatbot
- RAG/knowledge embeddings: Generating vector embeddings and performing semantic queries on knowledge base documents
- Customer memory: Storing persistent cross-session customer memory (preferences, facts, interaction summaries)
- Workflow automation: Executing rule-based triggers and automated actions based on Customer configuration
- Product sync: Importing product catalogs from external sources (Google Sheets/CSV)
- Admin panel: Platform administration with audit logging
Categories of Personal Data processed:
- Name, email address, and phone number of end users (if collected through lead capture)
- Conversation message content and session metadata
- Browser fingerprint and device identification data
- WhatsApp phone numbers, Instagram IDs, or Telegram IDs of message senders
- Booking data (date, time, service details)
- E-commerce transaction data (orders, payments)
- Lead scores and customer lifecycle classifications
- Knowledge base vector embeddings (derived mathematical representations)
- Customer memory records with confidence scores
- Extended user profile data (full name, phone, company, industry, etc.)
- Workflow configurations and execution audit trails
3. Data Controller Obligations (Customer)
As the Data Controller, the Customer is responsible for:
- Legal basis for processing: Ensuring that there is a valid legal basis for each processing of end user Personal Data through the Dewata AI platform, including obtaining necessary consent in accordance with the PDP Law
- Notice to Data Subjects: Providing clear notice to end users about the processing of their Personal Data, including the use of AI chatbots, browser fingerprinting, lead scoring, and channel integrations
- Data Subject rights: Handling Data Subject rights requests and forwarding relevant requests to Dewata AI when necessary
- Processing instructions: Providing lawful and legally compliant processing instructions to Dewata AI through bot configuration, feature settings, and channel integrations
- Content and system prompts: Ensuring that system prompts, knowledge bases, and content uploaded to the platform do not violate third-party privacy rights or contain sensitive Personal Data that should not be processed
- Domain compliance: Configuring the domain allowlist to restrict chatbot widget usage to legitimate websites
- Credential security: Maintaining the confidentiality of API keys, channel integration credentials, and dashboard account credentials
4. Data Processor Obligations (Dewata AI)
As the Data Processor, Dewata AI commits to:
- Processing per instructions: Processing Personal Data only based on written instructions from the Data Controller, unless otherwise required by applicable law. Instructions are deemed given through bot configuration, feature settings, and channel integration activation
- Confidentiality: Ensuring that all personnel authorized to process Personal Data have committed to confidentiality or are bound by statutory confidentiality obligations
- Security measures: Implementing appropriate technical and organizational measures to protect Personal Data against unauthorized processing, loss, destruction, or accidental damage
- Sub-processors: Not engaging another Sub-Processor without prior general written authorization from the Data Controller. The current list of Sub-Processors is set out in Section 5 of this DPA
- Assistance to the Controller: Assisting the Data Controller in fulfilling obligations relating to Data Subject rights, data protection impact assessments, and consultations with supervisory authorities
- Data deletion: Deleting or returning all Personal Data to the Data Controller upon termination of the service, unless applicable law requires further storage
- Audit: Making available all information necessary to demonstrate compliance with this DPA and allowing and contributing to audits conducted by the Data Controller or an appointed auditor
- Breach notification: Notifying the Data Controller of a Personal Data Breach without undue delay in accordance with Section 7
5. Sub-Processors
Dewata AI uses the following Sub-Processors to provide platform services. By agreeing to this DPA, the Customer provides general authorization for Dewata AI to engage the Sub-Processors listed below:
- Supabase Inc. — Database hosting, authentication, and file storage. Location: United States / per-region configuration. Processes: account data, conversation history, bot configuration, customer data, and all data stored in the database
- OpenAI / AI Gateway (Vercel) — AI model processing for generating chatbot responses. Location: United States. Processes: conversation message content, system prompts, and knowledge base context sent as part of API requests
- Meta Platforms, Inc. — WhatsApp Business Cloud API and Instagram Messaging API for channel integration. Location: United States / global. Processes: inbound and outbound messages, WhatsApp phone numbers, Instagram IDs and usernames, access tokens
- Telegram FZ-LLC — Telegram Bot API for Telegram channel integration. Location: United Arab Emirates / global. Processes: inbound and outbound messages, Telegram IDs, user display names, bot tokens
- PT Midtrans (GoTo Financial) — Payment processing for platform subscriptions and credit top-ups. Location: Indonesia. Processes: payment transaction data, payer information
- Vercel Inc. — Application hosting, CDN, and edge computing. Location: United States / global (CDN). Processes: web traffic, access logs, HTTP request data
- Functional Software, Inc. (Sentry) — Application error and performance monitoring. Location: United States. Processes: error reports, performance data, session replays (when errors occur)
- Resend Inc. — Email delivery service for lead and handoff notifications. Location: United States. Processes: recipient email addresses, notification content
- Sanity Inc. — CMS for blog and changelog content. Location: United States / global CDN. Processes: editorial content, article metadata, media assets
Dewata AI will notify the Customer of any changes to the list of Sub-Processors by updating this DPA at least 30 (thirty) days before the change takes effect. The Customer has the right to object to the addition or replacement of a Sub-Processor within 14 (fourteen) days of notification.
