Data Processing Agreement (DPA) / Hợp đồng Xử lý Dữ liệu Cá nhân
Version / Phiên bản: {{dpa_version}} (e.g. 2026.05.01)
Effective date / Ngày hiệu lực: {{effective_date}}
⚠️ This is a starting template, not legal advice. Have it reviewed by Vietnamese counsel + (if applicable) GDPR counsel before use. See legal-templates/README.md for the review checklist and budget guidance.
1. Parties / Các bên
Data Processor / Bên Xử lý: License Tracker Vietnam Co., Ltd. ("License Tracker", "we", "Processor") Tax ID (MST): {{lt_tax_id}} · Address: {{lt_address}} · Email: [email protected]
Data Controller / Bên Kiểm soát: {{customer_legal_name}} ("Customer", "you", "Controller") Tax ID (MST): {{customer_tax_id}} · Address: {{customer_address}} · DPO email: {{customer_dpo_email}}
This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement between the Parties and governs the Processor's processing of personal data on behalf of the Controller.
Hợp đồng Xử lý Dữ liệu Cá nhân này ("HĐXLDL") là một phần của Hợp đồng Sử dụng Dịch vụ giữa các Bên và điều chỉnh việc Bên Xử lý xử lý dữ liệu cá nhân thay mặt cho Bên Kiểm soát.
2. Definitions / Định nghĩa
- "Personal Data" has the meaning given in (a) GDPR Article 4(1) and (b) Nghị định 13/2023/NĐ-CP Article 2(1).
- "Processing" means any operation performed on Personal Data — collection, recording, storage, transmission, deletion, or otherwise.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates — in this DPA, this is an employee or contractor of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Authority" means: in Vietnam, the Department of Cyber Security and High-tech Crime Prevention (Cục An ninh mạng và phòng, chống tội phạm sử dụng công nghệ cao — A05); in the EU/EEA, the supervisory authority designated under GDPR Article 51.
3. Subject matter, duration, nature, and purpose / Đối tượng, thời hạn, bản chất và mục đích
| Field / Mục | Detail / Chi tiết |
|---|---|
| Subject matter / Đối tượng | Provision of the License Tracker software-asset-management SaaS / Cung cấp dịch vụ SaaS quản lý tài sản phần mềm License Tracker |
| Duration / Thời hạn | The term of the Master Subscription Agreement plus 30 days post-termination for data export / Theo thời hạn Hợp đồng Sử dụng cộng thêm 30 ngày sau chấm dứt để xuất dữ liệu |
| Nature of processing / Bản chất | Collection, storage, transmission, classification, and deletion of installed-software inventory data / Thu thập, lưu trữ, truyền tải, phân loại và xóa dữ liệu kiểm kê phần mềm đã cài đặt |
| Purpose / Mục đích | Enabling the Controller to manage its software licenses lawfully and optimize costs / Hỗ trợ Bên Kiểm soát quản lý license phần mềm hợp pháp và tối ưu chi phí |
4. Categories of personal data / Các loại dữ liệu cá nhân
The Processor processes the following Personal Data, and only the following — adding a new category requires a written amendment to this DPA.
| Category / Loại | Examples / Ví dụ |
|---|---|
| Device identifiers | Hostname, OS, OS version, architecture, agent version |
| User identifiers (optional, configurable) | Local OS username, anonymisable via SHA-256 |
| Domain identifiers (optional, Windows AD) | Domain / workgroup name |
| Software inventory | Application name, vendor, version, install date |
| Telemetry metadata | Scan timestamp, agent ID, signature classifications |
| Consent + audit | Employee consent records, IP address, timestamps |
The Processor does not collect: file contents, browser history, passwords, screenshots, keystrokes, clipboard contents, network traffic, geolocation, or any biometric data.
Bên Xử lý KHÔNG thu thập: nội dung file, lịch sử trình duyệt, mật khẩu, ảnh chụp màn hình, phím gõ, nội dung clipboard, lưu lượng mạng, vị trí địa lý, hoặc bất kỳ dữ liệu sinh trắc học nào.
5. Categories of data subjects / Đối tượng dữ liệu
Employees, contractors, and authorised users of the Controller using devices that have the License Tracker agent installed.
6. Obligations of the Processor / Nghĩa vụ của Bên Xử lý
The Processor shall:
6.1 Documented instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required by Vietnamese law. The Processor shall inform the Controller of any such legal requirement before processing, unless the law prohibits this notice.
6.2 Confidentiality
Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security measures
Implement appropriate technical and organisational measures, including but not limited to those listed in Annex II (Technical and Organisational Measures).
6.4 Sub-processors
Engage Sub-processors only with the Controller's prior general authorisation (granted by acceptance of this DPA, subject to the change-notification mechanism in Annex I).
6.5 Data subject rights
Taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of GDPR and Articles 9–15 of Nghị định 13/2023.
6.6 Breach notification
Notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach, providing at minimum: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
6.7 Deletion or return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services and delete existing copies, unless storage is required by Vietnamese law. The Processor shall provide written confirmation of deletion within 30 days.
6.8 Audit
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor may charge a reasonable fee for any audit beyond once per calendar year, except where mandated by an Authority.
7. International data transfers / Chuyển dữ liệu xuyên biên giới
The Processor's primary infrastructure is hosted in Singapore (AWS ap-southeast-1). Where the Controller is established in the EU/EEA, the Parties incorporate by reference the Standard Contractual Clauses (Module 2: Controller-to-Processor) adopted by the European Commission Decision 2021/914, with the Processor as "data importer" and the Controller as "data exporter". Optional clauses are included; docking is enabled.
