
MSA Privacy Language

Last updated: June 26, 2026

DATA PROTECTION ADDENDUM

Customer and G-P are Parties to a Master Agreement or to an agreement of a similar nature and purpose (hereinafter “Master Agreement”). This DPA supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this DPA and any other agreement between the Parties on the issues set forth herein, this DPA shall prevail. If Customer already has an executed data protection addendum in effect with G-P, then that agreement shall prevail over this DPA, and this DPA shall have no force or effect, unless otherwise agreed in writing by Customer and G-P.
 

1. DEFINITIONS​​  

Terms not defined herein have the meaning set forth in the Master Agreement. The following words in this DPA have the following meanings:
1.1 “Authorized User” means an individual permitted by Customer, who may be a Customer’s employee and/or contractor, to access and use the GPP on behalf of the Customer, pursuant to the execution of the Master Agreement.
1.2 “Customer Data” means any Personal Data related to any Authorized User or identifiable natural person that is transferred, processed, or stored by G-P on behalf of Customer in connection with the Services for the use of the GPP by the Customer.
1.3 “Data Protection Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, Swiss Data Protection Laws, US Privacy Laws (including state and federal laws), and Brazil LGPD.
1.4 “Employer of Record” means Employer of Record.
1.5 “General Data Protection Regulation” means the General Data Protection Regulation (EU) 2016/679.
1.6 “GPP” means G-P’s proprietary software, including without limitation, the software, the mobile version, any software contained therein, and any data made available through the use of either G-P’s proprietary software or the third party services, including their updates, upgrades, platform as a service, and documentation.
1.7 “EEA” means the European Economic Area.
1.8 “LGPD” means Brazilian Law No. 13.709, the General Law on the Protection of Personal Data, as may be amended, superseded, or replaced.
1.9 “Privacy Policy” means G-P’s privacy policy, as updated from time to time, available at
1.10 “Professionals’ Data” means Professionals’ Personal Data processed by G-P in the course of the provision of EOR services to Customer.
1.11 “Restricted Transfer” means any transfer of Personal Data to a country outside the EEA, the United Kingdom, Switzerland or Brazil that is not subject to an adequacy decision under the applicable Data Protection Laws, and therefore requires appropriate safeguards under applicable data protection laws.
1.12 “Services” means the services to be provided by G-P to the Customer under the Master Agreement which may include the provision of EOR services and the access and use of GPP.
1.13 “Standard Contractual Clauses” or “SCCs” mean (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at (“EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) where the UK GDPR means the International Data Transfer Addendum (“UK Addendum”) to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such UK Addendum may be revised under Section 18 therein (“UK SCCs”); (iii) where the Swiss Data Protection Laws apply, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection Authority and Information Commissioner’s Office (the “Swiss SCCs”); (iv) where the Brazilian LGPD applies, the applicable standard contractual clauses, attached to Resolution CD/ANPD No. 19/2024 promulgated by the Brazilian National Data Protection Authority (“ANPD”), as they may be amended from time to time (“Brazil SCCs”).
1.14 “Swiss Data Protection Laws” or “FADP” means (i) Swiss Federal Data Protection Act (“FDPA”); (ii) The Ordinance on the Federal Act on Data Protection (“FODP”); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
1.15 “UK Addendum” means the United Kingdom international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.
1.16 “UK Data Protection Laws” mean the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2019 (“UK GDPR”) and the Data Protection Act 2018 (together, “UK Data Protection Laws”).
1.17 “US Privacy Laws” means applicable United States (US) state laws, orders, regulations and regulatory guidance relating to the Processing of Personal Data including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all similar state laws.
1.18 “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Data Breach”, “Processor”, “Process/Processing”, “Restricted Transfer”, “Service Provider” and/or other similar terms and concepts have the meaning as defined in the Data Protection Laws.
 
