← Back to overview

Terms

HEMIDI DATA PROCESSING ADDENDUM

Effective date: March 26, 2026

1. Conditions for Effectiveness

This Data Processing Addendum ("Data Processing Addendum") shall take effect only when:

  • it is expressly incorporated into an enterprise contract, order form, or other written agreement with Hemidi;
  • it is approved by authorized representatives of both parties through a valid execution process;
  • it applies to circumstances in which Hemidi actually processes personal data on behalf of the customer as a data processor or in an equivalent role under applicable law.

A general reference in standard terms or click-through terms does not by default give rise to this Addendum where Hemidi provides that the Addendum must be separately signed or separately approved.

This Addendum is primarily used together with Hemidi's commercial terms, enterprise contracts, or order forms, rather than for the default self-service individual user flow.

2. Scope

This Addendum applies to the extent that Hemidi processes personal data on behalf of the customer in providing the Service. If Hemidi processes data for its own independent purposes such as security, anti-fraud, operational logging, aggregated statistics, data processed to reasonably reduce the ability to identify individuals, or its own legal obligations, such activities may fall outside the scope of processing on behalf of the customer.

Unless otherwise provided in transaction documentation or a specific appendix, the processing description under this Addendum shall be understood as follows:

  • the subject matter of processing is personal data submitted to, stored in, or generated through the Service by the customer or users authorized by the customer;
  • the purpose of processing is to provide, operate, secure, support, store, transmit, index, monitor, troubleshoot, and perform functions in accordance with the configuration selected by the customer in the Service;
  • the categories of data subjects may include the customer's users, end customers, personnel, contractors, collaborators, or other data subjects that the customer decides to include in the Service;
  • the categories of data may include account information, contact data, transaction data, technical data, usage data, content data, input data, output data, metadata, and other types of data that the customer chooses to upload or configure for processing;
  • the duration of processing continues for the Service term and for any retention, backup, logging, restoration, or deletion period under the Service's standard mechanisms, unless applicable law or a separate agreement requires a different period.

3. Processing Instructions

Hemidi will process personal data in accordance with:

  • the principal agreement between the parties;
  • lawful configurations and instructions implemented by the customer through the Service;
  • this Addendum;
  • applicable legal obligations.

The customer is responsible for the lawfulness of uploaded data, the legal basis for processing, notices to data subjects, and the accuracy of the instructions given by the customer.

Hemidi will not:

  • sell personal data processed on behalf of the customer as an independent commodity;
  • process personal data beyond the scope of the customer's lawful instructions, except where applicable law requires or permits Hemidi to act under its own obligations;
  • disclose personal data to third parties beyond what is necessary to provide the Service, use subprocessors, or comply with applicable legal obligations.

4. Security

Hemidi will implement reasonable technical and organizational measures appropriate to the nature of the Service and the processing risks in order to protect personal data against unauthorized access, loss, unauthorized disclosure, or destruction.

Such measures may include access controls, logging, internal authorization controls, appropriate encryption, backups, security monitoring, and incident response procedures.

Hemidi will ensure that personnel, contractors, and individuals authorized by Hemidi to access personal data on behalf of the customer may access such data only to the extent necessary to provide the Service and are bound by appropriate confidentiality obligations.

If Hemidi determines that a security incident has resulted in unauthorized access to, loss of, destruction of, or unauthorized disclosure of personal data within the scope of this Addendum, Hemidi will notify the customer without undue delay after determining the incident with sufficient confidence to issue an initial notice, to the extent permitted by applicable law and reasonable operational capability.

5. Subprocessors

Hemidi may use infrastructure providers, AI providers, storage providers, support providers, or other subcontractors as subprocessors or processing support providers, provided that Hemidi applies reasonable controls appropriate to the service context.

Hemidi will ensure that each subprocessor is authorized to access personal data only to the extent necessary to perform the relevant part of the work and is subject to confidentiality, data protection, and use-restriction obligations no less protective than the material protections committed by Hemidi under this Addendum.

The list of material subprocessors and the notice mechanism for changes may be separately published by Hemidi, provided through enterprise support channels, the trust center, product documentation, HEMIDI SUBPROCESSOR AND DATA TRANSFER APPENDIX, or commercial documentation. Unless otherwise provided in transaction documentation, Hemidi may change subprocessors as necessary to operate the Service, provided that Hemidi applies reasonable prior notice where required by applicable law or transaction documentation.

6. Cross-Border Data Transfers

If the Service involves the storage, processing, or access of data outside Vietnam or outside the customer's jurisdiction, the parties agree that data transfers will be carried out to the extent necessary to provide the Service and in compliance with applicable legal requirements to the extent reasonably possible.

To the extent required by applicable law, Hemidi will implement or support the implementation of appropriate data transfer mechanisms, including but not limited to contractual terms, notices, data protection commitments, technical measures, or administrative procedures necessary for the transfer of personal data abroad.

7. Assistance with Data Subject Rights

To the extent reasonable and consistent with the nature of the Service, Hemidi may assist the customer in responding to requests relating to data subject rights, impact assessments, records for overseas data transfer assessments, or requests from regulatory authorities, provided that the customer bears reasonable costs incurred if such assistance exceeds the standard support level.

The customer is responsible for responding directly to data subjects or regulatory authorities, unless applicable law requires Hemidi to respond directly.

8. Deletion or Return of Data

Upon termination of the principal agreement, Hemidi may delete, disable, or return data in accordance with the Service's standard mechanisms, internal retention schedules, legal requirements, backup obligations, security logs, or a separate written agreement. Unless otherwise provided by applicable law or a separate agreement, the customer may request return of available data within a reasonable period after the termination date before Hemidi deletes or disables the data under the Service's standard mechanisms.

Deletion or return of data does not limit Hemidi's right to continue retaining:

  • data that must be retained under legal obligations;
  • backup copies maintained under standard cycles during a reasonable internal retention period;
  • security logs, system logs, or data necessary to evidence transactions, enforce rights, or resolve disputes.

9. Audit and Supporting Information

To a reasonable extent, Hemidi may provide the customer with information at an appropriate level regarding security measures, subprocessors, and data processing practices relating to the Service in order to support the customer's assessment of compliance with its legal or contractual obligations.

Unless otherwise provided in transaction documentation, any customer inspection, assessment, or on-site verification rights must:

  • be notified reasonably in advance;
  • take place during normal business hours;
  • not create security risks, unreasonably affect other customers, or disclose Hemidi's or third parties' confidential information;
  • be limited to what is reasonably necessary;
  • prioritize the use of Hemidi's documentation, certifications, independent audit reports, or written responses before requesting more intrusive measures.

10. Order of Precedence

In the event of any conflict between this Addendum and the principal agreement with respect to Hemidi's processing of personal data on behalf of the customer, this Addendum shall prevail to the extent of such conflict, unless the principal agreement or transaction documentation expressly provides in writing that another provision shall prevail.