Data Processing Agreement

Last updated: May 2026

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms are aligned with Indonesia's Personal Data Protection Law (UU PDP, Law No. 27 of 2022):

  • "Controller" means the Customer — the entity that determines the purposes and means of processing personal data through applications deployed on Delt.
  • "Processor" means PT Sarang Nalar Karya (trading as Cognerest, operating the Delt platform) — the entity that processes personal data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by the Processor to assist in processing personal data.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by UU PDP.
  • "Data Subject" means the individual whose personal data is processed.
  • "Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion.

2. Scope of Processing

This DPA applies when Delt processes personal data on behalf of the Customer. This occurs when the Customer's application, deployed on Delt infrastructure, collects, stores, or processes personal data from the Customer's end-users.

  • Types of data: Application data and end-user data as determined by the Customer's application logic.
  • Purpose: Hosting and running the Customer's application, including building and deploying the application, provisioning SSL certificates, and managing compute environments.
  • Duration: For the term of the Customer's Delt account, plus the data retention period specified in Section 8.

3. Processor Obligations

As a data processor, Delt shall:

  • Process personal data only on documented instructions from the Controller, unless required by law.
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 4.
  • Assist the Controller in responding to data subject requests (access, correction, deletion, portability) within reasonable timeframes.
  • Notify the Controller of personal data breaches within 72 hours as described in Section 7.
  • Delete or return all personal data upon termination as described in Section 8.
  • Make available information necessary to demonstrate compliance with this DPA.

4. Security Measures

Delt implements the following technical and organizational measures to protect personal data:

  • Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted at rest.
  • Environment variable encryption: Application secrets are encrypted using Supabase Vault (pgsodium) before storage. Plaintext values are never persisted.
  • Encryption in transit: All communications are encrypted via TLS.
  • Tenant isolation: Each Customer's application runs in a dedicated, isolated compute environment with enforced resource quotas, preventing cross-tenant access to data or resources.
  • Row-Level Security: Database tables enforce Row-Level Security (RLS) policies ensuring data isolation at the database level.
  • Webhook validation: All external webhooks are validated using HMAC signature verification (SHA-256 for GitHub, SHA-512 for Midtrans) to prevent unauthorized data manipulation.

5. Sub-Processors

Delt engages the following sub-processors to provide the Service:

  • Amazon Web Services: Cloud compute, storage, build services, and queue processing (location per Customer's region selection)
  • Supabase: Authentication, database, secrets management, and serverless functions (Singapore)
  • Cloudflare: DNS, SSL, CDN, and DDoS protection (global edge network)
  • Paddle: Payment processing, tax compliance, and invoicing for international customers (United Kingdom)
  • Midtrans: Payment processing for Indonesian customers (Indonesia)
  • GitHub: Source code integration (United States)

Delt will notify the Controller via email of any intended changes to sub-processors at least 30 days before the change takes effect. The Controller may object to the change within that period. If the objection cannot be reasonably resolved, the Controller may terminate the agreement.

6. Controller Obligations

The Controller shall:

  • Ensure that the processing of personal data through the Service complies with applicable data protection laws, including UU PDP.
  • Provide clear and lawful instructions to Delt regarding the processing of personal data.
  • Obtain all necessary consents from data subjects before processing their personal data through applications deployed on Delt.
  • Notify Delt promptly of any data subject requests that require Delt's assistance.

7. Data Breach Notification

In the event of a personal data breach affecting the Controller's data, Delt will notify the Controller within 72 hours (3 × 24 hours) of becoming aware of the breach, in accordance with UU PDP requirements. The notification will include:

  • The nature and scope of the breach
  • The categories and approximate number of data subjects affected
  • The categories of personal data affected
  • Measures taken or proposed to address the breach
  • Recommendations for the Controller to mitigate potential adverse effects

8. Data Deletion on Termination

Upon termination of the Customer's Delt account, Delt will delete all Customer personal data within 30 days, including:

  • Application resources (deployments, services, compute environments, and associated data)
  • Supabase Vault entries (encrypted environment variables)
  • Deployment artifacts in container registry
  • Account and project configuration data

Billing and transaction records are retained as required by Indonesian tax regulations and are exempt from the deletion obligation.