 

2. INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP​​  

2.1 Roles of the Parties. When G-P provides the Customer with EOR services, G-P assumes the role of the legal employer for any individuals selected by the Customer (“Professional(s)”) to be hired. With regard to such Professionals’ Personal Data, G-P is an independent Controller during the course of the employment relationship. Regarding Professionals’ Personal Data collected and used by the Customer for its own purposes, Customer is also an independent Controller with independent privacy obligations. When delivering the EOR services, the exchange of Professionals’ Personal Data between G-P and the Customer is under an independent Controller-to-Controller relationship and the provisions of this section 2 (“Independent Controller-Controller Relationship”) shall apply. In no event will the Parties Process Personal Data under this DPA as joint Controllers.
2.2 Responsibilities and Acknowledgements. The Parties in their capacity as Controllers shall:
2.2.1 Comply with the applicable Data Protection Laws in relation to the Processing of Professionals´ Personal Data.​​ 
2.2.2 Process and share the Professionals´ Personal Data fairly and lawfully for the purpose of (as the case may be) performing or receiving the EOR Services for its own legitimate interests.​​ 
2.2.3 Ensure a lawful Processing ground applies to any sharing of Professional´s Personal Data between the Parties.​​ 
2.2.4 Assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs, responding to Data Subjects and/or regulators’ requests.​​  
 