Where Vietnamese law (e.g. Nghị định 53/2022/NĐ-CP) requires data localisation, the Controller may elect data residency in Vietnam (VNG Cloud or Viettel IDC) by giving 30 days' written notice; the Processor shall migrate within 90 days subject to a reasonable migration fee.
8. Liability and indemnity / Trách nhiệm và bồi thường
Each Party's aggregate liability under or in connection with this DPA shall not exceed the fees paid or payable by the Controller under the Master Subscription Agreement during the 12 months preceding the event giving rise to liability. Nothing in this DPA limits liability for: (a) fraud or wilful misconduct, (b) breach of confidentiality, (c) any liability that cannot be limited under applicable law.
9. Term and termination / Thời hạn và chấm dứt
This DPA shall remain in force for the duration of the Master Subscription Agreement. Either Party may terminate this DPA for material breach with 30 days' written notice and a cure period of 15 days. Sections 6.6, 6.7, 7, 8, and 10 survive termination.
10. Governing law and disputes / Luật áp dụng và giải quyết tranh chấp
This DPA is governed by the laws of the Socialist Republic of Vietnam. Disputes shall be finally resolved by arbitration administered by the Vietnam International Arbitration Centre (VIAC) in accordance with its Arbitration Rules in force at the time of the dispute. The seat of arbitration shall be Ho Chi Minh City; proceedings shall be conducted in Vietnamese, with English translations available on request. The number of arbitrators shall be one.
11. Signatures / Chữ ký
| Processor / Bên Xử lý | Controller / Bên Kiểm soát |
|---|---|
| License Tracker Vietnam Co., Ltd. | {{customer_legal_name}} |
| By: {{lt_signatory_name}} | By: {{customer_signatory_name}} |
| Title: {{lt_signatory_title}} | Title: {{customer_signatory_title}} |
| Date: {{lt_signature_date}} | Date: {{customer_signature_date}} |
| Signature: ____________________ | Signature: ____________________ |
Annex I — Sub-processors / Phụ lục I — Các Bên Xử lý Phụ
The Processor uses the following Sub-processors as of {{effective_date}}. The current list is also available at https://licensetracker.vn/legal/sub-processors with email subscription for change notifications.
| Sub-processor | Service | Location | DPA |
|---|---|---|---|
| Amazon Web Services, Inc. | Compute, storage, DB hosting | Singapore (ap-southeast-1) | AWS Data Processing Addendum |
| Vercel Inc. | Application hosting + edge CDN | USA (with EU edges) | Vercel DPA |
| Neon Inc. | Postgres database | USA | Neon DPA |
| Resend Inc. | Transactional email | USA | Resend DPA |
| Stripe Inc. | Payment processing | USA | Stripe Data Processing Agreement |
| Paddle.com Market Limited | Payment processing (MoR) | UK | Paddle DPA |
| Cloudflare, Inc. | DDoS protection + WAF | Global edge | Cloudflare DPA |
Change notification mechanism: The Processor shall notify the Controller at least 30 days before appointing a new Sub-processor or changing one's role. The Controller may object in writing within that 30-day window; if the objection cannot be resolved within 15 days, the Controller may terminate the affected service with pro-rata refund of pre-paid fees.
Annex II — Technical and organisational measures / Phụ lục II — Biện pháp kỹ thuật và tổ chức
The Processor implements at minimum:
Encryption / Mã hóa
- TLS 1.3 in transit (TLS 1.2 disabled at transport layer)
- AES-256 at rest for database and object storage
- Per-customer database row-level encryption keys
Access control / Kiểm soát truy cập
- Single-sign-on mandatory for all internal staff with MFA (TOTP minimum)
- Least-privilege RBAC; production access requires explicit ticket
- Quarterly access reviews; immediate revocation on role change
Network security / An ninh mạng
- All ingress through a managed WAF (Cloudflare)
- Private VPC for compute + DB; no public DB endpoints
- IP allowlist for super-admin portal
Logging + monitoring / Ghi log và giám sát
- Immutable audit log with 7-year retention
- 24/7 alerting on auth failures, privilege escalations, DB anomalies
- Quarterly penetration test by an independent firm
Backup + recovery / Sao lưu
- Daily encrypted backups, 30-day retention, geo-replicated
- Quarterly restore drills, target RPO 24h / RTO 4h
Personnel / Nhân sự
- Background checks on all engineering staff
- Annual security training; signed confidentiality undertaking
- Off-boarding: access revoked within 1 hour of departure
Vendor management / Quản lý nhà cung cấp
- Sub-processors reviewed annually against this Annex
- DPA in force with every Sub-processor before any data is shared
Annex III — EU SCC additional safeguards / Phụ lục III — Bảo vệ bổ sung theo SCC
For data transfers from the EU/EEA, the Parties confirm:
- The Processor has assessed the legal regime of Singapore as the destination country and concluded that the GDPR-equivalent level of protection is achieved through the combination of (a) Singapore's PDPA, (b) the contractual safeguards in this DPA, and (c) the technical measures in Annex II.
- The Processor shall promptly notify the Controller if it receives any legally binding request for disclosure by a public authority, unless prohibited.
- The Processor shall use its best efforts to challenge any disclosure request that is, in the Processor's reasonable assessment, contrary to applicable laws of the EU/EEA, and shall maintain a transparency report.