This Data Processing Agreement (“DPA”) is entered into between:
1. You (the “Merchant,” “Data Controller”) and
2. BON Loyalty, a company registered in Hanoi, Vietnam with a registered address at Number 9, Alley 6, Residential Group 3, Duc Thang Ward, Bac Tu Liem District, Hanoi City, Vietnam (“Processor”).
Collectively referred to as the “Parties” and individually as a “Party.”
(A) The Controller operates an e-commerce business and engages the Processor to provide a loyalty app service, which involves the processing of customer data.
(B) The Parties seek to comply with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).
(C) This DPA forms part of the service agreement between the Parties (“Main Agreement”) and governs the Processor’s processing of personal data on behalf of the Controller.
1.1. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) processed by the Processor on behalf of the Controller under this DPA.
1.2. “Processing” means any operation or set of operations performed on Personal Data, such as collection, storage, use, disclosure, or deletion, as defined in Article 4(2) GDPR.
1.3. Terms such as “Controller,” “Processor,” “Data Subject,” and “Personal Data Breach” have the meanings assigned under GDPR.
2.1. The Processor shall process Personal Data to provide the loyalty app services, including managing customer rewards, sending automated emails and communications, and analyzing user engagement and usage behaviors, as instructed by the Controller.
2.2. This DPA remains in effect for the duration of the Main Agreement and until all Personal Data is deleted or returned in accordance with Clause 9.
3.1. The Processor shall process Personal Data to deliver the loyalty app services, including:
3.2. Processing shall be carried out only on the Controller’s documented instructions, unless required by EU or Member State law.
4.1. Types of Personal Data: Names, email addresses, gender, phone number, address (optional), order history, loyalty points, and behavioral data (e.g., browsing or redemption activity).
4.2. Categories of Data Subjects: Customers of the Controller’s e-commerce platform.
5.1. The Processor (BON Loyalty) shall:
a) Process Personal Data only on written instructions from the Controller, including with regard to transfers to third countries, unless required by law (in which case, the Processor shall inform the Controller before processing, unless prohibited by law). The Controller shall ensure that all personal data provided to the Processor is collected and processed in compliance with applicable data protection laws, and the Processor shall act only on documented instructions from the Controller.
b) Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.
d) Assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III, including rights to access, rectification, erasure, and data portability.
e) Assist the Controller in ensuring compliance with GDPR Articles 32–36, including security, breach notifications, and data protection impact assessments.
f) The Processor shall notify the Controller of a confirmed personal data breach without undue delay, providing details as required by Article 33(3) GDPR. A personal data breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed under this DPA.
g) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
6.1. The Processor shall not engage sub-processors without consent from the Controller.
6.2. The list of sub-processors is not fixed and can be extended without prior notice to the Controller.
6.3. Current sub-processors (if applicable):
7.1. The Processor may transfer Personal Data to Vietnam, outside the EEA, only in compliance with GDPR Chapter V.
7.2. The Parties incorporate the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU) as Annex I to this DPA to ensure lawful data transfers. The Processor shall comply with the obligations of the data importer under the SCCs.
7.3. The Processor shall implement supplementary measures to ensure an adequate level of protection for transferred Personal Data, including encryption and pseudonymization where feasible.
8.1. Should the information provided under Clause 5.1(g) be insufficient, the Controller may conduct a direct audit of the Processor’s data processing facilities and practices, subject to at least 30 days’ prior written notice and during normal business hours (9 AM – 6 PM, UTC+7). Such an audit shall be at the Controller’s expense, limited in scope to the Processing of Personal Data under this DPA, and conducted in a manner that does not unreasonably interfere with the Processor’s business operations. The Controller and its mandated auditor must enter into a standard confidentiality agreement with the Processor before any audit.
8.2. The Processor shall cooperate fully with such audits and provide access to relevant documentation and systems.
9.1. Each party’s liability under this DPA shall be limited to the extent of its respective fault, as determined by applicable law.
9.2. The Processor shall be liable to the Controller for any failure by a sub-processor to fulfill its data protection obligations.
9.3. The Processor shall bear the costs of breach notifications only to the extent that the breach results from its failure to comply with this DPA. The Controller shall bear costs arising from its instructions or vulnerabilities in its systems.
This DPA is governed by the laws of Vietnam. However, if applicable Data Protection Laws mandate a specific governing law or jurisdiction, such requirements shall prevail.