{"id":19105,"date":"2025-10-04T08:10:59","date_gmt":"2025-10-04T08:10:59","guid":{"rendered":"https:\/\/2026.bonloyalty.com\/?page_id=19105"},"modified":"2025-10-14T09:49:02","modified_gmt":"2025-10-14T09:49:02","slug":"data-processing-agreement","status":"publish","type":"page","link":"https:\/\/2026.bonloyalty.com\/ja\/data-processing-agreement\/","title":{"rendered":"Data processing agreement"},"content":{"rendered":"<div data-elementor-type=\"wp-page\" data-elementor-id=\"19105\" class=\"elementor elementor-19105\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-023a1e7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"023a1e7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-dcb189f\" data-id=\"dcb189f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4aa5732 elementor-widget elementor-widget-shortcode\" data-id=\"4aa5732\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">        <nav class=\"bc\" aria-label=\"Breadcrumb\">\n            <ol class=\"bc-list\">\n                <!-- Home link -->\n                <li class=\"bc-item\">\n                    <a class=\"bc-link\" href=\"https:\/\/2026.bonloyalty.com\/ja\" title=\"\u30db\u30fc\u30e0\u30da\u30fc\u30b8\">\n                        <svg width=\"20\" height=\"20\" viewbox=\"0 0 20 20\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n                            <path d=\"M7.51406 2.36713L3.0224 5.86713C2.2724 
6.45046 1.66406 7.69213 1.66406 8.63379V14.8088C1.66406 16.7421 3.23906 18.3255 5.1724 18.3255H14.8224C16.7557 18.3255 18.3307 16.7421 18.3307 14.8171V8.75046C18.3307 7.74213 17.6557 6.45046 16.8307 5.87546L11.6807 2.26713C10.5141 1.45046 8.63906 1.49213 7.51406 2.36713Z\" stroke=\"currentColor\" stroke-width=\"1.25\" stroke-linecap=\"round\" stroke-linejoin=\"round\" \/>\n                            <path d=\"M10 14.9922V12.4922\" stroke=\"currentColor\" stroke-width=\"1.25\" stroke-linecap=\"round\" stroke-linejoin=\"round\" \/>\n                        <\/svg>\n                        <span class=\"bc-home-text\">\u30db\u30fc\u30e0\u30da\u30fc\u30b8<\/span>\n                    <\/a>\n                <\/li>\n                \n                                \n            <\/ol>\n        <\/nav>\n        <\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a1dcc23 pp elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a1dcc23\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-top-column elementor-element elementor-element-a978bcb\" data-id=\"a978bcb\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-66 elementor-top-column elementor-element elementor-element-e2fbd7d\" data-id=\"e2fbd7d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-ce66233 elementor-section-boxed 
elementor-section-height-default elementor-section-height-default\" data-id=\"ce66233\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-inner-column elementor-element elementor-element-9b1612d\" data-id=\"9b1612d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fdf5b9f date-page elementor-widget elementor-widget-text-editor\" data-id=\"fdf5b9f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\">12 Aug, 2024<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5c23cb6 elementor-widget elementor-widget-heading\" data-id=\"5c23cb6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Data processing agreement<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-10cec5a elementor-widget elementor-widget-spacer\" data-id=\"10cec5a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5389254 elementor-widget elementor-widget-text-editor\" data-id=\"5389254\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This Data Processing Agreement (\u201cDPA\u201d) is entered into between:<br \/>1. You (the \u201cMerchant,\u201d \u201cData Controller\u201d) and<br \/>2. BON Loyalty, a company registered in Hanoi, Vietnam with a registered address at Number 9, Alley 6, Residential Group 3, Duc Thang Ward, Bac Tu Liem District, Hanoi City, Vietnam (\u201cProcessor\u201d).<br \/>Collectively referred to as the \u201cParties\u201d and individually as a \u201cParty.\u201d<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-969a9e3 elementor-widget elementor-widget-heading\" data-id=\"969a9e3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Data processing agreement<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5e0dbe4 elementor-widget elementor-widget-text-editor\" data-id=\"5e0dbe4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>WHEREAS:<\/h4><p>(A) The Controller operates an e-commerce business and engages the Processor to provide a loyalty app service, which involves the processing of customer data.