Data Processing Agreement (DPA)

B2B addendum to the Terms of Service · Aligned with GDPR Article 28 · Vietnam PDPL Article 26

1. Parties

Controller: the Customer named in the TraceESG subscription order. Processor: Công ty TNHH TraceESG Việt Nam (TraceESG Vietnam Co., Ltd., tax code MST 0123456789).

2. Subject matter and duration

Processor processes Personal Data on behalf of Controller for the term of the Service contract and for 30 days thereafter (the data export window described in clause 12).

3. Nature and purpose of processing

Hosting, scoring, reporting, certification, traceability, and notification services as described in the public service description at traceesg.com.

4. Categories of Data Subjects

Controller's employees, customers, suppliers, smallholders, auditors, and end-consumers scanning QR codes.

5. Categories of Personal Data

  • Identification: name, email, phone, employee ID
  • Authentication: argon2id password hash, MFA (TOTP) secrets encrypted with AES-256-GCM
  • Geo-location: GPS coordinates attached to photo evidence
  • Activity: audit log of actions taken in the system

6. Sub-processors

Processor uses the sub-processors listed at /legal/subprocessors. Controller is notified at least 30 days before a new sub-processor is engaged.

7. Technical and Organisational Measures (TOMs) — Annex II equivalent

  • Encryption in transit: TLS 1.3; HSTS with preload
  • Encryption at rest: AES-256-GCM for sensitive fields (application-level) plus AES-256 server-side encryption for object storage (S3)
  • Access control: role-based access control (RBAC), per-tenant row-level security (RLS) in Postgres, TOTP multi-factor authentication
  • Audit: tamper-evident audit log (HMAC-SHA256, each record chained to the previous one); chain head anchored to Bitcoin daily
  • Backups: continuous WAL archiving (RPO 15 min) plus nightly snapshots (RTO 4 h)
  • Vulnerability management: annual penetration test plus monthly dependency scan
  • Personnel: NDA signed, background-checked, least-privilege access
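What a "tamper-evident HMAC-SHA256 chained log" with an external anchor means in practice, shown as an added illustration that is not TraceESG's implementation: each record's tag is an HMAC over the record and the previous record's tag, so editing or reordering any record invalidates every tag after it, while deleting the newest records leaves a chain that still verifies and is only caught by comparing the chain head against the value published externally (the daily anchor). The key, record layout and sample events are assumptions made for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Illustrative HMAC-SHA256 chained audit log with an external anchor check.
# The key, record layout and sample events below are assumptions made for
# this example; they are not TraceESG's actual format or key handling.
AUDIT_KEY = b"example-only-audit-hmac-key"  # real deployments: HSM/KMS-held key
GENESIS = "0" * 64  # "previous tag" value used by the first record


def _canonical(obj: Dict) -> bytes:
    """Canonical JSON so the same record always serialises to the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(seq: int, prev: str, event: Dict, key: bytes) -> str:
    """HMAC over sequence number, previous tag and event: each record commits to its predecessor."""
    msg = _canonical({"seq": seq, "prev": prev, "event": event})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(chain: List[Dict], event: Dict, key: bytes = AUDIT_KEY) -> Dict:
    """Append an event to the chain and return the new record."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    record = {"seq": seq, "prev": prev, "event": event, "tag": _tag(seq, prev, event, key)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes = AUDIT_KEY) -> Optional[int]:
    """Return None if every record verifies, otherwise the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _tag(rec["seq"], rec["prev"], rec["event"], key)
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev = rec["tag"]
    return None


def anchor_value(chain: List[Dict]) -> str:
    """Chain head to publish externally (the 'daily anchor'); an empty chain anchors GENESIS."""
    return chain[-1]["tag"] if chain else GENESIS


def demo() -> Dict:
    # Constructed sample events; not real TraceESG audit data.
    events = [
        {"actor": "alice@example.com", "action": "login", "tenant": "t-001"},
        {"actor": "alice@example.com", "action": "export", "tenant": "t-001"},
        {"actor": "bob@example.com", "action": "score.update", "tenant": "t-001"},
    ]
    chain: List[Dict] = []
    for ev in events:
        append_event(chain, ev)
    published_anchor = anchor_value(chain)  # value that would be anchored off-platform

    intact = verify_chain(chain) is None

    # Case 1: in-place edit of a middle record without the key: caught by the chain itself.
    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["event"]["actor"] = "mallory@example.com"
    first_bad = verify_chain(edited)

    # Case 2: truncation (drop the newest record): the chain still verifies;
    # only the comparison against the published anchor reveals it.
    truncated = chain[:-1]
    truncation_passes_chain_check = verify_chain(truncated) is None
    truncation_caught_by_anchor = anchor_value(truncated) != published_anchor

    return {
        "intact": intact,
        "first_bad": first_bad,
        "truncation_passes_chain_check": truncation_passes_chain_check,
        "truncation_caught_by_anchor": truncation_caught_by_anchor,
    }


if __name__ == "__main__":
    print(demo())
```

The second case is the reason the anchor exists: a chain alone proves that nothing inside it was altered, not that nothing was cut off the end, so a Controller exercising audit rights should compare the head it is given against the anchored value, not only re-run the HMAC check.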

8. International data transfers

Transfers outside Vietnam and the EU rely on the EU Standard Contractual Clauses (Module 2, controller-to-processor, and Module 3, processor-to-processor). A Transfer Impact Assessment is available on request.

9. Data subject rights assistance

Processor assists Controller in responding to data subject requests within the applicable statutory period (72 hours under the PDPL; one month under the GDPR). An API endpoint is provided for this purpose: POST /api/gdpr/respond.

10. Personal data breach notification

Processor notifies Controller of a personal data breach without undue delay, and no later than 24 hours after becoming aware of it, at the email address registered to the Account.

11. Audit rights

Controller may audit Processor once per year on 30 days' written notice. Once certified, Processor may provide its SOC 2 Type II report to satisfy this requirement in place of an on-site audit.

12. Termination — return or deletion of data

Within 30 days of contract end, Controller may export all of its data in JSON via /api/gdpr/export. After this window, Processor deletes all Personal Data, except the audit chain, which is pseudonymized and retained for 7 years as required by Luật Kế toán (Vietnam's Law on Accounting).

13. Governing law

This DPA is governed by Vietnamese law. EU-based Controllers may opt into GDPR/Irish law via signed addendum.

14. Signing

Enterprise customers requiring a counter-signed copy may request one via legal@traceesg.com. For Starter and Professional plans, acceptance of the Terms of Service constitutes acceptance of this DPA.
