THIS DATA SHARING AGREEMENT (“DSA”) shall apply to the processing of all Personal Data by Supplier in connection with the Agreement.
1. INTERPRETATION
1.1 Unless otherwise defined in this DSA, capitalised words shall have the meanings assigned to them in the rest of the Agreement.
1.2 In this DSA, the following words will have the meanings assigned to them in this Clause, except where inconsistent with the context:
“Breach Incident” means any collection, use, disclosure of any Shared Personal Data otherwise than as permitted under this DSA; any unauthorised access, collection, use, disclosure, copying, modification or disposal of any Shared Personal Data or the loss of any storage medium or device on which Shared Personal Data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the Shared Personal Data is likely to occur; or any security breach in connection with the DSA that could compromise the security or integrity of Shared Personal Data;
“Business Day” means a day (other than a Saturday or Sunday) on which banks are open for general business in Singapore;
"Data Protection Laws" means the Singapore Personal Data Protection Act 2012 (the “PDPA”) and any applicable personal data protection or privacy laws and regulations in any other jurisdiction, including all applicable subsidiary legislation, regulations, orders, standards, guidelines related thereto and any amendments or re-enactments made from time to time;
"Personal Data" means data, whether true or not, about an individual who can be identified either from that data or from that data when combined with other information to which an entity has access or is likely to have access;
"Process", "Processed", "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Purpose" has the meaning given in Clause 3.1 of this DSA;
“Security Measures” means the security measures set out in Schedule 1 of this DSA; and
"Shared Personal Data" means the Personal Data that Company provides to the Supplier for the Purpose under the Agreement.
2. TERM
2.1 This DSA commences on the Agreement Date and will continue until terminated by Company.
3. PURPOSE OF DATA SHARING
3.1 Supplier agrees to only Process the Shared Personal Data (i) in accordance with this DSA, and (ii) for the sole purpose of providing the Services (“Purpose”), and shall not Process Shared Personal Data in a way that is incompatible with the Purpose described in this DSA.
3.2 Company and Supplier shall ensure that Shared Personal Data comprises only data or information that is necessary for the Purpose.
3.3 Company and Supplier shall at all times comply with all applicable Data Protection Laws to the extent relevant to their Processing of Shared Personal Data or their obligations under this DSA.
4. PROTECTION OF SHARED DATA
4.1 Company shall, in relation to the Shared Personal Data, obtain consent (where necessary) and/or provide notice in accordance with Data Protection Laws to enable Shared Personal Data to be provided to, and used by, Supplier as contemplated by this DSA.
4.2 Supplier shall, and shall procure that its Representatives shall:
(a) permit only authorised Representatives to access the Shared Personal Data strictly on a need-to-know basis, ensure that any such authorised Representative shall be subject to a strict duty of confidentiality, and Process the Shared Personal Data for no longer than is necessary to carry out the Purpose and in any event not longer than any statutory data retention periods applicable under any Data Protection Laws;
(b) return or destroy any Shared Personal Data when no longer necessary for the Purpose or upon the Company’s written request. Following such return or destruction, the Supplier shall provide written confirmation to Company that it no longer possesses the Shared Personal Data in any form. This requirement shall not apply to the extent that Supplier is required by applicable law to retain some or all of the Shared Personal Data, in which event Supplier shall isolate and protect such data from any further Processing except to the extent required by such law until deletion is possible;
(c) not engage any third party or subcontractor to Process the Shared Personal Data unless it has given to Company the full details of such third party or subcontractor (including name of third party or subcontractor, registered address, company registration number) and details and duration of the proposed Processing of the Shared Personal Data by the third party or subcontractor, and obtained the prior written consent of Company. Where the Company has given such prior written consent to the Supplier, the Supplier agrees that it shall remain fully liable and responsible for any actions, omissions or negligence of such third party or subcontractor and shall procure that such third party or subcontractor is bound by binding data protection obligations equivalent to those set out in this DSA;
(d) where prior written consent has been given by Company to Supplier to engage a third party or subcontractor to Process the Shared Personal Data, instruct all third parties or subcontractors to whom Supplier has disclosed any Shared Personal Data to return to the Supplier, delete, or destroy such Shared Personal Data where the Purpose has been fulfilled or in accordance with Company’s written instructions;
(e) assist Company to comply with its data access and correction obligations pursuant to Data Protection Laws, including: (i) assisting with any data subject access requests which it may receive from individuals to whom any Shared Personal Data relates; and (ii) carrying out any request from Company to amend, restrict access to, or delete any Shared Personal Data; and
(f) implement and maintain appropriate technical and organisational measures to protect the Shared Personal Data, including the Security Measures.
4.3 Supplier shall notify the Company in writing without undue delay and in any event within 24 hours after it reasonably suspects or becomes aware that any Breach Incident has occurred. Such notification shall include (a) a description of the cause of the Breach Incident; (b) the nature of the Breach Incident; (c) the categories and approximate number of data subjects involved; (d) the categories and volume of Shared Personal Data affected; (e) the actions that the Supplier has taken to address the Breach Incident and to mitigate its adverse effects; (f) whether the Breach Incident is on-going or it has been contained; and (g) the details of the Supplier’s data protection officer.
4.4 Upon notification of the Breach Incident to the Company, the Supplier shall within 48 hours conduct an assessment, investigate and contain the Breach Incident. The Supplier undertakes and agrees to use all reasonable endeavours to assist Company in relation to the investigation, mitigation and remedy of such Breach Incident. The Supplier shall also assist the Company in fulfilling its legal obligations, including notifying applicable data protection authorities and affected data subjects as required.
4.5 The Supplier shall bear full responsibility and liability for any Breach Incident caused by its acts, omissions or negligence, and/or those of its third parties or subcontractors, which includes any failure to implement appropriate security arrangements to protect the Shared Personal Data, including the Security Measures.
5. INDEMNIFICATION
5.1 Without prejudice to any of the Company’s rights under the Agreement, this DSA or any applicable law, Supplier acknowledges and agrees that, in the event of any breach of Supplier and its Representatives’ obligations under this DSA, or any act, omission or negligence of Supplier and/or its Representatives or its third parties or subcontractors that (i) causes or results in a Breach Incident or (ii) causes or results in Company being in breach of any Data Protection Laws:
(a) such breach shall constitute a breach under this Agreement that falls within the scope of sub-clause (a) of the "Indemnification" section of the Standard Terms and Conditions; and
(b) where it is a remediable breach, (i) the Company shall notify the Supplier of such breach, and (ii) the Supplier shall rectify such breach promptly and in any event within 3 Business Days of receiving the Company’s notification. Where the Supplier has failed to rectify such breach within 3 Business Days, the Company shall be entitled to take any or all of the following measures:
a. impose liquidated damages amounting to 10% of the Supplier’s average daily Fee (calculated as the aggregated Fees payable by Company to Supplier in the immediately preceding month divided by the number of calendar days in that month) for each calendar day that such breach remains unrectified by Supplier;
b. reduce the volume of Services engaged from the Supplier;
c. suspend any Orders until such breach is remedied to the Company’s satisfaction;
d. terminate the Agreement with immediate effect, without prejudice to the Company’s rights to claim any and all damages against the Supplier; and/or
e. claim all damages against the Supplier resulting from the Supplier’s and/or its Representatives’ breach of Data Protection Laws and/or this DSA, including any fines, penalties, or compensation paid by the Company to data subjects or regulatory authorities.
5.2 Supplier acknowledges and agrees that Company shall have the right to set off and apply any sum due or owing by Supplier or its Affiliates to Company or its Affiliates under this DSA against any amounts of debts, outstanding claims, demands, loss or damages, and/or any amounts due and owing by Company and/or its Affiliates (as the case may be) to Supplier and/or its Affiliates under the Agreement or any other dealings, agreements, contracts or debit notes.
6. INSPECTION
6.1 The Company reserves the right to conduct data security audits of the Supplier, either by itself or through a designated third party, to ensure or monitor the Supplier’s compliance with Data Protection Laws and its obligations set forth in this DSA.
6.2 The Company shall provide the Supplier with reasonable notice of any audit, except where the audit is conducted following a Breach Incident or suspected non-compliance of Data Protection Laws or this DSA, in which case no notice shall be required. The Supplier shall provide full cooperation and access to all relevant records, systems, and personnel during such audits. Such audits shall not relieve Supplier of any of its obligations under this DSA or Data Protection Laws.
6.3 If any vulnerabilities, non-compliance, or deficiencies are identified during an audit, the Supplier shall, at its own cost, implement all necessary corrective measures within a reasonable timeframe specified by the Company. Failure by the Supplier to cooperate with an audit or to remedy identified vulnerabilities shall entitle the Company to the rights as set out in Clause 5.1 of this DSA.
7. CHANGE IN LAWS
7.1 The Parties agree to negotiate in good faith modifications to this DSA if changes are required for a Party to continue to Process the Shared Personal Data in compliance with Data Protection Laws or to address the legal interpretation of Data Protection Laws, including to comply with any amendments to the PDPA.
SCHEDULE 1
For the purposes of Clause 4.2(f) of this DSA, “reasonable security arrangements” shall, at minimum, include the following technical and organisational measures:
1. Logical Security
1.1 The logical security processes as set out in this Paragraph 1 apply to all systems used by the Supplier and its Representatives to access, process, store or maintain any Personal Data, including any third party hosted systems and any system that can connect, via any form of communication interface, to the system on which any of Company’s content (“Company Content”) is stored (collectively, the “Systems”).
1.2 Supplier and its Representatives shall at all times employ access control mechanisms that:
(a) prevent unauthorised access to Shared Personal Data;
(b) limit access of Shared Personal Data to the Representatives on a need-to-know basis;
(c) allow access to information and resources only to the extent allowed under the Agreement; and
(d) are capable of detecting, logging, and reporting (i) access to the Systems; and (ii) any Breach Incident or attempt to breach security of any System. This includes (but is not limited to) requiring two-factor authentication for remote access to any network storing, transmitting, or containing Shared Personal Data.
1.3 The Supplier shall do the following to ensure telecommunication and network security:
(a) deploy appropriate firewall technology in the operation of the Supplier’s applications and sites, and protect and authenticate traffic between the Supplier and Company using industry standard cryptographic technologies;
(b) review firewall rule sets annually to ensure that legacy rules are removed and active rules are configured correctly;
(c) deploy intrusion detection and prevention systems in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host;
(d) deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year;
(e) establish and maintain appropriate network segmentation to restrict network access to Systems storing Shared Personal Data, and prohibit direct connections from public networks into any network segment storing any Company Content;
(f) in the event that the Supplier deploys a wireless network, the Supplier shall configure and maintain the use, configuration and management of wireless networks to meet the following:
(i) all wireless devices shall be protected using appropriate physical controls to minimise the risk of theft, unauthorised use, or damage;
(ii) network access to wireless networks shall be restricted to authorised Representatives only;
(iii) access points shall be segmented from an internal, wired LAN using a gateway device;
(iv) the service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value;
(v) encryption of all wireless connections will be enabled using industry standard encryption algorithms (i.e. WPA2/WPA with 802.1X authentication and AES encryption);
(vi) if supported, auditing features on wireless devices shall be enabled and resulting logs shall be reviewed periodically by designated staff or a wireless intrusion prevention system. Logs must be retained for ninety (90) days or longer; and
(vii) SNMP shall be disabled if not required for network management purposes. If SNMP is required for network management purposes, SNMP will be read-only with appropriate access controls that prohibit wireless devices from requesting and retrieving information and all default community strings will be changed; and
(g) maintain a program to detect rogue access points at least quarterly to ensure that only authorised wireless access points are in place or, if no wireless solution has been deployed, to ensure that user-deployed wireless access points are not in use.
1.4 The Supplier shall revoke the access of any Representatives to physical locations, Systems, and applications that contain or process Personal Data within twenty-four (24) hours of the cessation of the relevance or need for such access by such person.
1.5 Each of the Representatives must have an individual account that authenticates that individual’s access to Personal Data. The Supplier must not allow sharing of accounts.
1.6 Access controls and passwords must be configured in accordance with industry standards and best practices.
1.7 The Supplier will review, at least once per annum, access controls for any System that contains Personal Data. The relevant access processes in respect of such System, including the process to establish and delete individual accounts should be documented in the Supplier’s written information privacy and security program (referred to in Paragraph 6.1 below).
1.8 All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server, and virus definitions shall be updated within twenty-four (24) hours of release by the anti-virus software vendor. The Supplier shall configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Company’s or the Supplier’s computing environment.
2. Email Security
2.1 If the Supplier or the Representatives are sending emails to Company’s users, appropriate email identity solutions will be utilised.
3. Security Assessments and Audits
3.1 The Supplier shall, upon reasonable notice, allow its data processing facilities, procedures and documentation to be inspected by Company (or its designee) in order to ascertain compliance with applicable laws, this Agreement, or any agreements between Supplier and Company.
3.2 The Supplier shall fully cooperate with audit requests by providing Company access to relevant knowledgeable Representatives, physical premises, documentation, infrastructure, and application software.
3.3 The Supplier shall, upon reasonable notice, submit to Company a penetration test report administered by a third-party vendor approved by Company, and to bear all costs and expenses to obtain the penetration test report.
4. Storage, Handling, and Disposal
4.1 The Supplier shall utilise industry standard encryption algorithms and key strengths to encrypt:
(a) all Shared Personal Data that is in electronic form while in transit over all public wired networks (e.g., the internet) and all wireless networks; and
(b) all devices used outside of a data centre (e.g., laptop, desktop, tablet, smartphone) to perform any services pursuant to the Agreement or any of Supplier’s applications,
and shall in all cases:
(c) store passwords only using irreversible industry standard hashing algorithms, with a randomly generated "salt" added to the input string prior to hashing to ensure that the same password text chosen by different users will yield different stored values; and
(d) enforce the same encryption standards with all Personal Data transfers that may occur with any third parties engaged or otherwise utilised by the Supplier in connection with the provision of Services.
4.2 To the extent Supplier is operating a data centre or utilising a third party data centre, Supplier will comply with the physical security controls outlined in one or more of the following industry standards: ISO 27001, SSAE 16 or ISAE 3402, or PCI-DSS. The Supplier shall also physically or logically separate and segregate the Personal Data from the Supplier’s other clients’ data.
4.3 Except where prohibited by applicable laws, upon the earliest of (i) the termination of the Agreement; (ii) the cessation of the need of any Personal Data for the purposes of the Agreement; or (iii) at any time upon written request from Company, Supplier will:
(a) promptly remove the Personal Data (including Personal Data transmitted via any newly developed API, such as PII API) from Supplier’s environment and destroy it within a reasonable timeframe, but in no case longer than thirty (30) days thereafter,
(b) sanitise or destroy as required in Paragraph 4.4 all media used to store Personal Data, and
(c) provide Company a written certification regarding such removal, destruction, and/or cleaning upon request.
4.4 The Supplier shall dispose of the relevant Personal Data when it is deemed no longer necessary to continue being preserved, or has exceeded industry best practices for the time/duration/age of the Personal Data. Personal Data should be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media. The Supplier shall destroy any equipment containing Personal Data that is damaged or non-functional. All Personal Data must be rendered unreadable and unrecoverable regardless of the form (physical or electronic).
4.5 The Supplier shall: (a) provide Company with a list of all IP addresses and domain names used in connection with Supplier’s provision of the Services upon Company’s written request; and (b) ensure that all such IP addresses are updated at least once each calendar quarter.
5. Systems Development and Maintenance
5.1 The Supplier shall maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any Shared Personal Data. The Supplier must employ documented secure programming guidelines, standards, and protocols in the development of applications that process or store any Shared Personal Data. The Supplier shall be responsible for verifying that all development staff have been successfully trained in secure programming techniques. The Representatives must be trained on all current application vulnerabilities, including how to recognise these issues and how to remediate them.
5.2 The Supplier shall employ an effective, documented change management program with respect to Services provided pursuant to the Agreement or any of the Supplier’s applications. This includes logically or physically separate environments from production for all development and testing. No Shared Personal Data will be transmitted, stored or processed in a non-production environment.
5.3 The Supplier must run internal and external network vulnerability scans at least quarterly and following any material change in the network configuration. Vulnerabilities identified and rated as high risk by the Supplier must be remedied within ninety (90) days of discovery.
5.4 For all internet-facing applications that collect, transmit or display any Company Content, the Supplier agrees to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognised organisations, annually and for all major releases. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review.
5.5 For all mobile applications that collect, transmit or display Company Content, the Supplier agrees to conduct an application security assessment review to identify and remediate industry-recognised vulnerabilities specific to mobile applications.
5.6 The Supplier must use a qualified third party to conduct the application security assessments. The Supplier may alternatively conduct the security assessment review itself, provided that the Representatives performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Company in writing. Vulnerabilities identified and considered as high risk by Supplier will be remedied within ninety (90) days of discovery.
5.7 The Supplier shall patch all workstations and servers with all current operating system, database and application patches deployed in Supplier’s computing environment according to a schedule predicated on the criticality of the patch. The Supplier must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed thirty (30) days from the date of release.
6. Security Management
6.1 The Supplier shall develop, implement, maintain and enforce a written information privacy and security program that:
(a) aligns with industry recognised frameworks as may be designated by Company from time to time;
(b) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Company Content and Shared Personal Data;
(c) is appropriate to the nature, size and complexity of Supplier’s business operations; and
(d) complies with any applicable laws that apply to Supplier in any jurisdiction.
6.2 The Supplier shall provide details of any major change to its security program that may adversely affect the security of any Shared Personal Data. Such details must be communicated in writing to Company at sg.logistics@shopee.com within ten (10) business days before such change is implemented.
6.3 The Supplier shall designate a senior employee to be responsible for overseeing and carrying out Supplier’s security program and for communicating with Company on information security matters (the “Security Officer”).
6.4 Upon Company’s request, the Security Officer will provide Company with the contact information of one or more of the Supplier’s representatives who will be available to discuss any security concerns (e.g. discovered vulnerability, exposed risk, reported concern) with Company and to communicate the level of risk associated with such concerns and any remediation thereof. Such representative shall be available during normal business hours. Any changes to the contact information of the Security Officer or designated representatives must be communicated in writing to Company at sg.logistics@shopee.com within twenty-four (24) hours.
6.5 The Supplier shall ensure that each of Supplier’s Representatives provides their services with promptness, diligence, due care and skill and at all times in accordance with the best industry and professional standards and practices used in well-managed establishments, agencies, or operations involving the performance of similar services.
6.6 The Supplier shall implement fine-grained access control mechanisms to allow granting rights to any party using Supplier’s Application (e.g., access to a specific set of data at its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend Personal Data must be protected under a unique access role, and access should be granted on a "need-to-know" basis.
6.7 The Supplier shall gather logs to detect security-related events (e.g., access and authorisation, intrusion attempts, configuration changes) relating to Supplier’s applications and systems. The Supplier must implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Company Content. All logs must have access controls to prevent any unauthorised access and tampering throughout their lifecycle. Logs themselves should not contain Personal Data and must be retained for at least 90 days for reference. The Supplier shall also build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorised calls, unexpected request rate and data retrieval volume, and access to canary data records). The Supplier shall perform an investigation when monitoring alarms are triggered, and this should be documented in the Supplier’s incident response plan.
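As an added illustration of Paragraph 6.7 (not part of the DSA or any Supplier's system), the following Python script reads constructed JSON access-log events and raises the alarms the paragraph names: repeated unauthorised calls, an unexpected request rate or retrieval volume, and any read of a canary record. It also flags a log event that carries Personal Data fields, since the paragraph forbids that. The thresholds, field names and sample events are assumptions chosen for the example.

```python
"""Constructed example: monitoring access logs for the Paragraph 6.7 alarm
conditions. Thresholds, field names and sample events are assumptions."""
from collections import Counter
from dataclasses import dataclass
import json

CANARY_RECORDS = {"rec-canary-0001", "rec-canary-0002"}  # decoy rows no workflow reads
DENIED_THRESHOLD = 3      # unauthorised (denied) calls per principal per window
RATE_THRESHOLD = 5        # calls per principal per window (small for the sample)
VOLUME_THRESHOLD = 1000   # rows retrieved per principal per window
WINDOW_SECONDS = 60
# Keys that would put Personal Data into the log, which the DSA forbids.
PERSONAL_DATA_FIELDS = {"name", "email", "phone", "address"}


@dataclass(frozen=True)
class Alarm:
    rule: str
    principal: str   # account or service identifier, never a person's name
    detail: str


def personal_data_fields(event):
    """Return the keys of a log event that would carry Personal Data."""
    return sorted(k for k in event if k in PERSONAL_DATA_FIELDS)


def detect_alarms(lines):
    """Parse JSON log lines and return the investigative alarms to raise."""
    alarms = []
    denied, calls, rows = Counter(), Counter(), Counter()
    for line in lines:
        e = json.loads(line)
        leaked = personal_data_fields(e)
        if leaked:
            alarms.append(Alarm("personal_data_in_log", e["principal"],
                                "fields: " + ",".join(leaked)))
        # Bucket activity per principal per fixed time window.
        key = (e["principal"], e["ts"] // WINDOW_SECONDS)
        calls[key] += 1
        rows[key] += e.get("rows", 0)
        if e["outcome"] == "denied":
            denied[key] += 1
        if e.get("record_id") in CANARY_RECORDS:   # any canary read is an alarm
            alarms.append(Alarm("canary_access", e["principal"],
                                f"{e['channel']} read {e['record_id']}"))
    for (p, _w), n in denied.items():
        if n >= DENIED_THRESHOLD:
            alarms.append(Alarm("repeated_unauthorised_calls", p,
                                f"{n} denied calls in one window"))
    for (p, _w), n in calls.items():
        if n > RATE_THRESHOLD:
            alarms.append(Alarm("request_rate", p, f"{n} calls in one window"))
    for (p, _w), n in rows.items():
        if n > VOLUME_THRESHOLD:
            alarms.append(Alarm("retrieval_volume", p,
                                f"{n} rows retrieved in one window"))
    return alarms


def _ev(ts, principal, outcome="ok", record_id="rec-7f3a", rows=1,
        channel="service_api", **extra):
    """Build one constructed JSON log line."""
    e = {"ts": ts, "principal": principal, "channel": channel, "action": "read",
         "outcome": outcome, "record_id": record_id, "rows": rows}
    e.update(extra)
    return json.dumps(e)


# Constructed sample log (timestamps are epoch seconds).
SAMPLE_LOG = [
    _ev(1000, "svc-orders"),
    _ev(1001, "svc-orders", rows=20),
    _ev(1002, "ops-admin-7", channel="admin_dashboard",
        record_id="rec-canary-0001"),                 # canary record read
    _ev(1003, "svc-export", outcome="denied"),
    _ev(1004, "svc-export", outcome="denied"),
    _ev(1005, "svc-export", outcome="denied"),       # third denial in window
    _ev(1010, "svc-export", rows=1500),              # bulk retrieval
    _ev(1040, "batch-job", channel="storage_api",
        email="someone@example.com"),                # Personal Data in log
] + [_ev(1020 + i, "scraper-42") for i in range(6)]  # 6 calls in one window

if __name__ == "__main__":
    for a in detect_alarms(SAMPLE_LOG):
        print(f"{a.rule:30} {a.principal:12} {a.detail}")
```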