Webstorio
Untuk FounderUntuk Pemilik UMKMUntuk Product ManagerUntuk MarketerUntuk DesainerUntuk DeveloperUntuk SalesUntuk PasanganUntuk Penyelenggara Acara
Landing pageProfil PerusahaanBlog, Artikel & BeritaPortofolioWebsite PribadiToko OnlineDirektori TautanAcara & UndanganFormulir & SurveiSistem BookingSistem TiketPeluncuran & Daftar TungguUmpan Balik & SaranDonasi & Pendanaan
FiturDokumentasiBlogShowcase
HargaTentang
Mulai Sekarang
Menu
HargaTentang
Mulai Sekarang
English|Bahasa Indonesia

Data Processing Agreement

Last updated: July 12, 2026

On this page

This Data Processing Agreement ("DPA" or "Agreement") forms part of the Terms of Service (the "Principal Agreement") between PT Rasylva Digital Lestari, Jakarta, Indonesia ("Webstorio", "Processor", "we", or "us") and the customer entity that uses the Webstorio Services ("Customer", "Company", or "Controller") (together, the "Parties").

This DPA applies when Webstorio processes Personal Data on behalf of the Customer in connection with websites, forms, CMS content, end-user accounts, and other Customer Content hosted on the platform. It complements our Privacy Policy, which covers data we process as an independent controller (account data, billing, and first-party platform analytics).

WHEREAS

  • (A) The Customer acts as a Data Controller (or "business" under applicable U.S. privacy laws).
  • (B) The Customer wishes to use Webstorio Services that imply the processing of personal data by the Processor.
  • (C) The Parties seek to implement a data processing agreement that complies with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and other Applicable Data Protection Laws.
  • (D) The Parties wish to lay down their rights and obligations with respect to such processing.

The Parties expressly acknowledge and agree that:

  1. This DPA does not establish a joint controllership arrangement under Article 26 of the GDPR.
  2. Each party remains solely responsible for its own compliance with Applicable Data Protection Laws in respect of its separate processing activities.
  3. Webstorio processes Customer Personal Data solely on behalf of and under the documented instructions of the Customer.
  4. Webstorio may process Service Data, log data, aggregated data, and de-identified data as an independent controller solely for analytics, security, billing, and product-development purposes, as described in the Privacy Policy.
  5. Webstorio does not engage in automated decision-making with legal or similarly significant effects on Data Subjects under this DPA.

For privacy questions under this DPA, contact [email protected].

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms have the meaning assigned in the Principal Agreement. In addition:

  • Applicable Data Protection Laws means all EU and relevant Member State legislation and regulations protecting individuals' personal data that apply to Webstorio and the Customer, including the GDPR, UK GDPR, and, to the extent applicable, other national or state privacy laws.
  • CCPA means the California Consumer Privacy Act of 2018 and regulations thereunder. When used in that context, "business," "service provider," "contractor," "sell," and "share" have the meanings given in the CCPA.
  • Customer Personal Data means any Personal Data Processed by Webstorio or a Sub-processor on behalf of the Customer pursuant to or in connection with the Principal Agreement (for example, form submissions, end-user account data on Customer sites, and CMS records containing personal information).
  • Data Protection Laws means collectively (i) EU GDPR, UK GDPR and implementing legislation; (ii) the EU–US Data Privacy Framework and UK/Swiss extensions where applicable; and (iii) U.S. federal or state privacy statutes applicable to Processing under this DPA.
  • Data Transfer means (a) a transfer of Customer Personal Data from the Customer to Webstorio or a Sub-processor; or (b) an onward transfer between processors, where such transfer would be restricted by Data Protection Laws without appropriate safeguards.
  • EEA means the European Economic Area.
  • EU SCCs means the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021 (as amended).
  • GDPR means Regulation (EU) 2016/679. If the Customer is a UK entity, references to the GDPR include the UK GDPR.
  • Personal Data Breach means a confirmed breach of Webstorio's security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Webstorio's possession, custody, or control. Unsuccessful attempts that do not compromise Customer Personal Data (such as failed logins, pings, or port scans) are not Personal Data Breaches.
  • Service Data means data relating to the use, support, and/or operation of the Services collected by Webstorio about Customer account holders and use of the platform for Webstorio's own purposes (as independent controller).
  • Services means the Webstorio platform and related hosting and tooling provided under the Principal Agreement.
  • Sub-processor means any processor engaged by Webstorio to process Customer Personal Data on behalf of the Customer.
  • UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK ICO.
  • U.S. Privacy Laws means applicable U.S. state privacy laws governing Processing under this DPA, including the CCPA/CPRA.

