Skip to main content

Data Processing Addendum

Last updated: April 19, 2025

Note: If the Terms, Policy, or Agreement are available in multiple languages and any discrepancies exist between translations, the English version shall prevail.

This Data Processing Addendum ("DPA") is an integral part of the Terms of Use (collectively referred to as the "Agreement") between the Customer and/or the User and BabySea ("BabySea").

A. Background and General Provisions

  1. Background. This Data Processing Addendum ("DPA") governs the processing of Personal Data by BabySea ("BabySea") in accordance with the Agreement between BabySea and the Customer ("Customer") and/or the User ("User"), in compliance with the applicable laws and regulations in Indonesia, including but not limited to Law No. 27 of 2022 concerning Personal Data Protection (PDP Law), and related regulations.
  2. Duration and Continuity. This DPA shall be in effect as of the effective date of the Agreement and shall remain in effect until the termination of the Agreement or the return or deletion of Personal Data pursuant to the terms of this DPA.

B. Definitions

  1. "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  2. "Processor" means the entity which processes Personal Data on behalf of the Controller.
  3. "Personal Data" means any information relating to an identified or identifiable individual.
  4. "Security Incident" means an event that breaches information security leading to unauthorized access, disclosure, alteration, or destruction of data.

C. Obligations and Responsibilities

  1. Controller Instructions. BabySea shall only process Personal Data based on the written instructions from the Controller unless required otherwise by applicable law.
  2. Confidentiality. All personnel authorized by BabySea to process Personal Data shall be bound by confidentiality obligations.
  3. Security Measures. BabySea shall implement appropriate technical and organizational measures, including encryption and other mechanisms, to protect Personal Data against Security Incidents in accordance with the PDP Law and related regulations.
  4. Subprocessors. The Controller consents that BabySea may engage subprocessors to process Personal Data. BabySea shall ensure that subprocessors are subject to data protection obligations equivalent to those set forth in this DPA.

D. Rights and Responsibilities of the Controller

  1. Access Rights. The Controller has the right to access and audit BabySea's compliance with the provisions of this DPA.
  2. Data Subject Requests. If BabySea receives a request from a data subject, BabySea shall promptly notify the Controller and shall not respond to the request unless authorized by the Controller.

E. Data Transfers

Personal Data may only be transferred to countries with an equivalent level of Personal Data protection to Indonesia, or based on the written consent of the data subject, unless required otherwise by applicable law.

F. Security Incidents

  1. Notification. BabySea shall notify the Controller without undue delay after becoming aware of a Security Incident.
  2. Follow-up Actions. BabySea shall cooperate with the Controller to investigate, address, and mitigate the impact of the Security Incident and implement necessary corrective measures.

G. Data Deletion

Upon the termination or expiration of the Agreement, BabySea shall delete or return all Personal Data in accordance with the Controller's instructions and the provisions of the PDP Law.

H. Other Provisions

  1. Governing Law. This DPA is governed by and shall be construed in accordance with the laws of the Republic of Indonesia.
  2. Amendments. BabySea reserves the right to amend this DPA at any time. Any material changes to this DPA shall be communicated to the Controller no later than 30 (thirty) days before such changes take effect. The Controller has the right to terminate the Agreement if it disagrees with the changes, by providing written notice to BabySea within 30 (thirty) days of receiving notification of the changes.
  3. Dispute Resolution. Any disputes arising from or in connection with this DPA shall be resolved by mutual agreement. If mutual agreement cannot be reached, the disputes shall be resolved through arbitration in accordance with the applicable regulations in Indonesia.

Appendix I

Description of Data Processing

  1. Purpose of Processing. The processing is undertaken to provide the Services described in the Agreement.
  2. Categories of Data Subjects. The Personal Data processed may include employees, customers, suppliers, consultants, and contractors.
  3. Categories of Personal Data. The Personal Data processed may include names, addresses, phone numbers, email addresses, identification data, financial data, and other relevant data as per the Services provided.
  4. Retention Period. Personal Data shall be retained as long as necessary to fulfill the purposes of processing and shall be deleted in accordance with the data retention policy or as instructed by the Controller upon termination of the Agreement.
  5. Types of Personal Data Processed by BabySea:
    • a. Basic personal information (such as name, address, phone number, email address)
    • b. Financial data (such as payment information, bank account details)
    • c. Other data as permitted by the Controller and as required for the Services provided.
  6. Purpose of Data Processing:
    • a. To provide Services to Customers and Users as per the Agreement.
    • b. To comply with legal and regulatory obligations.
    • c. For the purposes of service analysis and development.

Appendix II

Technical and Organizational Security Measures

  1. BabySea implements the following security measures:
    • a. Data Encryption. Data is encrypted in transit and at rest using appropriate encryption technologies (e.g., TLS for data transmission and AES-256 for data storage).
    • b. Access Control. Access to Personal Data is restricted to authorized personnel and requires multi-factor authentication.
  2. Data Backup. Personal Data is regularly backed up to ensure data recovery in case of incidents.
  3. Pseudonymization and Anonymization. Implementation of pseudonymization and anonymization techniques to protect the identity of Personal Data, if necessary.
  4. Security Incident Log. Notification of incidents and mitigation actions are systematically reported and recorded.
  5. Data Retention Policy. Implementation of strict data retention policies to ensure that Personal Data is only retained as long as necessary for the purposes of processing.
  6. Process for Handling Security Incidents:
    • a. Risk Assessment. Rapid assessment to determine the impact of the incident.
    • b. Communication and Notification. Notify the Controller and relevant parties in accordance with applicable regulations.
    • c. Recovery Actions. Taking necessary recovery actions to remedy and prevent similar future incidents.
  7. Documentation. Keeping records of all processing activities for internal and external audits.
  8. Data Deletion. Customers may request data deletion by completing the form provided through BabySea's customer support services. The support team will validate the request, gather necessary information, and ensure that data is deleted in accordance with the implemented secure deletion procedures.
Contact for Questions
If you have any questions or concerns about our Terms, Policies, or Agreements, please contact us:
Send Message