<br \/>(B) The Parties seek to comply with Regulation (EU) 2016\/679 (General Data Protection Regulation, \u201cGDPR\u201d).<br \/>(C) This DPA forms part of the service agreement between the Parties (\u201cMain Agreement\u201d) and governs the Processor\u2019s processing of personal data on behalf of the Controller.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-23c9a24 elementor-widget elementor-widget-text-editor\" data-id=\"23c9a24\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>1. DEFINITIONS<\/h4><p>1.1. \u201cPersonal Data\u201d means any information relating to an identified or identifiable natural person (\u201cData Subject\u201d) processed by the Processor on behalf of the Controller under this DPA.<br \/>1.2. \u201cProcessing\u201d means any operation or set of operations performed on Personal Data, such as collection, storage, use, disclosure, or deletion, as defined in Article 4(2) GDPR.<br \/>1.3. Terms such as \u201cController,\u201d \u201cProcessor,\u201d \u201cData Subject,\u201d and \u201cPersonal Data Breach\u201d have the meanings assigned under GDPR.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-818b584 elementor-widget elementor-widget-text-editor\" data-id=\"818b584\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>2. SUBJECT MATTER AND DURATION<\/h4><p>2.1. The Processor shall process Personal Data to provide the loyalty app services, including managing customer rewards, sending automated emails and communications, and analyzing user engagement and usage behaviors, as instructed by the Controller.<br \/>2.2. This DPA remains in effect for the duration of the Main Agreement and until all Personal Data is deleted or returned in accordance with Clause 9.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-36fa547 elementor-widget elementor-widget-text-editor\" data-id=\"36fa547\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>3. NATURE AND PURPOSE OF PROCESSING<\/h4><p>3.1. 
The Processor shall process Personal Data to deliver the loyalty app services, including:<\/p><ul><li>Collecting and storing customer data for loyalty program enrollment.<\/li><li>Sending automated emails and notifications.<\/li><li>Generating analytics on customer engagement and reward redemption.<\/li><li>Monitoring customers\u2019 interactions with the loyalty app embeds and extensions on the merchant\u2019s online store to produce reports on customers\u2019 behavior and the loyalty program\u2019s performance.\u00a0<\/li><li>All metrics are monitored anonymously, which means no emails or names are collected.\u00a0<\/li><\/ul><p>3.2. Processing shall be carried out only on the Controller\u2019s documented instructions, unless required by EU or Member State law.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9223be7 elementor-widget elementor-widget-text-editor\" data-id=\"9223be7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>4. TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS<\/h4><p>4.1. Types of Personal Data: Names, email addresses, gender, phone number, address (optional), order history, loyalty points, and behavioral data (e.g., browsing or redemption activity).<br \/>4.2. Categories of Data Subjects: Customers of the Controller\u2019s e-commerce platform.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a58fdf1 elementor-widget elementor-widget-text-editor\" data-id=\"a58fdf1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>5. OBLIGATIONS OF THE PROCESSOR<\/h4><p>5.1. 
The Processor (BON Loyalty) shall:<br \/>\u00a0\u00a0\u00a0a) Process Personal Data only on written instructions from the Controller, including with regard to transfers to third countries, unless required by law (in which case, the Processor shall inform the Controller before processing, unless prohibited by law). The Controller shall ensure that all personal data provided to the Processor is collected and processed in compliance with applicable data protection laws, and the Processor shall act only on documented instructions from the Controller.<br \/>\u00a0\u00a0\u00a0b) Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.<br \/>\u00a0\u00a0\u00a0c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security assessments.<br \/>\u00a0\u00a0\u00a0d) Assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III, including rights to access, rectification, erasure, and data portability.<br \/>\u00a0\u00a0\u00a0e) Assist the Controller in ensuring compliance with GDPR Articles 32\u201336, including security, breach notifications, and data protection impact assessments.<br \/>\u00a0\u00a0\u00a0f) The Processor shall notify the Controller of a confirmed personal data breach without undue delay, providing details as required by Article 33(3) GDPR. 
