Last updated: 01-08-2026

Data Processing Agreement

Version 1.0

Preamble

This Data Processing Agreement ("DPA") is made and entered into as of 01-08-2026 and forms part of the commercial Agreement (the "Agreement") in accordance with Article 17 of the Law on Personal Data Protection of the Kingdom of Cambodia ("PDPL"). The customer, on behalf of itself (collectively, "Customer", "You", "Your", or "Data Controller") acknowledges that it has read, understood, and agreed to comply with this DPA, and is entering into a binding legal agreement with Privexus ("Privexus", "Us", "We", "Our", "Service Provider", or "Data Processor") to reflect the parties' agreement with regard to the Processing of Personal Data (as such terms are defined below). Both parties shall be referred to as the "Parties" and each, a "Party".

Whereas

Whereas, Privexus shall provide the services set forth in the Agreement (collectively, the "Services") for Customer, as described in the Agreement.

Whereas, in the course of providing the Services pursuant to the Agreement, Privexus may process Personal Data on behalf of Customer, in the capacity of a "Data Processor" as defined under the PDPL; and the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

Whereas, Article 17 of the PDPL requires a data controller and a data processor to enter into a written contract specifying the subject matter of the contract, duration of personal data processing, nature and purpose of the processing, types of personal data, categories of data subject, notification procedure for personal data protection breach, as well as the obligations and rights of the data controller.

Now therefore, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the Parties, intending to be legally bound, agree as follows:

1. Interpretation and definitions

1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

1.2 For the purposes of this DPA, the following definitions apply:

  • Personal Data refers to any information relating to an identified or identifiable natural person, including an identifier such as a name, identification number, location data, online identifier (IP address, email address, account name), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Processing refers to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.
  • Data Subject refers to an identified or identifiable natural person to whom Personal Data relates.
  • Data Controller refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • Data Processor refers to a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
  • Sub-processor refers to any natural or legal person engaged by the Data Processor to process Personal Data on behalf of the Data Controller, including any further sub-processor engaged by a Sub-processor.
  • Personal Data Protection Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
  • Services refers to the privacy management, data governance, records management, cybersecurity, and AI governance services provided by Privexus to Customer as described in the Agreement.

2. Roles and responsibilities of the parties

2.1 The Parties acknowledge and agree that, with regard to the Processing of Personal Data under this DPA:

  • Customer is the Data Controller.
  • Privexus is the Data Processor.

2.2 Customer shall comply with its obligations as a Data Controller under the PDPL, including but not limited to:

  • Determining the purposes and means of the Processing of Personal Data.
  • Ensuring that there is a lawful basis for the Processing of Personal Data.
  • Providing Data Subjects with appropriate privacy notices.
  • Responding to requests from Data Subjects exercising their rights under the PDPL.
  • Maintaining a record of processing activities as required under the PDPL.

2.3 Privexus shall comply with its obligations as a Data Processor under the PDPL and shall Process Personal Data only on behalf of and in accordance with the documented instructions of Customer.

3. Subject matter, nature, duration, and purpose of the processing

3.1 The subject matter, nature, duration, and purpose of the Processing of Personal Data under this DPA are set out below and further detailed in Annex 1:

  • Subject matter: The provision of the Services by Privexus to Customer as described in the Agreement.
  • Nature: Storage, retrieval, analysis, transmission, and other processing of Personal Data as necessary to provide the Services.
  • Duration: 01-08-2026 through 31-07-2027, and shall automatically renew for successive one-year terms unless either Party provides written notice of non-renewal at least sixty days before the end of the then-current term.
  • Purpose: Privacy management, data governance, records management, cybersecurity, AI governance, and any other purpose set out in the Agreement or subsequently agreed in writing by the Parties.

4. Types of personal data

4.1 The Personal Data Processed under this DPA includes, without limitation, the following types of Personal Data, as further detailed in Annex 1:

  • Contact information, including name, email address, telephone number, and postal address.
  • Identification data, including national ID numbers, passport numbers, and tax identification numbers.
  • Financial data, including payment details, billing addresses, and transaction history.
  • Employment data, including job title, salary, employment history, and performance records.
  • Technical data, including IP address, device identifiers, browser type, and cookies.
  • Behavioral data, including browsing history, preferences, and usage patterns.
  • Communications data, including emails, chat logs, and call recordings.
  • Any other Personal Data that Customer submits to the Services in its sole discretion.

5. Categories of data subjects

5.1 The Personal Data Processed under this DPA relates to the following categories of Data Subjects, as further detailed in Annex 1:

  • Employees of Customer.
  • Customers of Customer.
  • Prospective customers of Customer.
  • Business contacts of Customer.
  • Suppliers and vendors of Customer.
  • Website visitors.
  • Application users.
  • Contractors of Customer.
  • Job applicants.

6. Documented instructions

6.1 Privexus shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data, unless required to do so by applicable law.

6.2 Customer hereby instructs Privexus to Process Personal Data for the purposes set out in this DPA and the Agreement.

6.3 If Privexus is required by applicable law to Process Personal Data beyond the instructions of Customer, Privexus shall inform Customer of such requirement before Processing, unless that law prohibits such information on important grounds of public interest.

