Data Processing Agreement

JKT48Connect's Data Processing Agreement (DPA) for customers who use the JKT48Connect API to build applications on behalf of their users.

Last updated: March 3, 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the JKT48Connect Terms of Service between JKT48Connect ("JKT48Connect", "we", "us") and the customer ("Controller", "you"). It applies where JKT48Connect processes personal data on your behalf as part of the JKT48Connect API service.

1. Definitions

  • Applicable Data Protection Law means any applicable privacy or data protection legislation, including UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP) and other applicable regulations.
  • Controller means you, the customer, who determines the purposes and means of processing.
  • Processor means JKT48Connect, who processes data on your behalf.
  • Personal Data, Processing, Data Subject, and Supervisory Authority have the meanings given under applicable data protection law.
  • Sub-processor means any third party engaged by JKT48Connect to process Personal Data in connection with the service.

2. Our approach to privacy

JKT48Connect is built to minimize personal data collection by design. The API does not collect end-user cookies or persistent browser identifiers. API usage data (request logs, IP addresses of API callers) is collected solely for security, abuse prevention, and rate limiting purposes and is not retained beyond 30 days.

The data we store per API request is:

  • API key identifier (hashed reference, not the raw key)
  • Endpoint called and HTTP method
  • Response status code and latency
  • Timestamp of the request
  • Hashed IP address of the API caller (discarded after 30 days)

JKT48 member data served through the API (profiles, schedules, live stream data) is sourced from publicly available information and does not constitute personal data processed on behalf of the Controller's end users.

We provide this DPA for customers who require it for their own compliance documentation and records of processing activities.

3. Scope and roles

JKT48Connect acts as a Processor when processing data on behalf of the Controller. You act as the Controller for any personal data you collect from your application's users using data obtained from the JKT48Connect API.

4. Processor obligations

JKT48Connect commits to the following:

  • Process Personal Data only on your documented instructions and for no other purpose.
  • Ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain technical and organizational measures in accordance with Section 7 of this DPA.
  • Not engage a Sub-processor without your prior general or specific written authorization, and flow down equivalent data protection obligations to any Sub-processor.
  • Assist you, where reasonably possible, in responding to Data Subject requests to exercise their rights under applicable law.
  • Notify you without undue delay (and no later than 48 hours) upon becoming aware of a Personal Data breach.
  • Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by you or your designated auditor, subject to reasonable notice and confidentiality obligations.
  • At your choice, delete or return all Personal Data upon termination of the service.

5. Your obligations as Controller

You confirm that:

  • You have a lawful basis for the processing described in this DPA.
  • You have provided appropriate privacy notices to your end users.
  • You are responsible for the accuracy and lawfulness of the data you instruct JKT48Connect to process.
  • You will not use the JKT48Connect API to collect, store, or process special categories of personal data without appropriate safeguards.

6. Sub-processors

JKT48Connect uses the following sub-processors to deliver the service.

| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | API hosting and edge infrastructure | Global (Singapore region primary) |
| Cloudflare Inc. | CDN, DDoS protection, and DNS | Global |
| Supabase Inc. | Database and authentication | Singapore |

We will inform you of any intended changes to this list (additions or replacements) with reasonable notice, giving you the opportunity to object.

7. Technical and organizational measures

JKT48Connect implements the following measures:

Data minimization and anonymization

  • IP addresses of API callers are hashed immediately on ingestion and discarded in raw form. Hashed values are retained for no more than 30 days.
  • API keys are stored as salted hashes. The raw key is only shown to the user once at creation and never stored in plaintext.
  • No end-user cookies or persistent cross-device identifiers are set by JKT48Connect.

Access control

  • Dashboard and API management access is protected by authentication and role-based access control.
  • Production systems are accessible only to authorized personnel.

Encryption and transport security

  • All data is transmitted over HTTPS (TLS 1.2+).
  • Data at rest is encrypted using AES-256.

Infrastructure and availability

  • Primary infrastructure is hosted in the Singapore region to minimize latency for Indonesian and Southeast Asian users.
  • Regular automated backups are performed daily.

Incident response

  • We maintain procedures for detecting, reporting, and investigating Personal Data breaches.
  • In the event of a breach affecting your data, we will notify you within 48 hours of becoming aware.

8. International data transfers

JKT48Connect's primary infrastructure is located in Singapore. Controllers based in Indonesia should note that data may be processed outside Indonesia. JKT48Connect ensures appropriate safeguards are in place for any such transfers in accordance with applicable data protection law, including UU PDP.

9. Data retention and deletion

API request logs are retained for a maximum of 30 days and then permanently deleted.

Account data (email, API key hashes, usage statistics) is retained for the duration of the active account.

You can delete your account and all associated data at any time from within the dashboard. Upon account termination we will delete your data within 30 days unless we are required by law to retain it longer.

10. Governing law

This DPA is governed by the laws of the Republic of Indonesia and is interpreted in accordance with applicable Indonesian data protection legislation, including UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP).

11. How to execute this DPA

Using JKT48Connect constitutes acceptance of this DPA as part of our Terms of Service.

If your organization requires a signed copy for your records of processing activities, you can download a pre-signed version below. Fill in your company details and countersign — no need to send it back to us.

Download pre-signed DPA

Contact

For questions about this DPA or data protection at JKT48Connect: