1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below:
- Controller means the customer who determines the purposes and means of processing Personal Data through the Kuluara platform.
- Processor means PT Tom Marvolo Riddle Group, which processes Personal Data on behalf of the Controller through the Kuluara platform.
- Data Subject means an identified or identifiable natural person whose Personal Data is processed through the Kuluara platform.
- Personal Data means any information relating to a Data Subject that is processed through the Kuluara platform, including but not limited to names, email addresses, phone numbers, messages, and CRM records.
- Processing means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Applicable Data Protection Law means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Indonesia Personal Data Protection Law No. 27 of 2022 ("UU PDP"), and any implementing regulations thereof.
2. Scope and roles
This DPA applies to the Processing of Personal Data by Kuluara on behalf of the Controller in connection with the provision of the Kuluara CRM platform. Kuluara acts as a Processor for all CRM data that the Controller imports, creates, or receives through the platform, including contact records, deal records, messages received via WhatsApp, Telegram, Instagram, email, and Google API integrations, as well as files and attachments exchanged through connected channels.
The Controller determines the purposes and means of Processing. Kuluara processes Personal Data strictly on the Controller's behalf and in accordance with the Controller's documented instructions, as described in this DPA and the Terms of Use.
The categories of Data Subjects include: the Controller's end customers, leads, contacts, and business partners whose information is stored in the Kuluara platform.
The types of Personal Data processed include: names, email addresses, phone numbers, postal addresses, company information, messages (WhatsApp, Telegram, Instagram, email), deal and pipeline data, notes, tags, custom fields, files, attachments, and any other information the Controller enters into the platform.
3. Processing instructions
Kuluara shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Kuluara shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The Controller's instructions for Processing are set out in this DPA, the Terms of Use, and any additional written instructions agreed upon by both parties. Kuluara shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Applicable Data Protection Law.
4. Confidentiality
Kuluara shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their obligations under this DPA and the Terms of Use.
Kuluara shall not disclose Personal Data to any third party except as expressly permitted by this DPA, as instructed by the Controller, or as required by applicable law.
5. Security measures
Kuluara implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
- Encryption at rest: All data stored in the Kuluara database is encrypted at rest using AES-256 encryption, provided by Supabase (AWS infrastructure).
- Encryption in transit: All data transmitted between clients, servers, and third-party APIs is encrypted using TLS 1.3 (minimum TLS 1.2).
- Access controls: Row Level Security (RLS) policies enforced at the database level ensure that each workspace can only access its own data. Role-based access controls limit data access to authorized team members.
- Authentication: Secure token-based authentication with support for multi-factor authentication (MFA). OAuth 2.0 for third-party integrations.
- Audit logging: Authentication events, data access, and administrative actions are logged for security monitoring and incident investigation.
- Regular backups: Automated database backups with point-in-time recovery capability. Backup data is encrypted at rest.
- Vulnerability management: Regular dependency scanning and security reviews to identify and remediate vulnerabilities.
- Infrastructure security: Hosting on enterprise-grade infrastructure (Supabase/AWS, Vercel, Google Cloud Platform) with physical security, network isolation, and DDoS protection.
6. Sub-processors
The Controller grants Kuluara general authorization to engage Sub-processors for the Processing of Personal Data. Kuluara shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification.
Where Kuluara engages a Sub-processor, Kuluara shall impose on the Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA. Kuluara remains fully liable to the Controller for the performance of the Sub-processor's obligations.
Current Sub-processors
- Supabase (Supabase, Inc.) — Database hosting, authentication, and real-time data services. Data region: AWS ap-southeast-1 (Singapore).
- Vercel (Vercel, Inc.) — Application hosting and edge function execution. Infrastructure: Global edge network.
- Google Cloud Platform (Google LLC) — Webhook processing server for inbound messages from messaging platforms. Data region: asia-southeast2 (Jakarta, Indonesia).
- Meta Platforms (Meta Platforms, Inc.) — WhatsApp Business API, Instagram Messaging API, Meta Lead Ads, Meta Ads reporting.