3. CONTROLLER – PROCESSOR RELATIONSHIP​​ 

3.1 Roles of the Parties. G-P also offers various software as a service products via GPP through which G-P enables Customer to manage the relationship with those Professionals. When G-P provides Customer with access to GPP, G-P is the Processor for the account related Personal Data uploaded to the GPP by the Customer’s appointed Authorized Users of GPP and the Customer is the Controller of such data, and the provisions of this section 3 (“Controller-Processor Relationship”) shall apply.
3.2​​  Instructions.​​  G-P will process Customer Data in accordance with Customer’s documented instructions.  Customer agrees that this DPA, the Master Agreement, and Annex I attached hereunder, comprise Customer’s complete instructions to G-P regarding the Processing of Customer Data.  Any additional or alternate instructions must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions.  Customer will ensure that its instructions comply with applicable Data Protection Laws. Customer acknowledges that G-P is not responsible for determining which laws are applicable to Customer’s business. Customer will ensure that G-P’s Processing of Customer Data, when done in accordance with Customer’s instructions, will not cause G-P to violate any applicable law, including applicable Data Protection Laws. However, if G-P is of the opinion that a Customer instruction infringes applicable Data Protection Laws, G-P shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.​​  
3.3 Details of the Processing. The details of the subject matter of the Processing, its duration, nature and purpose, and the types of Customer Data and data subjects are as set out in Annex I attached to this Agreement.
3.4 Compliance. Customer and G-P agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to G-P. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for G-P to Process Customer Data as directed by Customer.
3.5 Subprocessors. Customer authorizes G-P to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the G-P group of companies. G-P may continue to use those Subprocessors already engaged by G-P as of the date of this DPA, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, G-P shall be liable to the Customer for the performance of the Subprocessor’s obligations. G-P shall notify Customer of any changes to its list of Subprocessors through GPP. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and G-P cannot reasonably accommodate Customer’s objection, the Parties will discuss Customer’s concerns in good faith with a view to resolving the matter.
3.6 Technical and organizational security measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data, G-P shall implement appropriate technical and organizational security measures to ensure security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data, as detailed in Annex II attached hereto. G-P will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.
3.7 Confidentiality. G-P shall ensure that persons authorized to access Customer Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and (ii) access Customer Data only on written instructions from G-P, unless required by applicable law.
3.8 Personal Data Breach. G-P will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.
3.9 Deletion of Personal Data. Upon termination of the Services (for any reason), G-P will, as soon as practicable, return or delete the Customer Data stored in the GPP unless applicable law requires retention of the Customer Data for a longer period. For such retention, the provisions of this DPA will continue to apply to such Customer Data.
3.10 Data Subject Requests. G-P shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. G-P will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the GPP.
3.11 Third-party requests. If G-P receives a request from a third party or an order from any court, tribunal, regulator, or government body with competent jurisdiction to which G-P is subject relating to the Processing of Customer Data under this Agreement, G-P will promptly redirect the request to Customer. G-P will not respond to such requests without Customer’s prior authorization unless legally required to do so. Unless legally prohibited, G-P will notify Customer in advance of making any disclosure of Customer Data and will reasonably cooperate with Customer to limit the scope of such disclosure to what is legally required.
3.12 Data Protection Impact Assessments and Prior Consultation. To the extent required by Data Protection Laws, G-P will provide reasonable assistance to Customer to carry out data protection impact assessments relating to the Processing of Customer Data carried out by G-P and/or any required prior consultation with supervisory authorities. G-P reserves the right to charge Customer a reasonable fee for the provision of such assistance.
3.13 Audit. Customer may audit G-P’s compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO27001 certification, SOC2 certificate), within twelve (12) months as of the date of Customer’s request. Alternatively, in the event the documentation provided subject to this Section 3.13 is not sufficient for the purpose of demonstrating compliance, the Customer may conduct its own audit in addition to the provided third party certifications or reports, provided that such audit shall be conducted: i) no more than once per each 12 (twelve) months period; ii) during normal business hours and without disrupting G-P’s day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense; v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or Processing activities contemplated hereunder; vi) on a date mutually agreed in advance, subject to reasonable postponement by Customer upon G-P’s reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the foregoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR services company, agency, a related organization or consultant.
Nothing in this DPA will require G-P to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other G-P customer; (ii) G-P’s internal accounting or financial information; (iii) any trade secret of G-P or its affiliates; (iv) any information that, in G-P’s reasonable opinion, could compromise the security of any of G-P’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.
3.14 US Privacy Laws. Under this section 3, the Parties agree that G-P is a “Service Provider” or “Processor” as such terms are defined under applicable US Privacy Laws. Accordingly, to the extent US Privacy Laws apply to the Processing of Customer Data by G-P, G-P shall not (a) retain, use, or disclose any Customer Data outside the direct business relationship between G-P and Customer, or for any purpose other than for the purpose set out in Annex I attached hereto, and G-P shall Process Customer Data only as long as it provides services to the Customer; (b) sell any Customer Data; (c) share any Customer Data; or (d) combine the Customer Data that G-P receives from, or on behalf of, Customer with “personal data” (as such term or equivalent is defined under applicable Data Protection Laws) that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that G-P may combine Customer Data if it is within the scope of providing the services to Customer. Where applicable, each Party shall notify the other party if it makes a determination that it can no longer meet its obligations under US Privacy Laws.
 

