Processing Addendum (DPA)

This Data Processing Addendum (the "DPA") is entered into between Customer ("Customer") and Arena STC. (ArenaCommerce) (each a "Party" and collectively the "Parties") and is incorporated into and forms part of the existing agreement between the Parties, namely the Agreement for the provision of Services by ArenaCommerce (the "Agreement"). This DPA shall be effective and replace any previously applicable data processing and security terms as of the Effective Date of the Agreement.

  1. Definitions

1.1 "Customer Personal Data" refers to any personal data or information that is provided by the Customer or its affiliates to ArenaCommerce for processing in connection with the provision of the Services under the Agreement.

  1. Data Processing

2.1 In connection with the provision of the Services, ArenaCommerce agrees to process Customer Personal Data on behalf of the Customer or its affiliates, solely for the purposes outlined in the Agreement.

2.2 ArenaCommerce shall process Customer Personal Data in accordance with applicable data protection laws and regulations and shall take appropriate technical and organizational measures to ensure the security and confidentiality of the Customer Personal Data.

  1. Obligations of ArenaCommerce

3.1 ArenaCommerce shall only process Customer Personal Data in accordance with the documented instructions provided by the Customer, unless required to do so by applicable laws or regulations. In such cases, ArenaCommerce shall inform the Customer of any legal requirement that may impact the processing of the Customer Personal Data, unless prohibited by law.

3.2 ArenaCommerce shall ensure that its personnel involved in the processing of Customer Personal Data are bound by appropriate confidentiality obligations.

3.3 ArenaCommerce shall implement and maintain appropriate technical and organizational measures to protect the security and confidentiality of the Customer Personal Data. These measures shall be designed to ensure a level of security appropriate to the risks presented by the processing of Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the likelihood and severity of potential risks to the rights and freedoms of individuals.

  1. Subprocessing

4.1 ArenaCommerce may engage subprocessors to assist in the provision of the Services. ArenaCommerce shall ensure that any subprocessor engaged to process Customer Personal Data on its behalf complies with the obligations set forth in this DPA and provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures to protect the rights and freedoms of individuals.

4.2 ArenaCommerce shall remain fully liable to the Customer for the performance of any subprocessor's obligations under this DPA.

  1. Data Subject Rights and Assistance

5.1 ArenaCommerce shall assist the Customer in fulfilling its obligations to respond to requests from individuals exercising their rights under applicable data protection laws, including but not limited to the right of access, rectification, erasure, restriction of processing, and data portability.

5.2 ArenaCommerce shall promptly notify the Customer if it receives any request from an individual in relation to their personal data processed under the Agreement and shall not respond to such request without the Customer's prior written consent, except to confirm that the request relates to the Customer.

  1. Data Security Breach

6.1 In the event of a Data Security Breach involving Customer Personal Data, ArenaCommerce shall notify the Customer without undue delay after becoming aware of the breach. ArenaCommerce shall cooperate with the Customer and provide reasonable assistance to the Customer in relation to the investigation, mitigation, and remediation of the Data Security Breach.

  1. Return or Deletion of Customer Personal Data

7.1 Upon termination or expiry of the Agreement, ArenaCommerce shall, at the Customer's option, delete or return all Customer Personal Data processed under the Agreement, unless required to retain such data by applicable laws or regulations.

  1. Governing Law and Jurisdiction

8.1 This DPA shall be governed by and construed in accordance with the laws of Vietnam. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts in Vietnam.

  1. Entire Agreement

9.1 This DPA constitutes the entire agreement between the Parties with respect to the processing of Customer Personal Data and supersedes any prior agreements or understandings, whether written or oral, relating to the subject matter hereof.

By agreeing to the terms of the Agreement, the Parties acknowledge and agree to be bound by the terms of this Data Processing Addendum.

Signed on behalf of Customer:

Signed on behalf of Arena STC. (ArenaCommerce):

Date: 2023/01/31