Dewata AI ensures that each Sub-Processor is bound by data protection obligations at least equivalent to those set out in this DPA, through written agreements between Dewata AI and each respective Sub-Processor.
6. Data Security Measures
Dewata AI implements the following technical and organizational measures to protect Personal Data against unauthorized processing, loss, or damage:
Technical measures:
- Transit encryption: All data in transit is protected by SSL/TLS encryption
- Storage encryption: Sensitive data such as channel access tokens and merchant credentials are encrypted using AES-256-GCM before being stored in the database
- API key hashing: Customer API keys are hashed using SHA-256 before storage; only the prefix is displayed to users
- Row Level Security (RLS): The database enforces RLS policies ensuring each user can only access their own data
- Input validation: All user input is validated to prevent XSS, SQL injection, and other attack vectors
- Rate limiting: Rate limiting is applied to all endpoints to prevent abuse
- Domain allowlist: Chatbot widgets can only be loaded from domains authorized by the Customer
- Security headers: HTTP security headers including X-Frame-Options, X-XSS-Protection, and HSTS are applied to all responses
Organizational measures:
- Principle of least privilege: Access to Personal Data is restricted to personnel who require access to perform their duties
- Environment separation: Production and development environments are strictly separated
- Monitoring: Error and performance monitoring through Sentry to detect anomalies and potential security incidents
- Incident handling: Security incident handling procedures covering identification, containment, notification, and remediation
- Periodic review: Security measures are reviewed and updated periodically in accordance with evolving threats and industry best practices
7. Data Breach Notification
In the event of a Personal Data Breach involving Personal Data processed on behalf of the Data Controller, Dewata AI will:
- Prompt notification: Notify the Data Controller without undue delay and within a maximum of 72 (seventy-two) hours of confirming the Personal Data Breach, via the email address registered on the Customer's account
- Breach information: Include in the notification the following information to the extent available:
  - The nature of the breach, including the categories and approximate number of Data Subjects affected
  - The categories and approximate number of Personal Data records affected
  - A description of the likely consequences of the breach
  - A description of the measures taken or proposed to address the breach and mitigate its effects
  - The name and contact details of the data protection officer or contact point for further information
- Notification assistance: Assist the Data Controller in fulfilling breach notification obligations to Data Subjects and supervisory authorities in accordance with Articles 46 and 47 of the PDP Law (notification within 3x24 hours)
- Documentation: Document all Personal Data Breaches, including the facts surrounding the breach, its effects, and the remedial actions taken
- Remedial measures: Take reasonable steps to contain, remedy, and mitigate the effects of the Personal Data Breach
8. Data Subject Rights
Dewata AI will assist the Data Controller in fulfilling its obligations to respond to Data Subject requests regarding their rights under the PDP Law, including:
- Right of access: Providing access to the Data Subject's Personal Data processed through the platform, including conversation history, customer data, and lead scores
- Right to rectification: Correcting inaccurate or incomplete Personal Data based on requests forwarded by the Data Controller
- Right to erasure: Deleting the Data Subject's Personal Data upon request, subject to applicable retention obligations under law
- Right to portability: Providing Personal Data in a structured, commonly used, and machine-readable format for data portability purposes
- Right to restriction: Restricting the processing of specific Personal Data in accordance with legitimate requests from the Data Controller
- Right to object: Ceasing specific processing (such as lead scoring or browser fingerprinting) in accordance with objections communicated through the Data Controller
Dewata AI will respond to Data Subject rights requests forwarded by the Data Controller within 14 (fourteen) business days of receipt. If requests are complex or numerous, the timeframe may be extended with notice to the Data Controller.
