Data Processing Agreement

Last updated: May 2026

1. Definitions

In this Data Processing Agreement ("DPA"), the following terms are aligned with Indonesia's Personal Data Protection Law (UU PDP, Law No. 27 of 2022):

  • "Controller" means the Customer — the entity that determines the purposes and means of processing personal data through applications deployed on Delt.
  • "Processor" means PT Sarang Nalar Karya (trading as Cognerest, operating the Delt platform) — the entity that processes personal data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by the Processor to assist in processing personal data.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by UU PDP.
  • "Data Subject" means the individual whose personal data is processed.
  • "Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion.

2. Scope of Processing

This DPA applies when Delt processes personal data on behalf of the Customer. This occurs when the Customer's application, deployed on Delt infrastructure, collects, stores, or processes personal data from the Customer's end-users.

  • Types of data: Application data and end-user data as determined by the Customer's application logic.
  • Purpose: Hosting and running the Customer's Laravel application, including building Docker images, managing Kubernetes deployments, and provisioning SSL certificates.
  • Duration: For the term of the Customer's Delt account, plus the data retention period specified in Section 8.

3. Processor Obligations

As a data processor, Delt shall:

  • Process personal data only on documented instructions from the Controller, unless required by law.
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures as described in Section 4.
  • Assist the Controller in responding to data subject requests (access, correction, deletion, portability) within reasonable timeframes.
  • Notify the Controller of personal data breaches within 72 hours as described in Section 7.
  • Delete or return all personal data upon termination as described in Section 8.
  • Make available information necessary to demonstrate compliance with this DPA.

4. Security Measures

Delt implements the following technical and organizational measures to protect personal data:

  • Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted at rest.
  • Environment variable encryption: Application secrets are encrypted using Supabase Vault (pgsodium) before storage. Plaintext values are never persisted.
  • Encryption in transit: All communications are encrypted via TLS.
  • Tenant isolation: Each Customer's application runs in a dedicated Kubernetes namespace with enforced resource quotas, preventing cross-tenant access to data or resources.
  • Row-Level Security: Database tables enforce Row-Level Security (RLS) policies ensuring data isolation at the database level.
  • Webhook validation: All external webhooks are validated using HMAC signature verification (SHA-256 for GitHub, SHA-512 for Midtrans) to prevent unauthorized data manipulation.

5. Sub-Processors

Delt engages the following sub-processors to provide the Service:

  • Supabase: Database, authentication, and secret management
  • Google Cloud Platform: Compute (GKE, Jakarta region), container builds (Cloud Build), and container registry (Artifact Registry)
  • Midtrans: Payment processing
  • GitHub: Source code integration
  • Cloudflare: Frontend hosting (Cloudflare Pages)

Delt will notify the Controller via email of any intended changes to sub-processors at least 30 days before the change takes effect. The Controller may object to the change within that period. If the objection cannot be reasonably resolved, the Controller may terminate the agreement.

6. Controller Obligations

The Controller shall:

  • Ensure that the processing of personal data through the Service complies with applicable data protection laws, including UU PDP.
  • Provide clear and lawful instructions to Delt regarding the processing of personal data.
  • Obtain all necessary consents from data subjects before processing their personal data through applications deployed on Delt.
  • Notify Delt promptly of any data subject requests that require Delt's assistance.

7. Data Breach Notification

In the event of a personal data breach affecting the Controller's data, Delt will notify the Controller within 72 hours (3 × 24 hours) of becoming aware of the breach, in accordance with UU PDP requirements. The notification will include:

  • The nature and scope of the breach
  • The categories and approximate number of data subjects affected
  • The categories of personal data affected
  • Measures taken or proposed to address the breach
  • Recommendations for the Controller to mitigate potential adverse effects

8. Data Deletion on Termination

Upon termination of the Customer's Delt account, Delt will delete all Customer personal data within 30 days, including:

  • Kubernetes resources (deployments, services, namespaces)
  • Supabase Vault entries (encrypted environment variables)
  • Deployment artifacts in Google Artifact Registry
  • Account and project configuration data

Billing and transaction records are retained as required by Indonesian tax regulations and are exempt from the deletion obligation.

9. Audit Rights

The Controller has the right to audit Delt's compliance with this DPA, subject to the following conditions:

  • Audits require at least 30 days' advance written notice.
  • Audits are conducted during normal business hours.
  • Audits are limited to no more than once per calendar year.
  • Delt may satisfy audit requests by providing relevant compliance documentation, security reports, or third-party audit results in lieu of on-site access.

10. Cross-Border Data Transfers

Application workloads are hosted on Google Kubernetes Engine in the Jakarta region (asia-southeast2), Indonesia. Some processing may occur outside Indonesia through our sub-processors — in particular, GitHub (United States) for source code integration.

Where personal data is transferred outside Indonesia, Delt ensures adequate safeguards are in place in accordance with UU PDP Article 56, including contractual commitments with sub-processors to maintain equivalent data protection standards.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

12. Term and Amendments

This DPA is effective for the duration of the Customer's use of the Delt Service. Delt may update this DPA to reflect changes in legal requirements or processing practices. Material changes will be communicated via email at least 30 days before taking effect.

13. Contact

For questions about this Data Processing Agreement, contact us at support@cognerest.com.

PT Sarang Nalar Karya (Cognerest)
Republic of Indonesia