4. INTERNATIONAL DATA TRANSFERS​​ 

4.1 Appropriate safeguards. G-P is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws, G-P shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement.
4.2 Data Privacy Framework. Professionals and Customer Data are stored in GPP, which is hosted in the U.S. G-P is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). G-P’s certification can be confirmed publicly on the DPF website. The EU-U.S. Data Privacy Framework was considered adequate by the European Commission, being a lawful data transfer mechanism pursuant to Article 45 of the GDPR, the UK GDPR, and the FADP, respectively. If the DPF Framework(s) are invalidated, suspended, or otherwise no longer recognized as providing adequate protection for international data transfers, the Processor agrees to enter into and comply with the SCCs issued or approved by the European Commission, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable. The Parties shall cooperate in good faith to implement any supplementary measures required to ensure an essentially equivalent level of protection for the transferred data.
4.3 Standard Contractual Clauses. The Parties agree that when the transfer of personal data from Customer (as "data exporter") to G-P (as "data importer") is a Restricted Transfer and applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:
a. In relation to transfers of Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:
i. Modules One and Two shall apply;​​ 
ii. in Clause 7, the optional docking clause will apply;​​ 
iii. in Clause 9 of Module Two, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 3.5 of this DPA;​​ 
iv. in Clause 11, the optional language will not apply;​​ 
v. in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Master Agreement;​​ 
vi. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;​​ 
vii. in Clause 18(b), disputes shall be resolved before the courts of Ireland;​​ 
viii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and​​ 
ix. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA;​​ 
x. Annex III of Module Two of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this DPA.​​ 
b. In relation to transfers of personal data protected by the UK Data Protection Laws or the Swiss Data Protection Laws, the EU SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:
i. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);​​ 
ii. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);​​ 
iii. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);​​ 
iv. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);​​ 
v. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);​​ 
vi. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);​​ 
vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and​​ 
viii. with respect to transfers to which UK Data Protection Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss Data Protection Laws apply, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.​​ 
ix. In relation to data that is protected by the UK GDPR, the EU SCCs will apply as follows: (i) apply as completed in accordance with the paragraphs (i) to (viii) above; and (ii) be deemed amended as specified by Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of this DPA. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".​​ 
c. In relation to transfers of personal data protected by the Brazil LGPD, either directly or via onward transfer, to a country outside of Brazil that is not subject to an adequacy decision issued by the ANPD, the Brazil SCCs will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:​​ 
i. Clause 2 of the Brazil SCCs is satisfied by the information set forth in Annex I, which describes the data transfer;​​ 
ii. In Clause 3 of the Brazil SCCs, Option B shall apply, with onward transfers permitted in accordance with Section 3.5 (“Subprocessors”) of this DPA. The subject matter, nature, and duration of processing are set forth at Annex I of this DPA;​​ 
iii. Clause 4 of the Brazil SCCs is satisfied by the information set forth in Annex I of this DPA. Where G-P is a Controller, it will be the “Designated Party”, as defined in the Brazil SCCs, and for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs. Customer remains responsible for compliance with Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs for any personal data of which it may otherwise be Controller;
iv. In Clause 9 of the Brazil SCCs, the optional docking clause will not apply; and​​ 
v. Section III (Security Measures) of the Brazil SCCs will be deemed completed with the information set forth in Annex II of this DPA.​​ 
4.4​​  Unforeseen Data Transfers​​ . If, in the course of providing the Services, either Party identifies that a transfer of Personal Data occurs or is likely to occur that is not already addressed by the mechanisms set forth in Sections 4.1 through 4.3 of this DPA, the Parties shall promptly notify each other and shall cooperate in good faith to implement, without undue delay, such additional transfer mechanisms or supplementary measures as may be required under applicable Data Protection Laws to ensure the lawfulness of such transfer. Neither Party shall be required to proceed with any such unforeseen transfer until the appropriate mechanism has been agreed and put in place.​​ 
 

Annex I

Description of Data Processing
INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP DETAILS
(This section concerns the details of Personal Data that is being shared between the Parties in their capacities as Controllers)
Parties
Data Exporter: Customer entity executing the Master Agreement
Data Importer: Globalization Partners LLC.
Contact Details of the Relevant Parties
Contact details as set out in the Master Agreement.
Activities Relevant to the Data Transferred
Activities related to the EOR Services.​​ 
Roles​​ 
Data Exporter: Controller.​​ 
Data Importer: Controller.​​ 
Processing Activities
The Personal Data processed / transferred may be subject to the following Processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, compliance, legal and audit functions.​​ 
Duration of Processing
The term of the Master Agreement and on a continuous basis.​​ 
Nature and Purpose of Processing
Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the Processing is to provide the EOR Services in accordance with the Master Agreement.​​ 
Categories of Data Subjects​​ 
Professionals.​​ 
Types of Personal Data​​ 
Contact details (which may include name, address, email address, telephone, fax, emergency contact details, and associated local time zone information).​​ 
Employment details (which may include education, CV, job title, grade, demographic, location data, nationality and export compliance status, salary, bonus).​​ 
Data subjects' email content.​​ 
Details of services provided to or for the benefit of data subjects.​​ 
Special Categories of Data (if applicable)
N/A
Retention
Personal Data will be retained for at least the applicable legally mandated minimum retention period, consistent with the applicable statutes of limitation and in keeping with good business practice.
Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner's Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).​​ 
Transfers to Subprocessors
For transfers to processors, the subject matter, nature, and duration of the processing are the same as described above.
G-P privacy contact details

Attn: Global Privacy Office.
 
