← Back to overview

Terms

HEMIDI SUBPROCESSOR AND DATA TRANSFER APPENDIX

Effective date: March 26, 2026

1. Scope of Application

This Appendix describes the disclosure framework and applicable principles relating to subprocessors, material providers, data processing locations, and data transfer mechanisms associated with the Services of HEMIDI JOINT STOCK COMPANY ("Hemidi").

This Appendix shall be read together with the Privacy Policy, the Data Processing Addendum, the applicable Terms of Service, relevant commercial documentation, and product documentation. In the event of any conflict, the transaction documentation, DPA, or documentation specifically applicable to the relevant Service shall prevail to the extent of such conflict.

2. Categories of Subprocessors and Material Providers

Depending on the type of Service, customer segment, technical configuration, and deployment region, Hemidi may use one or more of the following categories of providers:

  • cloud infrastructure, storage, network, CDN, or backup providers;
  • authentication, identity management, anti-fraud, or security monitoring providers;
  • payment, invoicing, accounting, or payment anti-fraud providers;
  • customer support, ticketing, communications, or email delivery providers;
  • analytics, performance monitoring, logging, or diagnostics providers;
  • artificial intelligence model providers, content processing tools, safety tools, or output evaluation tools;
  • subcontractors or other implementation, maintenance, or operational support providers to the extent necessary to provide the Service.

3. Principles for the Use of Subprocessors

Hemidi permits subprocessors or material providers to access data only to the extent reasonably necessary to perform the relevant part of the work.

Hemidi will seek to ensure that each subprocessor:

  • is bound by appropriate confidentiality obligations;
  • processes data only in accordance with the instructions or scope of work permitted by Hemidi;
  • applies data protection and security measures no less protective than the material protections committed by Hemidi under the applicable documentation;
  • does not use data for purposes beyond those necessary to perform the relevant part of the work.

4. Product-Specific Disclosure

Because Hemidi's Services may use different infrastructure, models, deployment regions, or providers, Hemidi may disclose information regarding subprocessors or material providers at one or more different levels, including:

  • trust center;
  • product documentation;
  • commercial appendices;
  • data processing appendices;
  • dashboards or separate notices for enterprise customers;
  • documentation specifically applicable to the relevant service package or deployment region.

Unless otherwise provided in the applicable documentation, the fact that a provider is used for one Service does not by default mean that such provider is used for all other Hemidi Services.

5. Notice of Changes

To the extent required by applicable law, a DPA, contract, or transaction documentation, Hemidi may provide reasonable prior notice of the addition, replacement, or change of material subprocessors for the relevant Service.

Unless otherwise provided in the transaction documentation, Hemidi reserves the right to change subprocessors or providers where necessary to maintain, secure, improve, or operate the Service, provided that Hemidi applies appropriate controls in accordance with the applicable documentation.

6. Data Processing Locations and Data Transfers

Data may be stored, accessed, or processed in Vietnam or in other countries or regions where Hemidi, its affiliates, or its providers operate systems, technical support, or processing capabilities relating to the Service.

If personal data is transferred outside Vietnam or outside the customer's or data subject's original legal jurisdiction, Hemidi will implement or support the implementation of appropriate data transfer mechanisms to the extent required by applicable law, including but not limited to:

  • contractual commitments;
  • data protection clauses;
  • supplementary technical measures;
  • supplementary organizational measures;
  • records, administrative procedures, or other data protection commitments under applicable law.

7. Data Residency and Dedicated Configurations

If a Service or service package supports:

  • data residency;
  • a dedicated data region;
  • a dedicated environment;
  • data isolation mechanisms;
  • a restricted provider list;

then the features, conditions, limitations, and exceptions applicable to such configuration shall be determined in accordance with the specific applicable documentation, commercial documentation, or administrative configuration published by Hemidi for the relevant Service.

8. Requests for Additional Information

To the extent reasonable and consistent with applicable law, Hemidi may provide enterprise customers with additional information regarding provider categories, processing functions, primary processing regions, or data transfer principles through the trust center, diligence processes, a DPA, commercial documentation, or separate security documentation.

Hemidi reserves the right to limit the level of detail in such disclosures if full disclosure could reveal confidential information, system security information, or third-party information beyond the scope required to be disclosed by applicable law.