If Dewata AI receives a request directly from a Data Subject, Dewata AI will forward the request to the relevant Data Controller without undue delay, unless otherwise required by applicable law.
9. Cross-Border Data Transfer
In connection with the provision of services, Personal Data may be transferred to and processed outside the territory of the Republic of Indonesia. Dewata AI ensures that all cross-border data transfers are carried out in accordance with Article 56 of the PDP Law and its implementing regulations.
Destination countries and processing purposes:
- United States: Supabase (database), OpenAI/Vercel (AI processing), Meta (WhatsApp/Instagram API), Sentry (monitoring), Resend (email), Sanity (CMS)
- United Arab Emirates / Global: Telegram (Bot API)
- Global (CDN): Vercel (hosting and content distribution)
- Indonesia: Midtrans (payment processing)
Safeguards for cross-border transfers:
- Data processing agreements with each Sub-Processor that include data protection obligations equivalent to or higher than the PDP Law
- Encryption of data in transit (SSL/TLS) and sensitive data at rest (AES-256-GCM)
- Access restriction based on the principle of least privilege
- Ongoing monitoring of Sub-Processor compliance
- Mechanisms to cease transfers if the destination country no longer provides an adequate level of protection
By agreeing to this DPA, the Customer consents to the cross-border data transfers described above, in accordance with the provisions of the PDP Law.
10. Term and Termination
This DPA takes effect from the date the Customer begins using Dewata AI services and will remain in force for as long as Dewata AI processes Personal Data on behalf of the Customer.
Upon termination of services:
- Data deletion: Dewata AI will delete all Personal Data processed on behalf of the Data Controller within 30 (thirty) days after termination of services, unless applicable law requires further retention
- Data export: Prior to deletion, the Customer may request an export of Personal Data in a structured and machine-readable format. Export requests must be submitted before the service termination date
- Deletion confirmation: Upon completion of deletion, Dewata AI will provide written confirmation to the Customer that Personal Data has been deleted
- Retention exceptions: Financial transaction data will be retained for a minimum of 10 years in accordance with Government Regulation No. 80 of 2019, and non-financial transaction-related data will be retained for a minimum of 5 years
The confidentiality and data protection obligations established in this DPA will survive termination of this DPA for as long as Personal Data remains stored by Dewata AI or its Sub-Processors.
11. Compliance with PDP Law and GDPR
This DPA is designed to meet the requirements of applicable data protection regulations, in particular:
Law No. 27 of 2022 concerning Personal Data Protection (PDP Law):
- Articles 34-38: Obligations of Personal Data Controllers and Processors
- Articles 20-26: Legal basis for Personal Data processing
- Articles 5-13: Rights of Personal Data Subjects
- Articles 46-47: Notification of Personal Data protection failures
- Articles 55-56: Cross-border transfer of Personal Data
- Articles 57-66: Administrative and criminal sanctions
General Data Protection Regulation (GDPR) - European Union:
Although Dewata AI operates in Indonesia, this DPA is also designed to meet GDPR standards where Customers process Personal Data of European Union citizens through our platform. Additional provisions for GDPR compliance include:
- Article 28: Data processor obligations, including written agreements and documented instructions
- Article 32: Security of processing, including appropriate technical and organizational measures
- Articles 33-34: Data breach notification within 72 hours
- Articles 44-49: Cross-border data transfer mechanisms using Standard Contractual Clauses (SCCs) or other approved mechanisms
Other implementing regulations:
- Government Regulation No. 71 of 2019 concerning Electronic System and Transaction Operations
- Government Regulation No. 80 of 2019 concerning Trade Through Electronic Systems
Dewata AI is committed to continuously monitoring developments in data protection regulations and updating this DPA as necessary to ensure ongoing compliance.
For questions regarding this DPA, please contact us at:
PT DEWATA ARTIFICIAL INTELLIGENCE
contact@dewataai.com