9. Audit Rights

The Controller has the right to audit Delt's compliance with this DPA, subject to the following conditions:

  • Audits require at least 30 days advance written notice.
  • Audits are conducted during normal business hours.
  • Audits are limited to no more than once per calendar year.
  • Delt may satisfy audit requests by providing relevant compliance documentation, security reports, or third-party audit results in lieu of on-site access.

10. Cross-Border Data Transfers

Application workloads are hosted in the cloud region selected by the Customer at project creation (available regions include Singapore, United States, and future regions in Europe and Japan). Control plane data (account information, billing, authentication) is processed in Singapore (Supabase). Some processing occurs outside the Customer's selected region through sub-processors — in particular, GitHub (United States) for source code integration and Cloudflare (global) for DNS and CDN.

Where personal data is transferred outside the Customer's jurisdiction, Delt ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) for EU/EEA transfers, contractual commitments per UU PDP Article 56 for Indonesian transfers, and equivalent protection documentation for Japanese transfers under APPI.

11. GDPR Processor Obligations (Article 28)

Where the Customer is established in the EU/EEA or processes personal data of EU/EEA data subjects, the following GDPR Article 28 obligations apply in addition to Section 3:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries (unless required by EU or Member State law).
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Take all measures required pursuant to GDPR Article 32 (security of processing).
  • Respect the conditions for engaging sub-processors as set out in Section 5, including prior specific or general written authorization.
  • Assist the Controller by appropriate technical and organizational measures for the fulfilment of data subject requests under GDPR Chapter III.
  • Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation).
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits.

12. Standard Contractual Clauses

For transfers of personal data from the EU/EEA to countries not recognized as providing adequate protection under GDPR Article 45, the parties agree that the Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision 2021/914) are incorporated by reference into this DPA. Delt acts as the data importer and the Customer acts as the data exporter. The applicable module is Module 2 (Controller to Processor). The parties agree to complete Annex I and Annex II of the SCCs as described in this DPA.

13. Breach Notification SLA

Delt commits to the following breach notification timeline:

  • Within 72 hours of becoming aware of a personal data breach: initial notification to the Controller containing the nature of the breach, categories of data affected, and immediate remediation steps taken.
  • Within 5 business days: detailed follow-up report including approximate number of data subjects affected, likely consequences, and comprehensive remediation plan.
  • Delt will cooperate with the Controller in notifying affected data subjects and relevant supervisory authorities as required by applicable law.

This timeline satisfies GDPR (72 hours), UU PDP (72 hours), and APPI (3-5 business days) requirements.

14. Data Deletion and Return on Termination

Upon termination of the Customer's Delt account or upon written request by the Controller:

  • Delt will delete all Customer personal data within 30 days, including application resources, encrypted environment variables, container images, and project configuration.
  • Upon request prior to deletion, Delt will provide the Controller with a copy of their data in a commonly used, machine-readable format (JSON export of project configuration and metadata).
  • Delt will certify in writing that all personal data has been deleted, except where retention is required by applicable law.
  • Billing and transaction records are retained as required by applicable tax regulations and are exempt from the deletion obligation.

After the 30-day deletion period, recovery of deleted data is not possible.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

16. Term and Amendments

This DPA is effective for the duration of the Customer's use of the Delt Service. Delt may update this DPA to reflect changes in legal requirements or processing practices. Material changes will be communicated via email at least 30 days before taking effect.

17. Contact

For questions about this Data Processing Agreement, contact us at privacy@cognerest.com.

PT Sarang Nalar Karya (Cognerest)
Republic of Indonesia