The terms "Commission," "Controller," "Data Subject," "Member State," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" have the meanings in the GDPR, and cognate terms are construed accordingly.

For EU/UK Personal Data, the Customer acts as controller and Webstorio as processor. For U.S. Personal Data, the Customer is the "business" and Webstorio is the "service provider"/"contractor," and Webstorio shall not "sell" or "share" such data nor combine it for cross-contextual advertising, except as permitted by U.S. Privacy Laws.

2. Processing of Customer Personal Data

Webstorio shall:

  • comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
  • not Process Customer Personal Data other than on the Customer's documented instructions, including to provide, host, and maintain the Services; process actions initiated by authorized Customer users; provide support; and meet legal requirements (in which case Webstorio will inform the Customer unless prohibited by law).

The Customer instructs Webstorio to process Customer Personal Data as described in Annex 1 and as necessary to perform the Services. Webstorio may refuse, suspend, or propose commercially reasonable alternatives to any instruction it reasonably believes would breach this DPA, Applicable Data Protection Laws, or materially compromise the security or performance of the Services. This DPA remains in effect for the duration of the Principal Agreement.

3. Customer Obligations

  • The Customer shall serve as a single point of contact for Webstorio in matters under this DPA and is responsible for coordinating instructions and distributing notices from Webstorio.
  • The Customer confirms it is entitled to provide access to Customer Personal Data and maintains all necessary rights, consents, and lawful bases for Webstorio's Processing.
  • The Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which it was acquired.
  • The Customer shall comply with Applicable Data Protection Laws and is responsible for configuring and using the Services in a secure manner consistent with those laws.
  • The Customer is responsible for securing its account credentials, systems, and devices used to access the Services, and for backing up Customer Personal Data as appropriate for its risk profile.

4. Processor Personnel

Webstorio shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Customer Personal Data, ensuring access is strictly limited to those who need to know / access such data as necessary for the Principal Agreement and Applicable Laws, and that such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Webstorio shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

In assessing the appropriate level of security, Webstorio shall take account in particular of the risks presented by Processing, especially from a Personal Data Breach. Current measures are described on our Security page and include encryption in transit, access controls, rate limiting, and logical isolation between customer projects.

6. Sub-processing

The Customer authorizes Webstorio to engage Sub-processors to support the Services. Webstorio shall not appoint (or disclose Customer Personal Data to) any Sub-processor unless authorized under this Section. Current categories include cloud hosting and databases, CDN and security (e.g. Cloudflare), authentication providers, payment processors, email delivery providers, and AI infrastructure providers used to deliver the Services, as outlined in the Privacy Policy.

Where Webstorio engages a Sub-processor, the same data- protection obligations as set out in this DPA shall be imposed on that Sub-processor by contract. Webstorio remains responsible for Sub-processor performance insofar as required by Applicable Data Protection Laws.

Webstorio will provide reasonable notice of material changes to Sub-processors (for example via the Privacy Policy or email). If the Customer objects on reasonable data-protection grounds within twenty (20) business days, the Parties will work in good faith toward a resolution. If none is reached, the Customer may terminate the affected Services as its sole and exclusive remedy and receive a refund of prepaid fees for the unused portion of the terminated Services, where applicable.

7. Data Subject Rights

Taking into account the nature of the Processing, Webstorio shall assist the Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligations to respond to requests to exercise Data Subject rights under Data Protection Laws.

Webstorio shall:

  • promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
  • ensure that it does not respond to that request except on the documented instructions of the Customer or as required by Applicable Laws, in which case Webstorio shall, to the extent permitted, inform the Customer before responding.

8. Personal Data Breach

Webstorio shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects under Data Protection Laws.

Webstorio shall co-operate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach. Notification is not an admission of fault or liability.

If the Customer determines to notify any governmental entity, Data Subjects, or the public of a Personal Data Breach and such notice refers to or identifies Webstorio, the Customer agrees, where permitted by law, to notify Webstorio in advance and in good faith consider clarifications Webstorio may reasonably recommend regarding Webstorio's involvement.

9. Data Protection Impact Assessment and Prior Consultation

Webstorio shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities that the Customer reasonably considers required by Articles 35 or 36 of the GDPR (or equivalent provisions), solely in relation to Processing of Customer Personal Data by Webstorio and taking into account the nature of the Processing and information available to Webstorio.