A personal data breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed under this DPA.<br \/>g) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6650723 elementor-widget elementor-widget-text-editor\" data-id=\"6650723\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>6. SUB-PROCESSING<\/h4><p>6.1. The Processor shall not engage sub-processors without consent from the Controller.<br \/>6.2. The list of sub-processors is not fixed and can be extended without prior notice to the Controller.<br \/>6.3. Current sub-processors (if applicable):\u00a0<\/p><ul><li>Digital Ocean:\u00a0Host and store application data, customer profiles, and transaction records. Data Processed: Customer data, transaction logs, and loyalty program metrics<\/li><li>Google Analytics (California): Monitor customer behavior and loyalty program engagement. Data Processed: User interactions, purchase history, and demographic data.<\/li><li>Klaviyo: Send notifications, promotional emails, and reward updates to customers\u00a0only when the merchant gives consent. 
Data Processed: customer\u2019s name, email address, birthday, loyalty points, tier, and referral link.<\/li><li>Dotdigital:\u00a0Set up and send out loyalty email campaigns, such as points-based rewards notifications or tiered promotions,\u00a0only when the merchant gives consent.\u00a0Data Processed: Customer engagement data, campaign metrics, and behavioral data.<\/li><li>Customer.io: Facilitating marketing email campaigns<\/li><li>Crisp:\u00a0Customer support chat<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e5123be elementor-widget elementor-widget-text-editor\" data-id=\"e5123be\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>7. DATA TRANSFERS<\/h4><p>7.1. The Processor may transfer Personal Data to Vietnam, outside the EEA, only in compliance with GDPR Chapter V.<br \/>7.2. The Parties incorporate the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021\/914\/EU) as Annex I to this DPA to ensure lawful data transfers. The Processor shall comply with the obligations of the data importer under the SCCs.<br \/>7.3. The Processor shall implement supplementary measures to ensure an adequate level of protection for transferred Personal Data, including encryption and pseudonymization where feasible.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bcbf71e elementor-widget elementor-widget-text-editor\" data-id=\"bcbf71e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>8. AUDITS<\/h4><p>8.1. 
Should the information provided under Clause 5.1(g) be insufficient, the Controller may conduct a direct audit of the Processor\u2019s data processing facilities and practices, subject to at least 30 days\u2019 prior written notice and during normal business hours (9 AM \u2013 6 PM, UTC+7). Such an audit shall be at the Controller\u2019s expense, limited in scope to the Processing of Personal Data under this DPA, and conducted in a manner that does not unreasonably interfere with the Processor\u2019s business operations. The Controller and its mandated auditor must enter into a standard confidentiality agreement with the Processor before any audit.<br \/>8.2. The Processor shall cooperate fully with such audits and provide access to relevant documentation and systems.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8e02bb3 elementor-widget elementor-widget-text-editor\" data-id=\"8e02bb3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>9. LIABILITY<\/h4><p>9.1. Each party\u2019s liability under this DPA shall be limited to the extent of its respective fault, as determined by applicable law.<br \/>9.2. The Processor shall be liable to the Controller for any failure by a sub-processor to fulfill its data protection obligations.<br \/>9.3. The Processor shall bear the costs of breach notifications only to the extent that the breach results from its failure to comply with this DPA. 
The Controller shall bear costs arising from its instructions or vulnerabilities in its systems<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-876b26b elementor-widget elementor-widget-text-editor\" data-id=\"876b26b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h4>10. GOVERNING LAW AND JURISDICTION<\/h4><div><div><div><div><p>This DPA is governed by the laws of Vietnam. However, if applicable Data Protection Laws mandate a specific governing law or jurisdiction, such requirements shall prevail.<\/p><\/div><\/div><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-16 elementor-top-column elementor-element elementor-element-be803de\" data-id=\"be803de\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>12 Aug, 2024 Data processing agreement This Data Processing Agreement (\u201cDPA\u201d) is entered into between:1. You (the \u201cMerchant,\u201d \u201cData Controller\u201d) and2. 
BON Loyalty, a company registered<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":23,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"footnotes":""},"class_list":["post-19105","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/pages\/19105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/comments?post=19105"}],"version-history":[{"count":13,"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/pages\/19105\/revisions"}],"predecessor-version":[{"id":20135,"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/pages\/19105\/revisions\/20135"}],"wp:attachment":[{"href":"https:\/\/2026.bonloyalty.com\/ja\/wp-json\/wp\/v2\/media?parent=19105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}