
Data Sharing Agreement (SLS)

These terms and conditions form a binding Data Sharing Agreement (“Agreement”) between Shopee Logistics Services Private Limited (“Customer”) and the entity (“Service Provider”) which had submitted the electronic form which incorporates the link to this webpage (“Acceptance Form”).

 

1.              INTERPRETATION

 

1.1     In this Agreement, the following words will have the meanings assigned to them in this Clause, except where inconsistent with the context:

 

“Breach Incident” means any collection, use or disclosure of any Shared Personal Data otherwise than as permitted under this Agreement; any unauthorised access, collection, use, disclosure, copying, modification or disposal of any Shared Personal Data, or the loss of any storage medium or device on which Shared Personal Data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the Shared Personal Data is likely to occur; or any security breach in connection with the Agreement that could compromise the security or integrity of Shared Personal Data;

 

"Business Day" means a day (other than a Saturday or Sunday) on which banks are open for general business in Singapore;

 

"Data Protection Laws" means the Singapore Personal Data Protection Act 2012 (the “PDPA”) and any applicable personal data protection or privacy laws and regulations in any other jurisdiction, including all applicable subsidiary legislation, regulations, orders, standards, guidelines related thereto and any amendments or re-enactments made from time to time;

 

“Effective Date” means the date on which the Service Provider submitted the Acceptance Form;

 

“Party” means either the Customer or the Service Provider;

 

"Personal Data" means data, whether true or not, about an individual who can be identified either from that data or from that data when combined with other information to which an entity has access or is likely to have access;

 

"Process", "Processed", "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

"Purpose" has the meaning given in Clause 3.1 of this Agreement;

 

"Representatives" means, as applicable in relation to a Party, its directors, officers, employees, agents, consultants, advisers, subcontractors or other representatives and the directors, officers, employees, agents, consultants, advisers, subcontractors or other representatives of each of the Parties;

 

“Security Measures” means the security measures set out in Schedule 1;

 

“Services” has the meaning given to it in the Services Agreement;

 

“Services Agreement” means the underlying agreement between Customer and Service Provider for the provision of logistics services by Service Provider to Customer from time to time; and

 

"Shared Personal Data" means the Personal Data that Customer provides to the Service Provider for the Purpose under the Agreement.

 

 

2.        TERM

 

2.1      This Agreement commences on the Effective Date and will continue until terminated by Customer.

 

2.2    The termination or expiration of this Agreement shall be without prejudice to the Parties’ rights and liabilities that may have accrued prior to such expiration or termination, unless waived in writing by the Party enjoying the right.

 

 

3.        PURPOSE OF DATA SHARING

 

3.1   The Service Provider agrees to only Process the Shared Personal Data (i) in accordance with this Agreement, and (ii) for the sole purpose of providing the Services as set out in the Services Agreement (“Purpose”), and shall not Process Shared Personal Data in a way that is incompatible with the Purpose described in this Agreement or the Services Agreement.

 

3.2   Customer and Service Provider shall ensure that Shared Personal Data comprises only data or information that is necessary for the Purpose.

 

3.3      Customer and Service Provider shall each at all times comply with all applicable Data Protection Laws to the extent relevant to its Processing of Shared Personal Data or its obligations under the Agreement.

 

 

4.        PROTECTION OF SHARED DATA

 

4.1    Customer shall, in relation to the Shared Personal Data, obtain consent (where necessary) and/or provide notice in accordance with Data Protection Laws to enable Shared Personal Data to be provided to, and used by, Service Provider as contemplated by the Agreement.

 

4.2     The Service Provider shall, and shall procure that its Representatives shall:

 

(a)     permit only authorised Representatives to access the Shared Personal Data strictly on a need-to-know basis, ensure that any such authorised Representatives shall be subject to a strict duty of confidentiality, and Process the Shared Personal Data for no longer than is necessary to carry out the Purpose and in any event not longer than any statutory data retention periods applicable under any Data Protection Laws;

 

(b)     return or destroy any Shared Personal Data when no longer necessary for the Purpose or upon the Customer’s written request. Following such return or destruction, the Service Provider shall provide written confirmation to Customer that it no longer possesses the Shared Personal Data in any form. This requirement shall not apply to the extent that Service Provider is required by applicable law to retain some or all of the Shared Personal Data, in which event Service Provider shall isolate and protect such data from any further Processing except to the extent required by such law until deletion is possible;

(c)    not engage any third party or subcontractor to Process the Shared Personal Data unless it has given to Customer the full details of such third party or subcontractor (including name of third party or subcontractor, registered address, company registration number) and details and duration of the proposed Processing of the Shared Personal Data by the third party or subcontractor, and obtained the prior written consent of Customer. Where the Customer has given such prior written consent to the Service Provider, the Service Provider agrees that it shall remain fully liable and responsible for any actions, omissions or negligence of such third party or subcontractor and shall procure that such third party or subcontractor is bound by binding data protection obligations equivalent to those set out in this Agreement;

(d)    where prior written consent has been given by Customer to Service Provider to engage a third party or subcontractor to Process the Shared Personal Data, instruct all third parties or subcontractors to whom Service Provider has disclosed any Shared Personal Data to return to the Service Provider, delete, or destroy such Shared Personal Data where the Purpose has been fulfilled or in accordance with Customer’s written instructions;

 

(e)   assist Customer to comply with its data access and correction obligations pursuant to Data Protection Laws, including: (i) assisting with any data subject access requests which it may receive from individuals to whom any Shared Personal Data relates; and (ii) carrying out any request from Customer to amend, restrict, or delete any Shared Personal Data; and

 

(f)      implement and maintain appropriate technical and organisational measures to protect the Shared Personal Data, including the Security Measures.

 

4.3    Service Provider shall notify the Customer in writing without undue delay and in any event within 24 hours after it reasonably suspects or becomes aware that any Breach Incident has occurred. Such notification shall include (a) a description of the cause of the Breach Incident; (b) the nature of the Breach Incident; (c) the categories and approximate number of data subjects involved; (d) the categories and volume of Shared Personal Data affected; (e) the actions that the Service Provider has taken to address the Breach Incident and to mitigate its adverse effects; (f) whether the Breach Incident is on-going or it has been contained; and (g) the details of the Service Provider’s data protection officer.

4.4    Upon notification of the Breach Incident to the Customer, the Service Provider shall within 48 hours conduct an assessment, investigate and contain the Breach Incident. The Service Provider undertakes and agrees to use all reasonable endeavours to assist Customer in relation to the investigation, mitigation and remedy of such Breach Incident. The Service Provider shall also assist the Customer in fulfilling its legal obligations, including notifying applicable data protection authorities and affected data subjects as required.

4.5    The Service Provider shall bear full responsibility and liability for any Breach Incident caused by its acts, omissions or negligence, and/or those of its third parties or subcontractors, which includes any failure to implement appropriate technical and organisational measures to protect the Shared Personal Data including the Security Measures.

 

5.        INDEMNIFICATION

 

5.1     Service Provider will defend, indemnify and hold harmless Customer and its Representatives against all actions, claims, demands, losses, damages, statutory penalties, expenses and costs (including legal costs on an indemnity basis) in respect of any breach of Service Provider and its Representatives’ obligations under this Agreement, or any act, omission or negligence of Service Provider and its Representatives or its subcontractors that causes or results in Customer being in breach of any Data Protection Laws.

 

5.2     Without prejudice to any of the Customer’s rights under the Services Agreement, this Agreement or any applicable law, Service Provider acknowledges and agrees that, in the event of any breach of Service Provider and its Representatives’ obligations under this Agreement, or any act, omission or negligence of Service Provider and/or its Representatives or its third parties or subcontractors that (i) causes or results in a Breach Incident or (ii) causes or results in Customer being in breach of any Data Protection Laws:

(a)  such breach shall constitute a breach under this Agreement that falls within the scope of Clause 5.1 of this Agreement and Customer and/or its Representatives shall have the right to claim an indemnity under Clause 5.1 of this Agreement; and

(b)  where it is a remediable breach, (i) the Customer shall notify the Service Provider of such breach, and (ii) the Service Provider shall rectify such breach promptly and in any event within 3 Business Days of receiving the Customer’s notification. Where the Service Provider has failed to rectify such breach within 3 Business Days, the Customer shall be entitled to take any or all of the following measures:

A.   impose liquidated damages amounting to 10% of the Service Provider’s average daily Fee (calculated as the aggregated Fees payable under the Services Agreement by Customer to Service Provider in the immediately preceding month divided by the number of calendar days in that month) for each calendar day that such breach remains unrectified by Service Provider;

B.    reduce the volume of Services engaged from the Service Provider;

C.  suspend any orders under the Services Agreement until such breach is remedied to the Customer’s satisfaction;

D. terminate the Services Agreement with immediate effect, without prejudice to the Customer’s rights to claim any and all damages against the Service Provider; and/or

E.  claim all damages against the Service Provider resulting from the Service Provider’s and/or its Representatives’ breach of Data Protection Laws and/or this Agreement, including any fines, penalties, or compensation paid by the Customer to data subjects or regulatory authorities.

5.3    Service Provider acknowledges and agrees that Customer shall have the right to set off and apply any sum due or owing by Service Provider or its Affiliates to Customer or its Affiliates under this Agreement against any amounts of debts, outstanding claims, demands, loss or damages, and/or any amounts due and owing by Customer and/or its Affiliates (as the case may be) to Service Provider and/or its Affiliates under the Agreement, the Services Agreement or any other dealings, agreements, contracts or debit notes.

 

 

6.        INSPECTION

 

6.1     The Customer reserves the right to conduct data security audits of the Service Provider, either by itself or through a designated third party, to ensure or monitor the Service Provider’s compliance with Data Protection Laws and its obligations set forth in this Agreement.

6.2     The Customer shall provide the Service Provider with reasonable notice of any audit, except where the audit is conducted following a Breach Incident or suspected non-compliance of Data Protection Laws or this Agreement, in which case no notice shall be required. The Service Provider shall provide full cooperation and access to all relevant records, systems, and personnel during such audits. Such audits shall not relieve Service Provider of any of its obligations under this Agreement or Data Protection Laws.

6.3    If any vulnerabilities, non-compliance, or deficiencies are identified during an audit, the Service Provider shall, at its own cost, implement all necessary corrective measures within a reasonable timeframe specified by the Customer. Failure by the Service Provider to cooperate with an audit or to remedy identified vulnerabilities shall entitle the Customer to the rights as set out in Clause 5.2 of this Agreement.

 

7.        CHANGE IN LAWS

 

7.1    Customer agrees to consider good faith modifications to this Agreement if changes are required for a Party to continue to Process the Shared Personal Data in compliance with Data Protection Laws or to address the legal interpretation of Data Protection Laws, including to comply with any amendments to the PDPA.

 

8.        GOVERNING LAW AND JURISDICTION

 

8.1     This Agreement and any non-contractual rights or obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Singapore.

 

8.2     In the event of any dispute, controversy, difference or claim arising under or relating to this Agreement (including, without limitation: (1) any contractual or non-contractual rights, obligations or liabilities; and (2) any issue as to the existence, validity or termination of this Agreement) (a “Dispute”), a Party shall promptly notify the other Party in writing (the “Dispute Notice”) and the Parties shall conduct discussions and negotiations in good faith. Any resolution of such Dispute is to be set forth in writing signed by the Parties. If such Dispute cannot be satisfactorily resolved by the Parties through good faith negotiations within thirty (30) calendar days after the Dispute Notice, it shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in Singapore in accordance with the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference in this Clause. The seat of the arbitration shall be Singapore. This arbitration agreement shall be governed by Singapore law. The Tribunal shall consist of three (3) arbitrators and the language of the arbitration shall be English.

 

8.3    In any action or suit between the Parties to enforce any right or remedy under this Agreement or to interpret any provision of this Agreement, the prevailing Party shall be entitled to recover its costs, including reasonable and justified legal costs.

 

 

9.        GENERAL PROVISIONS

 

9.1   The relationship between the Parties shall be at all times that of independent contractors. Nothing contained herein or done pursuant hereto shall constitute either Party (or its agents or employees) as an agent, legal representative, partner, trust, joint venturer or employee of the other Party for any purpose whatsoever, and each Party and its Representatives shall have no right, power, or authority to assume, create, or incur, in writing or otherwise, any expense, liability, or obligation in the name or on behalf of the other Party.

 

9.2      Except as expressly stated in this Agreement, a person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act of Singapore to enforce any term of this Agreement, but this does not affect any right or remedy of a third party which exists or is available apart from the aforementioned Act. The rights of the Parties to rescind or vary this Agreement are not subject to the consent of any other person.

 

9.3     Each Party shall do all things necessary, including executing all documents necessary, to give effect to the intention of the Parties in relation to this Agreement.

 

9.4   Unless otherwise stated herein, each Party shall bear all of its costs and expenses incurred in the performance of its own undertakings, duties, and obligations under this Agreement.

 

9.5    This Agreement sets forth the entire agreement between the Parties with respect to the subject matter hereof, merges all discussions between them, and supersedes and replaces any and every other prior or contemporaneous agreement, understanding or negotiation, whether written or oral, that may have existed among the Parties to the extent that any such agreement relates to the subject matter hereof. For the avoidance of doubt, the Parties agree that the terms in this Agreement supersede and replace any and all existing privacy and data protection terms previously concluded between the Parties (which may include terms included in standalone data sharing agreements (if any) or in the Services Agreement).

 

9.6    Where any provision of this Agreement is or becomes illegal, invalid or unenforceable in any respect under the laws of any jurisdiction, then such provision shall be deemed to be severed from this Agreement and, if possible, replaced with a lawful provision which, as closely as possible, gives effect to the intention of the Parties under this Agreement and, where permissible, that shall not affect or impair the legality, validity or enforceability in that, or any other, jurisdiction of any other provision of this Agreement.

 

9.7    Neither Party may or shall assign, transfer (by way of novation or otherwise), or create any trust or purport to do the same, in respect of a right or obligation in, this Agreement without the prior written consent of the other Party hereto (not to be unreasonably withheld or delayed), provided that the Customer may assign or transfer (by way of novation or otherwise) its right or obligation in this Agreement to: (a) its Affiliates, or (b) a third party as part of a corporate restructuring. The terms and conditions of this Agreement will inure to the benefit of and bind each Party’s respective successors and permitted assigns.

 

9.8     The failure of a Party to enforce at any time or for any period of time any of the provisions hereof shall not be construed to be a waiver of such provision or of the right of such Party thereafter to enforce each such provision. No waiver of any term or condition of this Agreement shall be valid or binding on a Party unless the same is set forth in a written document, specifically referring to this Agreement and duly signed by the waiving Party.

 

9.9     Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by applicable law.

 

9.10  This Agreement is written in the English language only, and it shall be the binding and controlling agreement for all respects, and all versions hereof in any other language shall be for accommodation only and shall not be binding upon the Parties.

 

9.11   This Agreement may be modified from time to time at the sole discretion of the Customer by posting the revised version online, and Service Provider’s continued provision of Services shall constitute its acceptance of such revised Agreement (regardless of whether it has reviewed such changes).

 

SCHEDULE 1

 

For the purposes of Clause 4.2(f) of this Agreement, “appropriate technical and organisational measures” shall, at minimum, include the following technical and organisational measures:-

 

1.       Logical Security

 

1.1.    The logical security processes set out in this Clause 1 apply to all systems used by the Service Provider and its Representatives to access, process, store or maintain any Personal Data, including any third party hosted systems and any system that can connect, via any form of communication interface, to the system on which any of Customer’s content (“Customer Content”) is stored (collectively, the "Systems").

 

1.2.    Service Provider and its Representatives shall at all times employ access control mechanisms that:

 

(a)     prevent unauthorised access to Shared Personal Data;

 

(b)     limit access of Shared Personal Data to the Representatives on a need-to-know basis;

 

(c)     allow access to information and resources only to the extent allowed under the Agreement; and

 

(d)     are capable of detecting, logging, and reporting (i) access to the Systems; and (ii) any Breach Incident or attempt to breach security of any System. This includes (but is not limited to) requiring two-factor authentication for remote access to any network storing, transmitting, or containing Shared Personal Data.

 

1.3.    The Service Provider shall do the following to ensure telecommunication and network security:

 

(a)     deploy appropriate firewall technology in the operation of the Service Provider’s applications and sites, and protect and authenticate traffic between the Service Provider and Customer using industry standard cryptographic technologies;

 

(b)     review firewall rule sets annually to ensure that legacy rules are removed and active rules are configured correctly;

 

(c)     deploy intrusion detection and prevention systems in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host;

 

(d)     deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year;

 

(e)     establish and maintain appropriate network segmentation to restrict network access to Systems storing Shared Personal Data, and prohibit direct connections from public networks into any network segment storing any Customer Content;

 

(f)      in the event that the Service Provider deploys a wireless network, the Service Provider shall configure and maintain the use, configuration and management of wireless networks to meet the following:

 

(i)      all wireless devices shall be protected using appropriate physical controls to minimise the risk of theft, unauthorised use, or damage;

 

(ii)     network access to wireless networks shall be restricted to authorised Representatives only;

 

(iii)    access points shall be segmented from an internal, wired LAN using a gateway device;

 

(iv)    the service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value;

 

(v)     encryption of all wireless connections will be enabled using industry standard encryption algorithms (e.g. WPA2 or WPA3 with 802.1X authentication and AES-based encryption);

 

(vi)    if supported, auditing features on wireless devices shall be enabled and resulting logs shall be reviewed periodically by designated staff or a wireless intrusion prevention system. Logs must be retained for ninety (90) days or longer;

 

(vii)   SNMP shall be disabled if not required for network management purposes. If SNMP is required for network management purposes, SNMP will be read-only with appropriate access controls that prohibit wireless devices from requesting and retrieving information and all default community strings will be changed; and

 

(g)     maintain a program to detect rogue access points at least quarterly to ensure that only authorised wireless access points are in place or, if no wireless solution has been deployed, to ensure that user-deployed wireless access points are not in use.

 

1.4.    The Service Provider shall revoke the access of any Representatives to physical locations, Systems, and applications that contain or process Personal Data within twenty-four (24) hours of the cessation of the relevance or need for such access by such person.

 

1.5.    Each of the Representatives must have an individual account that authenticates that individual’s access to Personal Data. The Service Provider must not allow sharing of accounts.

1.6.    Access controls and passwords must be configured in accordance with industry standards and best practices.

 

1.7.    The Service Provider will review, at least once per annum, access controls for any System that contains Personal Data. The relevant access processes in respect of such System, including the process to establish and delete individual accounts should be documented in the Service Provider’s written information privacy and security program (referred to in Clause 6.1 below).

 

1.8.    All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server, and virus definitions shall be updated within twenty-four (24) hours of release by the anti-virus software vendor. The Service Provider shall configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Customer’s or the Service Provider’s computing environment.

 

2.       Email Security

 

2.1.    If the Service Provider or the Representatives are sending emails to Customer’s users, appropriate email identity solutions (e.g. SPF, DKIM and DMARC) will be utilised.

 

3.       Security Assessments and Audits

 

3.1.    The Service Provider shall, upon reasonable notice, allow its data processing facilities, procedures and documentation to be inspected by Customer (or its designee) in order to ascertain compliance with applicable laws, this Agreement, or any agreements between Service Provider and Customer.

 

3.2.    The Service Provider shall fully cooperate with audit requests by providing Customer access to relevant knowledgeable Representatives, physical premises, documentation, infrastructure, and application software.

 

3.3.   The Service Provider shall, upon reasonable notice, submit to Customer a penetration test report administered by a third-party vendor approved by Customer, and shall bear all costs and expenses of obtaining the penetration test report.

 

4.       Storage, Handling, and Disposal

 

4.1.    The Service Provider shall utilise industry standard encryption algorithms and key strengths to encrypt:

 

(a)     all Shared Personal Data that is in electronic form while in transit over all public wired networks (e.g., the internet) and all wireless networks; and

 

(b)     all devices used outside of a data centre (e.g., laptop, desktop, tablet, smartphone) to perform any services pursuant to the Agreement or any of Service Provider’s applications,

 

and shall in all cases:

 

(c)     store passwords only as the output of an irreversible (one-way) industry standard password hashing algorithm, with a randomly generated "salt" added to the input string prior to hashing, so that the same password text chosen by different users will yield different encodings; and

 

(d)     enforce the same encryption standards with all Personal Data transfers that may occur with any third parties engaged or otherwise utilised by the Service Provider in connection with the provision of Services.
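Clause 4.1(c) above names the technique (salted, one-way password hashing) without showing it. The following Python is an added illustration by the editor, not part of the Agreement and not code from either Party's systems. It puts the forbidden pattern (a bare hash, identical for every user who chooses the same password) next to the required one: a fresh random salt per stored password, an iterated industry standard algorithm (PBKDF2-HMAC-SHA256 from the standard library), and constant-time verification. The stored record format and the `needs_rehash` helper are assumptions for the example, not requirements of Schedule 1.

```python
"""Salted, iterated password hashing in the sense of Schedule 1, clause 4.1(c).

Added illustration; not part of the Agreement. Standard library only.
Stored record format is an assumption for this example:
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
"""
import base64
import binascii
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16       # 128-bit random salt, unique per stored password
DIGEST_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """The pattern clause 4.1(c) forbids: a bare hash, identical for every
    user who picks the same password, so one cracked digest is cracked for all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt, digest.
    A fresh random salt makes two users with the same password store
    different records, which is exactly what clause 4.1(c) asks for."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DIGEST_BYTES
    )
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare
    in constant time. Malformed records are rejected, never raised on."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        work = int(iterations)
    except (ValueError, binascii.Error):
        return False
    if work < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, work, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, *, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current
    policy, so it should be re-hashed on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed demo: two users who happen to choose the same password.
    pw = "correct horse battery staple"
    print("unsalted, identical:", unsalted_sha256(pw) == unsalted_sha256(pw))
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted, distinct   :", alice != bob)
    print("alice verifies     :", verify_password(pw, alice))
    print("wrong pw rejected  :", not verify_password("Tr0ub4dor&3", alice))
```

Because the work factor travels with the record, an auditor checking compliance with clause 4.1(c) can read the algorithm and iteration count straight from storage, and the operator can raise the iteration count over time without invalidating existing accounts.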

 

4.2.    To the extent Service Provider is operating a data centre or utilising a third party data centre, Service Provider will comply with the physical security controls outlined in one or more of the following industry standards: ISO 27001, SSAE 16 (or its successor SSAE 18) or ISAE 3402, or PCI DSS. The Service Provider shall also physically or logically separate and segregate the Personal Data from the Service Provider’s other clients’ data.

 

4.3.    Except where prohibited by applicable laws, upon the earliest of (i) the termination of the Agreement; (ii) the cessation of the need of any Personal Data for the purposes of the Agreement; or (iii) at any time upon written request from Customer, Service Provider will:

 

(a)     promptly remove the Personal Data from Service Provider’s environment and destroy it within a reasonable timeframe, but in no case longer than thirty (30) days thereafter,  

   

(b)     sanitise or destroy as required in Section 4.4 all media used to store Personal Data, and

 

(c)     provide Customer a written certification regarding such removal, destruction, and/or cleaning upon request.

 

4.4.    The Service Provider shall dispose of the relevant Personal Data when it is no longer necessary to retain it, or when its retention has exceeded the period permitted by industry best practices. Personal Data shall be disposed of in a manner that prevents any recovery of the data, in accordance with industry best practices for shredding of physical documents and wiping of electronic media. The Service Provider shall destroy any equipment containing Personal Data that is damaged or non-functional. All Personal Data must be rendered unreadable and unrecoverable regardless of its form (physical or electronic).

 

4.5.    The Service Provider shall: (a) provide Customer with a list of all IP addresses and domain names used in connection with Service Provider’s provision of the Services upon Customer’s written request; and (b) ensure that all such IP addresses are updated at least once each calendar quarter. 

 

5.       Systems Development and Maintenance

 

5.1.    The Service Provider shall maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Shared Personal Data. The Service Provider must employ documented secure programming guidelines, standards, and protocols in the development of applications that process or store any Shared Personal Data. The Service Provider shall be responsible for verifying that all development staff have been successfully trained in secure programming techniques. The Representatives must be trained on all current application vulnerabilities, including how to recognise these issues and how to remediate them.

 

5.2.    The Service Provider shall employ an effective, documented change management program with respect to Services provided pursuant to the Agreement or any of the Service Provider’s applications. This includes logically or physically separate environments from production for all development and testing. No Shared Personal Data will be transmitted, stored or processed in a non-production environment.

 

5.3.    The Service Provider must run internal and external network vulnerability scans at least quarterly and following any material change in the network configuration. Vulnerabilities identified and rated as high risk by the Service Provider must be remedied within ninety (90) days of discovery.

 

5.4.    For all internet-facing applications that collect, transmit or display any Customer Content, the Service Provider agrees to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognised organisations, annually and for all major releases. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review.

 

5.5.   For all mobile applications that collect, transmit or display Customer Content, the Service Provider agrees to conduct an application security assessment review to identify and remediate industry-recognised vulnerabilities specific to mobile applications.

 

5.6.    The Service Provider must use a qualified third party to conduct the application security assessments. The Service Provider may alternatively conduct the security assessment review itself, provided that the Representatives performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Customer in writing. Vulnerabilities identified and considered as high risk by the Service Provider will be remedied within ninety (90) days of discovery.

 

5.7.    The Service Provider shall patch all workstations and servers with all current operating system, database and application patches deployed in Service Provider’s computing environment according to a schedule predicated on the criticality of the patch. The Service Provider must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed thirty (30) days from the date of release.

 

6.       Security Management

 

6.1.    The Service Provider shall develop, implement, maintain and enforce a written information privacy and security program that:

 

(a)     aligns with industry recognised frameworks as may be designated by Customer from time to time;

 

(b)     includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Content and Shared Personal Data;

 

(c)     is appropriate to the nature, size and complexity of Service Provider’s business operations; and

(d)     complies with any applicable laws that apply to Service Provider in any jurisdiction.

 

6.2.   The Service Provider shall provide details of any major change to its security program that may adversely affect the security of any Shared Personal Data. Such details must be communicated in writing to Customer at sg.logistics@shopee.com within ten (10) business days before such change is implemented.

 

6.3.    The Service Provider shall designate a senior employee to be responsible for overseeing and carrying out Service Provider’s security program and for communicating with Customer on information security matters (the “Security Officer”).

 

6.4.    Upon Customer’s request, the Security Officer will provide Customer with the contact information of one or more of the Service Provider’s representatives who will be available to discuss any security concerns (e.g. discovered vulnerability, exposed risk, reported concern) with Customer and to communicate the level of risk associated with such concerns and any remediation thereof. Such representatives shall be available during normal business hours. Any changes to the contact information of the Security Officer or designated representatives must be communicated in writing to Customer at sg.logistics@shopee.com within twenty-four (24) hours.

 

6.5.    The Service Provider shall ensure that each of Service Provider’s Representatives provides their services with promptness, diligence, due care and skill and at all times in accordance with the best industry and professional standards and practices used in well-managed establishments, agencies, or operations involving the performance of similar services.

 

6.6.    The Service Provider shall implement fine-grained access control mechanisms to allow granting rights to any party using Service Provider’s Application (e.g., access to a specific set of data in its custody) and to the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend Personal Data must be protected under a unique access role, and access should be granted on a "need-to-know" basis.

 

6.7.    The Service Provider shall gather logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) affecting Service Provider’s applications and systems. The Service Provider must implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Customer Content. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves should not contain Personal Data and must be retained for at least 90 days for reference. The Service Provider shall also build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). The Service Provider shall perform an investigation when monitoring alarms are triggered, and this process should be documented in the Service Provider’s incident response plan.

 

Last updated: 24 March 2025