6.4 To the extent that Privexus cannot comply with a request from Customer relating to Processing of Personal Data, or where Privexus considers such a request to be unlawful, Privexus shall inform Customer, providing relevant details of the problem, and may, without liability to Customer, temporarily cease all Processing of the affected Personal Data, other than securely storing those data.

7. Confidentiality

7.1 Privexus shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.2 Privexus may disclose Personal Data to legal counsel, data protection advisors, accountants, investors, or potential acquirers on a need-to-know basis under an obligation of confidentiality.

8. Security measures

8.1 Privexus shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • The pseudonymization and encryption of Personal Data.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services.
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

8.2 Detailed security measures, including the technical, organizational, and legal measures implemented by Privexus, are set out in Annex 2 of this DPA.

9. Sub-processors

9.1 Customer hereby authorizes Privexus to engage Sub-processors to Process Personal Data. Privexus shall maintain a list of Sub-processors and shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors.

9.2 Customer may reasonably object to Privexus's use of a Sub-processor for reasons related to the PDPL by notifying Privexus promptly in writing within ten business days after receipt of Privexus's notice.

9.3 Privexus shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA, in accordance with Article 17 of the PDPL.

9.4 The list of authorized Sub-processors as of 01-08-2026 is set out in Annex 3.

10. Personal data protection breach notification

10.1 Privexus shall notify Customer without undue delay, and in any event within seventy-two hours, after becoming aware of a Personal Data Protection Breach.

10.2 The notification shall include, to the extent known:

  • The nature of the Personal Data Protection Breach, including where possible the categories and approximate number of Data Subjects concerned.
  • The name and contact details of the Personal Data Protection Officer or other contact point.
  • The likely consequences of the Personal Data Protection Breach.
  • The measures taken or proposed to be taken to address the Personal Data Protection Breach, including measures to mitigate its possible adverse effects.
  • The categories and approximate number of Personal Data records concerned.

10.3 Privexus shall cooperate with Customer and take all reasonable steps to assist Customer in complying with Customer's obligations under the PDPL.

11. Data subject requests

11.1 Privexus shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising the Data Subject's rights under the PDPL.

11.2 If Privexus receives a request from a Data Subject to exercise their rights under the PDPL, Privexus shall, to the extent legally permitted, promptly notify and forward such request to Customer.

11.3 To the extent legally permitted, Customer shall be responsible for any costs arising from Privexus's provision of such assistance.

12. International transfers

12.1 Any transfer of Personal Data outside the Kingdom of Cambodia shall be subject to appropriate safeguards under Article 23 of the PDPL.

12.2 Personal Data may be transferred to Singapore and other jurisdictions as set out in Annex 3, based on:

  • The necessity for the performance of a contract between the Data Subject and the Data Controller.
  • Appropriate safeguards assessed by the Data Controller.
  • Standard Contractual Clauses between Privexus and the data importer.

12.3 The data controller shall maintain evidence to demonstrate to the Ministry of Post and Telecommunications that appropriate safeguards are in place, including risk assessments for cross-border transfers, contracts with data importers, records of technical and organizational measures, and consent records where applicable.

13. Return or deletion of personal data

13.1 Upon termination of the Services, Privexus shall, at the choice of Customer, return all Personal Data to Customer or delete all Personal Data, and delete any existing copies, unless retention is required by applicable law.

13.2 Return shall be made in a structured, commonly used format within thirty days of termination, and deletion shall be completed within sixty days, with written certification provided upon request.

13.3 To the extent required or allowed by applicable law, Privexus may retain one copy of the Personal Data for evidence purposes or for the establishment, exercise, or defense of legal claims.

14. Audit rights

14.1 Privexus shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

14.2 Audit frequency shall be annual, with at least thirty days advance notice. Scope includes all systems and processes handling Customer's Personal Data.

14.3 Nothing in this DPA will require Privexus either to disclose to Customer, or provide access to, any data of any other customer of Privexus, internal accounting or financial information, any trade secret of Privexus, or any information that could compromise the security of any of Privexus's systems or premises.

15. Liability

15.1 Each Party shall be liable for damages caused by its Processing of Personal Data in violation of this DPA, the Agreement, or the PDPL. Liability shall be allocated in accordance with the laws of the Kingdom of Cambodia and the Agreement.

15.2 Privexus shall not be liable for any claim brought by a third party, including a Data Subject, arising from any act or omission of Privexus to the extent that such claim is the result of Customer's instructions.

16. Governing law and dispute resolution

16.1 This DPA shall be governed by and construed in accordance with the laws of the Kingdom of Cambodia.

16.2 Any dispute arising out of or in connection with this DPA shall be resolved by arbitration in Phnom Penh under the rules of the Cambodia National Arbitration Centre (CAMARB).

Annex 1. Details of the processing (Article 17 PDPL)

This Annex sets forth the required elements of a data processing contract as specified in Article 17 of the PDPL.

1. Subject matter of the contract.

The provision of the Services by Privexus to Customer as set out in the Agreement.