- Telegram (Telegram FZ-LLC) — Telegram Bot API message delivery.
- TikTok (ByteDance Ltd.) — TikTok Business API for lead and content synchronization.
- LINE (LY Corporation) — LINE Messaging API for Official Account conversations.
- Twilio (Twilio Inc.) — Telephony, VoIP, and SMS delivery services.
- Zoom (Zoom Video Communications, Inc.) — Meeting metadata and recording links via Zoom Marketplace API.
- Microsoft (Microsoft Corporation) — Teams meetings and calendar via Microsoft Graph API.
- Stripe (Stripe, Inc.) — Payment processing and invoicing. PCI-DSS compliant.
7. Data subject rights
Kuluara shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
Where Kuluara receives a request from a Data Subject directly, Kuluara shall promptly redirect the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller.
Kuluara provides the Controller with self-service tools to export, correct, and delete Personal Data within the platform. Where additional assistance is required, the Controller may contact Kuluara at info@kuluara.com.
8. Breach notification
In the event of a Personal Data breach, Kuluara shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
- The name and contact details of Kuluara's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Kuluara shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. Kuluara shall document all Personal Data breaches, including the facts, effects, and remedial actions taken.
9. Data deletion and return
Upon termination or expiration of the Terms of Use, or upon the Controller's written request, Kuluara shall:
- Data export: Make available to the Controller all Personal Data in a structured, commonly used, machine-readable format (JSON or CSV) within 30 days of the request.
- Data deletion: Delete all Personal Data from primary systems within 30 days of the request or termination, unless retention is required by applicable law. Personal Data in backup systems shall be purged within 90 days.
Kuluara shall provide written confirmation of deletion upon the Controller's request. Data that must be retained for legal compliance purposes (such as billing records required by Indonesian tax law) shall be clearly identified and retained only for the minimum period required by law.
10. Audit rights
Kuluara shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
The Controller may request compliance documentation, including security certifications, audit reports, and evidence of technical and organizational measures, at any time by contacting info@kuluara.com.
On-site audits may be conducted upon 30 days' prior written notice, during normal business hours, and subject to reasonable confidentiality and security requirements. The Controller shall bear the costs of any on-site audit unless the audit reveals a material breach of this DPA by Kuluara.
11. International data transfers
Kuluara may transfer Personal Data to countries outside of the Controller's jurisdiction as necessary to provide the Kuluara platform. Current transfer destinations include Singapore (Supabase/AWS), Indonesia (Google Cloud Platform), the United States (Vercel, Meta, Telegram infrastructure), and global edge locations (Vercel).
EEA transfers
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, Kuluara relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA. The Controller acts as the data exporter and Kuluara acts as the data importer under Module Two (Controller to Processor) of the SCCs.
Indonesia transfers
For transfers governed by Indonesian law, Kuluara implements safeguards in accordance with Government Regulation No. 46 of 2024 on the implementation of the PDP Law, including ensuring that the recipient jurisdiction provides an equivalent level of personal data protection, or that appropriate contractual protections are in place.
12. Governing law and jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the Republic of Indonesia, without regard to its conflict of laws principles. Any dispute arising out of or in connection with this DPA shall be resolved by the competent courts of Denpasar, Bali, Indonesia, unless otherwise required by Applicable Data Protection Law.
Where the Controller is located in the EEA and GDPR applies, the provisions of GDPR shall prevail in the event of any conflict with this DPA regarding the processing of Personal Data of EEA Data Subjects.
13. Amendments
Kuluara may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Sub-processor changes, or improvements to security measures. Material changes will be communicated to the Controller with at least 30 days' prior notice. Continued use of the Kuluara platform after the effective date of changes constitutes acceptance of the updated DPA.
14. Contact
For questions, requests, or complaints regarding this DPA or the processing of Personal Data, contact:
PT Tom Marvolo Riddle Group
Jalan Mertasari, Desa/Kelurahan Kerobokan Kelod, Kec. Kuta Utara, Kab. Badung, Provinsi Bali, 80361, Indonesia
Email: info@kuluara.com