 
 
CONTROLLER - PROCESSOR RELATIONSHIP DETAILS​​ 
(This section concerns the details of Personal Data that is being processed by G-P on behalf of the Customer)
Parties
Data Exporter: Customer entity executing the Master Agreement
Data Importer: Globalization Partners LLC.
Contact Details of the Relevant Parties
Contact details as set out in the Master Agreement.
Activities Relevant to the Data Transferred
Activities relating to the Employer of Record Services and the use of the GPP provided to Customer as a service.
Roles​​ 
Data Exporter: Controller​​ 
Data Importer: Processor​​ 
Processing Activities
The Personal Data processed / transferred may be subject to the following Processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, compliance, legal and audit functions.
Duration of Processing
The term of the Master Agreement and on a continuous basis.
Nature and Purpose of Processing
Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the processing is to provide GPP as a Service to the Customer in accordance with the Master Agreement.​​ 
Categories of Data Subjects​​ 
Authorized Users of the GPP who may include Customer’s employees and/or contractors.​​ 
Types of Personal Data​​ 
Contact details (such as telephone number and email).
Employee/contractor data (such as job title and company name).
Usage data (such as data about Authorized Users’ devices and how those devices interact with the GPP).
Location data (such as location derived from IP address).
Content data (such as the content of Customer files regarding Professionals and related communications).
Credentials (such as passwords, password hints, and similar security information used for authentication and account access to the GPP).
Any Personal Data supplied by Authorized Users.​​ 
Special Categories of Data (if applicable)
N/A
Retention
Personal Data will be retained for at least the applicable legally mandated minimum retention period, consistent with the applicable statutes of limitation and in keeping with good business practice.
Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner's Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).​​ 
Transfers to Subprocessors
For transfers to processors, the subject matter, nature, and duration of the processing are the same as described above.
G-P privacy contact details

Attn: Global Privacy Office.
 

Annex II

Technical and Organizational Measures

G-P has been certified and attested to confirm compliance with SOC 2 and ISO 27001 standards, by independent auditors. Such certifications demonstrate our commitment to securing Customer Data. G-P’s security program is designed to:​​ 

Protect the confidentiality, integrity, and availability of Customer Data in G-P’s possession or to which G-P has access;​​ 

Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Data;

Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Customer Data;

Protect against accidental loss or destruction of, or damage to, Customer Data; and

Safeguard information as set forth in any regulations governing G-P.

The following describes the functions, processes, controls, systems, procedures, and measures G-P has taken to ensure the security of the Processing of Customer Data:

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​ 

a) Privacy by Design and Default:

G-P takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are set up in such a way that the data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are considered at an early stage.​​ 

b) Encryption of Personal Data:​​ 

Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.​​ 

Database and storage encryption:​​ 

All databases used by G-P apply state-of-the-art encryption "at rest", so that data can only be read from the database after proper authentication on the respective database system.

Encryption of mobile data media:​​ 

The use of mobile data carriers for storing customer data is not permitted.​​ 

Encryption of data carriers on laptops:​​ 

Appropriate state-of-the-art hard disk encryption is installed on all employees' laptops.​​ 

Encrypted exchange of information and files:​​ 

In principle, the exchange of information and files is directly encrypted via a special application. If personal data or confidential information must be transferred to servers and cannot be sent via TLS-encrypted HTTPS uploads, it will be transferred using Secure File Transfer Protocol (SFTP), an encrypted envelope service or another encrypted mechanism according to the state of the art.