10. International Data Transfers

Webstorio is based in Indonesia and may use Sub-processors in other countries. Webstorio shall not transfer Customer Personal Data to a third country or international organization unless:

  • the transfer is to a country or organization deemed to provide an adequate level of protection by the European Commission or applicable authority;
  • the transfer is covered by appropriate safeguards such as the EU SCCs (and UK Addendum where applicable), binding corporate rules, or other approved mechanisms; or
  • another lawful basis under Chapter V of the GDPR (or equivalent) applies.

For ex-EEA Transfers, Module Two (Controller to Processor) of the EU SCCs is deemed incorporated by reference where required. Module Three applies where Webstorio acts as a processor and engages a Sub-processor. The Parties shall complete the SCCs as reasonably necessary to give effect to this Section.

11. Service Data

The Customer acknowledges that Webstorio may collect, use, and disclose Service Data as an independent controller for its own business purposes, including:

  • accounting, tax, billing, audit, and compliance purposes;
  • providing, securing, improving, developing, optimizing, and maintaining the Services; investigating fraud, spam, or unlawful use; and
  • as otherwise permitted or required by Applicable Data Protection Laws.

Service Data Processing is described further in the Privacy Policy and is outside the processor relationship for Customer Personal Data under this DPA.

12. Use of Customer Data for Artificial Intelligence

  • Webstorio shall not use Customer Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing general-purpose Artificial Intelligence or Machine Learning models.
  • Customer Personal Data shall be processed solely to provide, maintain, secure, and support the Services as described in this DPA, including AI-assisted generation and editing of Customer sites and content on the Customer's documented instructions.
  • Webstorio may process de-identified and aggregated information derived from platform usage only for statistical reporting, security analysis, or operational insights, provided such information cannot reasonably be used to identify the Customer, its end users, or any natural person, and is not used to train models on Customer Personal Data.

13. Deletion or Return of Customer Personal Data

Upon termination of the Principal Agreement, Webstorio shall discontinue Processing of Customer Personal Data other than secure storage or Processing expressly permitted under this DPA or required by Applicable Laws.

Within thirty (30) calendar days after termination (or within ten (10) business days of a written request following cessation of Services involving such Processing), the Customer may instruct Webstorio in writing to return or delete Customer Personal Data then in Webstorio's possession or control, unless Applicable Data Protection Laws require storage.

If no such instruction is received within thirty (30) calendar days, Webstorio may permanently delete or irreversibly anonymize the Customer Personal Data in accordance with its retention schedule. Deleted data may persist in backups for a limited rolling period before permanent removal. Where bespoke export or deletion work exceeds a commercially reasonable effort, Webstorio may charge documented professional-services rates except where prohibited by Applicable Data Protection Laws.

14. Audit Rights

Subject to this Section, Webstorio shall make available to the Customer on request information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to Processing of Customer Personal Data, to the extent required by Data Protection Laws.

Information and audit rights arise only to the extent the Principal Agreement does not already provide equivalent rights. Audits are limited to once per twelve-month period unless required by a Supervisory Authority or following a Personal Data Breach, and are subject to confidentiality, reasonable notice, scheduling, and cost allocation as agreed in writing. Webstorio may satisfy audit requests through questionnaires, security summaries, or third-party reports where available.

15. U.S. Privacy Laws

To the extent Webstorio's Processing of Customer Personal Data is subject to U.S. Privacy Laws, Webstorio shall:

  • use, retain, and disclose Customer Personal Data only as necessary to perform the business purposes specified in the Principal Agreement or as otherwise permitted by U.S. Privacy Laws;
  • provide the same level of privacy protection required of a "service provider" or "contractor";
  • implement reasonable technical and organizational measures to protect Customer Personal Data;
  • notify the Customer without undue delay if Webstorio determines it cannot meet its obligations under U.S. Privacy Laws; and
  • cooperate with the Customer to stop and remediate unauthorized use of Customer Personal Data.

Webstorio shall not:

  • sell or share Customer Personal Data;
  • retain, use, or disclose Customer Personal Data for purposes other than the business purposes specified in the Principal Agreement, except as permitted by U.S. Privacy Laws; or
  • combine Customer Personal Data with personal data from other sources except as permitted by U.S. Privacy Laws.

16. Confidentiality and Notices

Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA ("Confidential Information") confidential and must not use or disclose that Confidential Information without prior written consent of the other Party except to the extent that (a) disclosure is required by law; or (b) the relevant information is already in the public domain other than through breach of this Section.

