About
Globo is the company specializing in website design and development in Vietnam.
18 Khuc Thua Du Street, HN
globosoftware
[email protected]
Follow Us
  • No products in the cart.

DPA

Globo Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement between the merchant using Globo applications (“Merchant”, “Customer”, “Controller”, or “you”) and PowerfulForm Technology Company Limited, a company incorporated in Vietnam with its registered address at 19 Tuyen, Soc Son, Hanoi, Vietnam (“Globo”, “Processor”, “we”, “us”, or “our”).

This DPA applies to all Globo applications and services, including but not limited to Shopify applications provided under the Globo brand (the “Services”).

By installing, accessing, or using the Services, Merchant agrees to this DPA where Globo processes Personal Data on behalf of Merchant.

1. Definitions

Applicable Data Protection Laws means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation 2016/679 (GDPR).

Controller means the entity that determines the purposes and means of the processing of Personal Data.

Processor means the entity that processes Personal Data on behalf of the Controller.

Personal Data means any information relating to an identified or identifiable natural person that is processed by Globo on behalf of Merchant through the Services.

Sub-processor means any third party engaged by Globo to process Personal Data on behalf of Merchant in connection with the Services.

2. Roles of the Parties

For Personal Data processed through the Services on behalf of Merchant:

  • Merchant acts as the Controller.
  • Globo acts as the Processor.
  • Globo will process Personal Data only on documented instructions from Merchant, including through Merchant’s configuration and use of the Services, unless required by applicable law.

Merchant is responsible for ensuring that it has a lawful basis for collecting and processing Personal Data through its Shopify store and for providing all required privacy notices to its customers.

3. Subject Matter and Duration of Processing

The subject matter of the processing is the provision, operation, maintenance, support, and improvement of the Services.

The duration of processing is the period during which Merchant uses the Services, plus any additional retention period described in this DPA or required by applicable law.

4. Nature and Purpose of Processing

Globo processes Personal Data as necessary to provide the Services to Merchant, including to:

  • enable app functionality within Merchant’s Shopify store;
  • display, collect, store, and manage app-related data configured by Merchant;
  • process customer-specific information and product customization details;
  • associate app data with carts, orders, products, variants, or customer records where required by the relevant app;
  • store uploaded files, images, logos, or other materials submitted through supported app features;
  • provide technical support, troubleshooting, debugging, and customer service;
  • maintain service security, prevent abuse, and monitor service performance;
  • send service-related email communications where required for app functionality or support.

Globo does not sell Personal Data processed on behalf of Merchant.

5. Categories of Personal Data

Depending on the Globo app used by Merchant and Merchant’s configuration, the Personal Data processed may include:

  • Merchant account information, such as store owner name, email address, Shopify store domain, and contact details;
  • Shopify store information, such as shop domain, shop ID, products, variants, collections, and app configuration;
  • customer information, such as customer name, email address, phone number, shipping or billing address, and Shopify customer or order identifiers, where required by the relevant app;
  • order, cart, checkout, and line item information;
  • product option values, custom fields, personalization text, engraving text, gift messages, notes, and other customer-submitted customization details;
  • files uploaded by customers or merchants, such as images, logos, artwork, design files, or other uploaded materials;
  • technical information, such as IP address, device/browser information, logs, error reports, and usage information;
  • support communications between Merchant and Globo.

Globo does not intentionally process payment card data through the Services. Payment processing is handled by Shopify or Merchant’s selected payment providers.

6. Categories of Data Subjects

  • Merchant and Merchant’s staff or representatives;
  • Merchant’s customers and prospective customers;
  • individuals who submit information through Merchant’s Shopify store using Globo app features;
  • support contacts and other individuals communicating with Globo on behalf of Merchant.

7. Processor Obligations

Globo will:

  • process Personal Data only on documented instructions from Merchant;
  • ensure that persons authorized to process Personal Data are subject to confidentiality obligations;
  • implement appropriate technical and organizational measures to protect Personal Data;
  • assist Merchant, taking into account the nature of processing, in responding to data subject requests where reasonably possible;
  • assist Merchant with security, breach notification, and data protection compliance obligations where required by Applicable Data Protection Laws;
  • make available information reasonably necessary to demonstrate compliance with this DPA;
  • notify Merchant if, in Globo’s opinion, an instruction infringes Applicable Data Protection Laws.

8. Merchant Obligations

  • comply with Applicable Data Protection Laws in its use of the Services;
  • provide appropriate notices to data subjects;
  • obtain all necessary consents or establish another valid legal basis for processing;
  • ensure that Personal Data submitted to the Services is lawful, accurate, and relevant;
  • configure the Services in a manner consistent with Merchant’s privacy obligations;
  • respond to data subject requests unless assistance from Globo is required.