E-Mail Encryption:​​ 

In principle, all e-mails sent by employees of G-P are encrypted with TLS. Exceptions may apply if the receiving mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption.

c) Admission Control​​ 

Admission controls are intended and put in place in order to prevent the use and processing of data which is protected by data protection laws by unauthorized persons.​​ 

Use of authentication methods​​ 

Access to personal data is always via encrypted protocols: SSH, SSL/TLS, HTTPS or comparable protocols. Authentication procedure for IT system: Multifactor authentication log-in to IT system.

Automatic blocking in case of inactivity​​ 

Laptops used by G-P employees are locked with password or PIN protection when not in use by the user. In addition, an automatic screen lock with password protection is set up after 15 minutes of inactivity.

Use of anti-virus software​​ 

Laptops used by G-P employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a matter of principle, no computers may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Default security settings must not be deactivated or circumvented.​​ 

"Clean Desk Policy"​​ 

Employees of G-P are instructed not to print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which G-P is required by law to hold in hard copy are stored in locked cabinets.

d) Access Controls Within the Platform​​ 

Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.​​ 

Roles and Authorizations

Roles and Authorization Platform – Customer Access: Customer users can view and edit customer account information.

Roles and Authorization Platform – Professional Access: Professional users can view and edit their own professional information.

Professionals can also gain the Customer access role upon requirement and approval.

Roles and Authorization Platform – Internal Access​​ 

Internal access users have varied roles. They have varied access to create, view, edit, and approve the following:​​ 

Customer information

Billing information

Partner information

Professional personnel record information

Access to the admin system is generally restricted to trained employees in customer support and product development.

e) Firewall as a Service​​ 

G-P uses an external firewall as a service that allows it to grant or block access to websites, to make sure systems can’t access malicious content and to restrict access to inappropriate content.

f) Record of Log-In to the Platform​​ 

G-P maintains a record of all login activity.​​ 

g) Separability​​ 

Ensuring that personal data collected for different purposes can be processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.​​ 

Separation of development, test and operating environments​​ 

Data from the operating environment may only be transferred to test or development environments if it has been made completely anonymous before transfer. The transfer of the anonymized data must be encrypted or take place via a trustworthy network.

Software to be transferred to the operating environment must first be tested in an identical test environment ("staging"). Programs for error analysis or the creation/compilation of software may only be used in the operating environment if this cannot be avoided. This is especially the case if error situations depend on data that would be falsified due to the requirements for anonymization when transferring to test environments.​​ 

Separation in networks​​ 

G-P separates its networks according to tasks. The following networks are used permanently: operating environment ("Production"), test environment ("Staging", "Sandbox"), development environment ("Dev"), office IT staff. In addition to these networks, further separate networks are created as required, e.g., for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated either physically or by means of virtual networks.

h) Availability control​​ 

G-P takes the following steps to ensure that personal data is protected against accidental destruction or loss.​​ 

Data protection procedures/backups

To ensure adequate availability, G-P implements daily snapshots of its database with replication to a different region. Measures are also taken to ensure employees with a job-based need to review data are granted access only to replica datasets.

Geo-redundancy with regard to the server infrastructure for productive data and backups

IT incident management ("Incident Response Management")​​ 

There is a concept and documented procedures for handling incidents and safety-relevant events. This includes the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security-relevant events and the definition of corresponding responsibilities and reporting channels in the event of a violation of the protection of personal data within the framework of the legal requirements.