Notices under this DPA must be in writing and may be delivered by email to the addresses associated with the Customer's account and to [email protected], or such other address as a Party notifies in writing.

17. Liability, Indemnity, and Precedence

The Parties' liability under this DPA is limited in accordance with the Principal Agreement. Neither Party shall have an obligation to indemnify the other for administrative fines imposed by a Supervisory Authority or court under Applicable Data Protection Laws, except as required by law or expressly agreed in writing.

The Customer shall defend and indemnify Webstorio from third-party claims, investigations, fines, or losses arising from (i) the Customer's instructions or configurations; (ii) failure to secure a lawful basis or required consents; or (iii) the Customer's breach of this DPA or Applicable Data Protection Laws, to the extent permitted by law.

In the event of inconsistency between this DPA and the Principal Agreement regarding Processing of Customer Personal Data, this DPA prevails. If any provision is held invalid, the remaining provisions remain in force. This DPA constitutes the entire understanding between the Parties with respect to its subject matter.

18. Governing Law and Jurisdiction

This DPA, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the governing law and dispute resolution provisions of the Principal Agreement (Terms of Service).

Annex 1 — Description of Processing

A. Parties

  • Data exporter / Controller: The Customer, as defined in the Terms of Service. Role: Controller.
  • Data importer / Processor: PT Rasylva Digital Lestari (Webstorio), Jakarta, Indonesia. Contact: [email protected]. Role: Processor.

B. Subject matter and nature of Processing

Webstorio is an AI-powered website builder and hosting platform. Processing may comprise hosting, storage, retrieval, transmission, display, deletion, indexing, and AI-assisted generation or editing of Customer Content (including pages, forms, CMS records, and related configuration) in order to provide, secure, maintain, monitor, and support the Services on the Customer's instructions.

C. Purpose of Processing

  • Provision of Webstorio Services, including site building, hosting, CMS, forms, commerce features, and support.
  • Performance of the Principal Agreement and documented Customer instructions.

D. Categories of Data Subjects

  • Authorized users of the Customer's Webstorio account (employees, contractors, agents).
  • End users and visitors of Customer sites published through Webstorio.
  • Other individuals whose Personal Data the Customer chooses to store in the Services.

E. Categories of Personal Data

As determined by the Customer, which may include names, email addresses, contact details, form responses, account identifiers, content and messages, and other data the Customer uploads or collects via the Services. The Customer shall not instruct Webstorio to process special categories of Personal Data (GDPR Art. 9) or data relating to criminal convictions unless the Services expressly support it and Applicable Data Protection Laws allow it.

F. Duration and retention

For the term of the Principal Agreement. Customer Personal Data will be returned or deleted as set out in Section 13, subject to legal retention, fraud prevention, dispute resolution, and backup retention windows.

19. Contact

For questions about this DPA, contact PT Rasylva Digital Lestari, Jakarta, Indonesia, at [email protected].

This page is provided for transparency and contractual incorporation into the Terms of Service. It is not legal advice. Organizations with complex requirements may request a signed version by emailing the address above.

Webstorio

PT Rasylva Digital Lestari

Jakarta, Indonesia

[email protected]

+62-851-8787-7001

Media sosial

Perusahaan

  • Tentang Webstorio
  • Tentang Rasylva.id
  • Hubungi Kami
  • Mitra
  • Afiliasi
  • Jasa Web Experts

Produk

  • Fitur
  • Harga

Sumber Daya

  • Dokumentasi
  • Blog
  • Showcase
  • Rencana Pengembangan
  • Dukungan
  • Formulir masukan

Legal

  • Privasi
  • Syarat & Ketentuan
  • DPA
  • DMCA
  • Keamanan

Contoh Penggunaan

  • Landing page
  • Profil Perusahaan
  • Blog, Artikel & Berita
  • Portofolio
  • Website Pribadi
  • Toko Online
  • Direktori Tautan
  • Acara & Undangan
  • Formulir & Survei
  • Sistem Booking
  • Sistem Tiket
  • Peluncuran & Daftar Tunggu
  • Umpan Balik & Saran
  • Donasi & Pendanaan

Solusi

  • Untuk Founder
  • Untuk Pemilik UMKM
  • Untuk Product Manager
  • Untuk Marketer
  • Untuk Desainer
  • Untuk Developer
  • Untuk Sales
  • Untuk Pasangan
  • Untuk Penyelenggara Acara

© 2026 Webstorio. Hak cipta dilindungi.

English|Bahasa Indonesia