2. Duration of personal data processing.

01-08-2026 through 31-07-2027, automatically renewing as described in clause 3.1.

3. Nature and purpose of the processing.

Nature: collection, storage, retrieval, analysis, transmission, and any other processing as necessary to provide the Services.

Purpose: privacy management, data governance, records management, cybersecurity, AI governance, compliance with legal obligations, and the performance of the Agreement.

4. Types of personal data.

Contact information, identification data, financial data, employment data, technical data, behavioral data, communications data, and any other Personal Data submitted by Customer in its sole discretion.

5. Categories of data subjects.

Employees, customers, prospective customers, business contacts, suppliers, website visitors, application users, contractors, and job applicants of Customer.

6. Notification procedure for personal data protection breach.

Notification timeframe: seventy-two hours from becoming aware of the breach.

Notification method: email to Customer's designated contact, followed by written confirmation.

Contact person: as designated by Customer.

Contact email: .... as designated by Customer from time to time.

7. The frequency of data processing.

Continuous or as required for the performance of the Services.

8. The period for which the personal data will be retained.

As described in this DPA and the Agreement, and in accordance with clause 13.

9. For transfers to Sub-processors.

As detailed in Annex 3.

Annex 2. Security measures

This Annex sets forth the technical, organizational, and legal measures implemented by Privexus to protect Personal Data in accordance with Article 20 of the PDPL.

1. Technical measures

MeasureStatus
Encryption in transit (TLS 1.3)Implemented
Encryption at rest (AES-256)Implemented
Key managementImplemented
Role-based access controlImplemented
Multi-factor authenticationImplemented
Web application firewallsImplemented
Intrusion detection systemImplemented
Automated vulnerability scanningImplemented
Annual penetration testingImplemented
Patch managementImplemented
Encrypted backupsImplemented
DDoS protectionImplemented
Network segmentationImplemented

2. Organizational measures

MeasureStatus
Information security policiesImplemented
Security awareness trainingImplemented
Background checksImplemented
Incident response planImplemented
24/7 security operationsImplemented
Change management processImplemented
Vendor risk managementImplemented
Business continuity planningImplemented
Data classification schemeImplemented

3. Legal measures

MeasureStatus
Confidentiality agreementsImplemented
Sub-processor data processing agreementsImplemented
Privacy impact assessmentsImplemented
Regulatory compliance programImplemented
Audit trail maintenanceImplemented
Data retention policiesImplemented

Annex 3. Sub-processor list and cross-border data transfer safeguards

1. Authorized Sub-processors as of 01-08-2026

Entity NameSub-Processing ActivitiesCountry of hosting
AppwriteCloud hosting, database, and storage servicesSingapore
Proton MailEmail deliveryEurope
ABA BankPayment processingCambodia (storage location: unknown)

2. Legal basis for cross-border transfer

The transfer of Personal Data outside the Kingdom of Cambodia under this DPA is based on the following conditions as permitted by Article 23 of the PDPL:

  • The necessity for the performance of a contract between the Data Subject and the Data Controller.
  • The Data Controller has assessed that appropriate safeguards are in place.

3. Destination countries

Personal Data may be transferred to the following countries:

  • Singapore, in connection with Appwrite cloud hosting, database, and storage services.
  • Europe, in connection with Proton Mail email delivery services.
  • Cambodia, in connection with ABA Bank payment processing services, with storage location currently unknown and to be confirmed in writing by ABA Bank on or before .... (date of confirmation).

4. Appropriate safeguards

The following appropriate safeguards have been assessed and implemented to protect the Personal Data being transferred:

  • Encryption of Personal Data in transit and at rest.
  • Access controls and authentication measures.
  • Contractual commitments from the data importer to maintain equivalent data protection standards.
  • Regular security assessments and audits.

5. Data importer obligations

The data importer (Privexus or its Sub-processors located outside the Kingdom of Cambodia) agrees to:

  • Process Personal Data only in accordance with the documented instructions of the data exporter.
  • Implement appropriate technical and organizational measures to protect Personal Data.
  • Notify the data exporter promptly of any Personal Data Protection Breach.
  • Assist the data exporter in responding to Data Subject requests.
  • Delete or return all Personal Data upon termination of the processing.
  • Allow for audits and inspections as required.

6. Evidence and documentation

The Data Controller shall maintain evidence to demonstrate to the Ministry of Post and Telecommunications that appropriate safeguards are in place, including:

  • Risk assessments for cross-border transfers.
  • Contracts with data importers.
  • Records of technical and organizational measures.
  • Consent records where applicable.

Signature blocks

IN WITNESS WHEREOF, the Parties have caused this Data Processing Agreement to be executed by their duly authorized representatives as of 01-08-2026.

For and on behalf of the Data Controller

FieldDetails
Legal name
Country of incorporation
Registered address
Representative name
Representative position
Signature
Date

For and on behalf of the Data Processor

FieldDetails
Legal namePrivexus
Country of incorporationKingdom of Cambodia
Registered address
Representative name
Representative positionPersonal Data Protection Officer
Signature
Date01-08-2026

Document version 1.0, last updated 01-08-2026. This DPA is entered into and effective as of 01-08-2026.