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​ 

G-P has implemented the following organizational measures to ensure the organization operates in a manner that meets data privacy and protection requirements.

a) Organizational Instructions​​ 

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. Documentation includes how to identify and manage data privacy issues, best practices for ensuring privacy compliance, and policies for addressing privacy incidents.​​ 

b) Commitment to confidentiality and data protection​​ 

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. All employees and contractors are bound in writing to confidentiality and data protection as well as other relevant laws. All employees receive privacy & security training. Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes. The employees and contractors of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.​​ 

c) Data protection training​​ 

All employees receive privacy & security training, which remains available for review at any time in the G-P training platform.

d) Physical Access Controls​​ 

G-P has the following physical controls in place to deny unauthorized persons access to IT systems equipment used for processing.​​ 

Electronic door protection​​ 

The entrance doors to the premises of G-P offices are always locked and electronically secured. The doors are opened via a personal electronic transponder.​​ 

Controlled distribution of keys​​ 

A central, documented allocation of keys to the employees of G-P takes place. These electronic transponders/keys could be deactivated centrally by each office manager or the People Resources department.​​ 

Supervision and accompaniment of external persons​​ 

External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of G-P. G-P applies its written Visitor’s Policy when visitors are invited to the premises.​​ 

Securing of premises with increased need for protection​​ 

Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers where legal documents, contracts, and confidential documentation are held are to be locked at all times except when they are in use.​​ 

Closed doors and windows​​ 

Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.​​ 

e) Recoverability​​ 

G-P ensures that systems in use can be restored in the event of physical or technical failure.​​ 

Regular tests of the data recovery ("Restore-Tests")​​ 

Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster.​​ 

Emergency plan ("Disaster Recovery Concept")​​ 

There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. G-P ensures the recovery of all systems on the basis of the data backups, usually within 48 hours.

Review and evaluation measures​​ 

Presentation of the procedures for regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.​​ 

f) Privacy Team​​ 

The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapting measures in the field of data protection.

g) Risk Management​​ 

There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.​​ 

3) INDEPENDENT REVIEW OF INFORMATION SECURITY​​ 

a) Performance of audits

Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes.​​ 

b) Review of compliance with security policies and standards​​ 

Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out on a random and unexpected basis.​​ 

c) Verification of compliance with technical specifications​​ 

Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the regular development of the product. Detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.​​ 

d) Processing on instruction​​ 

The employees of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.​​ 

e) Careful supplier selection​​ 

G-P adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes feedback from the Finance and Legal/Privacy Departments and incorporates risk assessment, security prequalification and documentation certification steps. Suppliers who will process protected data will be required to demonstrate their adherence to applicable data privacy laws, including Article 28 GDPR for covered data.

Annex III

List of Subprocessors
Subprocessor
Location and Contact Information
Description of Processing
3933 Lake Washington Blvd NE #350, Kirkland, WA 98033, USA
Financial Services
P.O. Box 81226
Seattle, WA 98108-1226, USA
Hosting - Cloud Service Provider
Microsoft Corporation, One Microsoft Way
Redmond, Washington 98052 USA Telephone: (+1) 425-882-8080.
Business Process Support for communication (email) and service management
350 Bush Street, Floor 13
San Francisco, CA 94104, USA
+1 415 701 1110
Business Process Support for service management
DocuSign International (EMEA) Ltd, Attention: Privacy Team, 5 Hanover Quay, Ground Floor, Dublin 2, Republic of Ireland
Document Management
Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA​​ 
1-800-387-3285​​ 
Business Process Support for Customer Relationship Management (CRM)
989 Market St
San Francisco, CA 94103, USA
888-670-4887
Helpdesk inquiries for Customer support
2225 Lawson Lane, Santa Clara, CA 95054
USA
Business Process Support for IT service and operations management, the employee and customer experiences through (automated cloud-based workflow)
160 Spear Street, 15th Floor San Francisco, CA 94105 1-866-330-0121
USA
Cloud data warehouse infrastructure.
620 8th Ave, 45th Floor
New York, NY 10018
USA
Service monitoring and debugging tools
Avenue Louise 54, Room S52,
1050 Brussels
Belgium
Online payment processor
1600 Amphitheatre Pkwy, Mountain View, CA 94043
Business Process Support for communication (email) and internal document storage