9. Sub-processors

Merchant provides Globo with general authorization to engage Sub-processors to provide the Services. Globo will ensure that Sub-processors are bound by written obligations that provide an appropriate level of protection for Personal Data.

Entity Type of Service Location
Amazon Web Services Inc. Email communication and infrastructure provider Canada
Crisp IM Support ticket management France
DigitalOcean Cloud hosting and infrastructure provider United States of America

Globo may update the list of Sub-processors from time to time. If required by Applicable Data Protection Laws, Globo will provide notice of material changes to Sub-processors and allow Merchant to object on reasonable data protection grounds.

10. International Data Transfers

Globo is incorporated in Vietnam and uses infrastructure and service providers that may process Personal Data outside the European Economic Area (EEA), including in the United States of America and other jurisdictions.

Where Personal Data subject to GDPR is transferred outside the EEA to a country that has not been recognized as providing an adequate level of protection, Globo will rely on appropriate safeguards, which may include the EU Standard Contractual Clauses (SCCs), as applicable.

For transfers from Merchant as Controller to Globo as Processor, the applicable SCC module will generally be Module Two: Controller to Processor, unless another module is more appropriate based on the parties’ roles.

11. Security Measures

Globo implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure. These measures may include:

  • HTTPS/TLS encryption for data transmission;
  • access controls limiting access to authorized personnel;
  • confidentiality obligations for personnel with access to Personal Data;
  • regular backup procedures;
  • infrastructure monitoring and security controls;
  • least-privilege access where applicable;
  • logging and monitoring for service security and troubleshooting;
  • secure hosting through reputable cloud infrastructure providers;
  • internal procedures for handling security incidents.

Merchant acknowledges that no system can guarantee absolute security, but Globo will maintain commercially reasonable safeguards appropriate to the nature of the Services and the Personal Data processed.

12. Personal Data Breach

Globo will notify Merchant without undue delay and, where feasible, within 72 hours after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed on behalf of Merchant.

The notification will include available information reasonably necessary for Merchant to assess the incident and comply with its own breach notification obligations, including, where available:

  • the nature of the breach;
  • categories and approximate number of affected data subjects;
  • categories and approximate number of affected records;
  • likely consequences of the breach;
  • measures taken or proposed to address the breach.

13. Data Subject Requests

If Globo receives a request from a data subject relating to Personal Data processed on behalf of Merchant, Globo will, where reasonably possible, direct the data subject to Merchant or notify Merchant, unless prohibited by law.

Globo will reasonably assist Merchant in fulfilling requests to access, correct, delete, restrict, or export Personal Data, taking into account the nature of the Services and the information available to Globo.

14. Data Retention and Deletion

Globo retains Personal Data only as necessary to provide the Services, comply with legal obligations, resolve disputes, maintain security, and enforce agreements.

Unless otherwise required by law or agreed with Merchant:

  • app data is deleted or anonymized within 30 days after Merchant uninstalls the relevant app or submits a verified deletion request;
  • backups are retained for up to 30 days and deleted through normal backup rotation;
  • uploaded files are retained according to Merchant’s selected app pricing plan and app configuration, and are deleted after uninstall or verified deletion request in accordance with this section;
  • security and application logs are generally retained for up to 90 days unless a longer period is required for security, fraud prevention, debugging, or legal compliance.

Upon termination of the Services, Merchant may request deletion or return of Personal Data by contacting [email protected].

15. Audit and Compliance

Upon reasonable written request, Globo will provide Merchant with information necessary to demonstrate compliance with this DPA.

Any audit or inspection must be conducted in a manner that does not compromise the security, confidentiality, or availability of Globo’s systems or other customers’ data. Globo may satisfy audit requests by providing relevant documentation, security summaries, or written responses.

16. Confidentiality

Globo will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations or an appropriate statutory obligation of confidentiality.

17. Return or Deletion of Personal Data

At Merchant’s choice and subject to the technical functionality of the Services, Globo will delete or return Personal Data after termination of the Services unless applicable law requires continued storage.

Deletion requests may be submitted to [email protected].

18. Changes to this DPA

Globo may update this DPA from time to time to reflect changes in the Services, legal requirements, or operational practices.

The updated version will be posted on Globo’s website. Material changes will take effect no earlier than the date specified in the updated DPA, unless required sooner by law.

19. Governing Law

This DPA is governed by the laws of Vietnam, unless otherwise required by Applicable Data Protection Laws.

Where the EU Standard Contractual Clauses apply, the governing law and jurisdiction provisions of the SCCs will apply to those clauses.

20. Contact

For privacy, data protection, or DPA-related questions, please contact:

PowerfulForm Technology Company Limited

19 Tuyen, Soc Son, Hanoi, Vietnam

Email: [email protected]