Data Processing Agreement (DPA)

Date Last Updated: December 24, 2024

1. Definitions
2. Scope and Purpose
3. Data Protection Obligations
4. Data Security
5. Data Subject Rights
6. Duration and Termination
7. General
8. Governing Law and Jurisdiction
Security Measures
1. Organizational Security
2. Technical Security

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

1.1 "Personal data" means any information relating to an identified or identifiable natural person ("data subject").

1.2 "Data controller" means Global Sources Exhibitions & Events (India) Private Limited, which determines the purposes and means of processing personal data.

1.3 "Data processor" means Sobot Technologies Pte Ltd, which processes personal data on behalf of the data controller.

1.4 "Processing" means any operation or set of operations performed on personal data, including but not limited to collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

1.5 "Transfer" means any movement or transmission of personal data, whether within a single country or internationally, including without limitation, hosting, processing, storing, or otherwise dealing with personal data in a different location than where the data was originally collected or received.

1.6 "Data exporter" means the customer and the user of the services.

1.7 "Data importer" means Sobot, a business call centre service provider that enables communications features and allows users the ability to make, receive and forward voice calls using a phone number provided by Sobot.

1.8 "Data subjects" means the personal data transferred concern the following categories of data subjects: data exporter’s end-users. The personal data that the data exporter will transfer to the data importer is determined and controlled solely by the data exporter. The data importer will receive this personal data in the form of customer content that the data exporter instructs it to process through its products and services.

1.9 "Processing operations" means the personal data transferred will be subject to the following basic processing activities: Sobot must process the data collected from or for the customer or in connection with its services provided to the customer.

2. Scope and Purpose

Sobot shall process personal data on behalf of customers for the purpose of providing the Sobot service platform.

3. Data Protection Obligations

3.1 Sobot shall process personal data only on the documented instructions of customer, as set out in the Sales Agreement and this DPA. Any additional processing instructions shall require the prior written consent of customer, unless required by applicable law.

3.2 Sobot shall implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data in accordance with applicable data protection laws.

3.3 Sobot shall assist customers in complying with their obligations under data protection laws, including responding to data subject requests and notifying customers of any data breaches.

4. Data Security

4.1 Sobot shall implement appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

4.2 Sobot shall promptly notify customers of any data breaches affecting personal data and shall cooperate in the investigation, mitigation, and resolution of such breaches.

5. Data Subject Rights

Sobot shall assist customer in responding to data subject requests to exercise their rights under applicable data protection laws.

6. Duration and Termination

6.1 This DPA shall remain in effect for the duration of the Sales Agreement and any extensions or renewals thereof.

6.2 Upon termination or expiry of the Sales Agreement, Sobot shall, at the choice of customer, return or securely dispose of all personal data, unless otherwise required by applicable law.

7. General

7.1 This DPA supersedes any prior agreements or understandings between the parties concerning the subject matter herein.

7.2 Any modifications to this DPA must be made in writing and signed by authorized representatives of both parties.

7.3 Sobot shall not transfer personal data to any jurisdiction outside the related business countries without customer’s consent. In the event customer consents to any such transfer, the parties shall enter into such amendment and/or supplement to this DPA containing such provisions as may be required by customer pertaining to such transfer, and Sobot shall comply with the provisions thereof, as well as any and all applicable laws and regulations, with respect to any such transfer.

7.4 Sobot shall maintain complete, accurate and up to date written records of its processing activities carried out on behalf of customer, containing such information as may be required by customer and applicable laws and regulations and shall make copies of such records available to customer promptly upon request.

7.5 Sobot shall promptly make available to customer such information and documents, and permit and cooperate with any inspection or audit, as may be requested by customer from time to time, for the purpose of demonstrating Sobot’s and/or customer’s compliance with their respective obligations under this DPA and applicable laws and regulations.

8. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Singapore. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Singapore.

Security Measures

1. Organizational Security

Sobot has the following policies established, management approved, and documented. The policies shall be continually improved and reviewed at least annually, and all Sobot employees, contractors and interns are required to review and acknowledge them annually. Evidence of policies is required.

  • Information Security Policy
  • Acceptable Use Policy

Sobot has the following policies established, management approved, and documented. The policies shall be continually improved and reviewed at least annually. Evidence of policies is required.

  • Access Control Policy
  • Change Management Policy
  • Mobile Device Management Policy
  • Remote / Teleworker Policy

Security Awareness and Training Program

  • Sobot has in place a Security Awareness Program that all employees are required to complete at hire and at least annually thereafter.

Physical Security

  • Sobot shall limit access to areas where controller data is processed and maintain audit logs of access.
  • Sobot shall implement security protocols.

Asset Management

  • Sobot has in place a system to manage and track all processor-owned or managed assets.

2. Technical Security

Operating System / Software / Applications

  • Sobot has in place a method to communicate and/or push security patch updates for operating systems, software, and applications deployed in its environments.
  • Critical patches and/or updates are deployed within 30 days of release.

Access Credentials

All employees who have access to or maintain controller data:

  • Have a unique user id/account
  • Do not share user id/account with other users
  • Are required to authenticate with a second factor

User accounts are subject to the following lockout rules:

  • An account is locked for 5 minutes after 5 incorrect attempts.
  • If 5 more incorrect attempts are made, the lock will extend for another 15 minutes, and this process continues.

Encryption

  • Data transmission utilizes the SSL/TLS encryption protocol to establish a secure encrypted channel between the data sender and receiver. When data is transmitted over the network, the SSL/TLS protocol encrypts the data, converting it into ciphertext. This ensures that even if a third party intercepts the data, it is extremely difficult for them to access the actual information.
  • For data storage, mandatory encryption is strictly configured when creating new EBS volumes. This measure ensures that all data written to EBS volumes is automatically encrypted at the time of storage, safeguarding data security at its source. This encryption process also relies on keys managed by AWS KMS, closely integrating key management with the entire data storage encryption system.

Backups

If Sobot performs the backup of controller data:

  • Backups are required to be performed and stored in a secure location.
  • Backups shall be encrypted.

Intrusion Detection and Prevention

  • Sobot has in place an intrusion detection and prevention system in all corporate and production locations.