JKT48Connect

Data Processing Agreement

Version 1.0 · Last updated: March 3, 2026

This Data Processing Agreement ("DPA") is entered into between JKT48Connect ("JKT48Connect", "Processor") and the customer identified in the signature block below ("Controller"). It applies where JKT48Connect processes personal data on behalf of the Controller as part of the JKT48Connect API service, and forms part of the JKT48Connect Terms of Service.

1. Definitions

  • Applicable Data Protection Law means any applicable privacy or data protection legislation, including but not limited to UU PDP (Indonesia) and GDPR where applicable.
  • Controller means the customer, who determines the purposes and means of processing.
  • Processor means JKT48Connect, who processes data on the Controller's behalf.
  • Personal Data, Processing, Data Subject, and Supervisory Authority have the meanings given under applicable data protection law.
  • Sub-processor means any third party engaged by JKT48Connect to process Personal Data in connection with the service.

2. Our approach to privacy

JKT48Connect is built to minimize personal data collection by design. The API does not collect end-user cookies or persistent browser identifiers. API usage data (request logs, IP addresses of API callers) is collected solely for security, abuse prevention, and rate limiting purposes and is not retained beyond 30 days.

The data we store per API request is:

  • API key identifier (anonymized reference, not the key itself)
  • Endpoint called and HTTP method
  • Response status code and latency
  • Timestamp of the request
  • Hashed IP address for abuse detection (discarded after 30 days)

JKT48 member data served through the API (profiles, schedules, live stream data) is sourced from publicly available information and does not constitute personal data processed on behalf of the Controller's end users. We provide this DPA for Controllers who require it for their own compliance documentation.

3. Scope and roles

JKT48Connect acts as a Processor when processing data on behalf of the Controller. The Controller is responsible for how they use data retrieved from the JKT48Connect API within their own applications and for ensuring their end users are appropriately informed.

4. Processor obligations

JKT48Connect commits to the following:

  • Process Personal Data only on the Controller's documented instructions and for no other purpose.
  • Ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain technical and organizational measures in accordance with Section 7 of this DPA.
  • Not engage a Sub-processor without prior general or specific written authorization, and flow down equivalent data protection obligations to any Sub-processor.
  • Assist the Controller, where reasonably possible, in responding to Data Subject requests to exercise their rights under applicable law.
  • Notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a Personal Data breach.
  • Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or their designated auditor, subject to reasonable notice and confidentiality obligations.
  • At the Controller's choice, delete or return all Personal Data upon termination of the service.

5. Controller obligations

The Controller confirms that:

  • They have a lawful basis for the processing described in this DPA.
  • They have provided appropriate privacy notices to their end users.
  • They are responsible for the accuracy and lawfulness of the data they instruct JKT48Connect to process.
  • They will not use the JKT48Connect API to collect, store, or process special categories of personal data without appropriate safeguards.

6. Sub-processors

JKT48Connect uses the following sub-processors to deliver the service:

Sub-processor | Purpose | Location
Vercel Inc. | API hosting and edge infrastructure | Global (Singapore region primary)
Cloudflare Inc. | CDN, DDoS protection, and DNS | Global
Supabase Inc. | Database and authentication | Singapore

JKT48Connect will inform the Controller of any intended changes to this list with reasonable notice, giving the Controller the opportunity to object.

7. Technical and organizational measures

Data minimization and anonymization

  • IP addresses of API callers are hashed immediately on ingestion and discarded in raw form. Hashed values are retained for no more than 30 days.
  • API keys are stored as salted hashes. The raw key is only shown to the user once at creation and never stored in plaintext.
  • No end-user cookies or persistent cross-device identifiers are set by JKT48Connect.

Access control

  • Dashboard and API management access is protected by authentication and role-based access control.
  • Production systems are accessible only to authorized personnel.

Encryption and transport security

  • All data is transmitted over HTTPS (TLS 1.2+).
  • Data at rest is encrypted using AES-256.

Infrastructure and availability

  • Primary infrastructure is hosted in the Singapore region to minimize latency for Indonesian and Southeast Asian users.
  • Regular automated backups are performed daily.

Incident response

  • We maintain procedures for detecting, reporting, and investigating Personal Data breaches.
  • In the event of a breach affecting the Controller's data, we will notify them within 48 hours of becoming aware.

8. International data transfers

JKT48Connect's primary infrastructure is located in Singapore. Controllers based in Indonesia should note that data may be processed outside Indonesia. JKT48Connect ensures appropriate safeguards are in place for any such transfers in accordance with applicable data protection law.

9. Data retention and deletion

  • API request logs are retained for 30 days and then permanently deleted.
  • Account data (email, API key hashes, usage statistics) is retained for the duration of the active account.
  • The Controller can delete their account and all associated data at any time from within the dashboard. Upon account termination, JKT48Connect will delete the Controller's data within 30 days unless required by law to retain it longer.

10. Governing law

This DPA is governed by the laws of the Republic of Indonesia and is interpreted in accordance with applicable Indonesian data protection legislation, including UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP).

Annex

Exhibit A: Description of Processing

Nature of processing: Collection and storage of API request logs (endpoint, status, latency, hashed IP) for security and rate limiting purposes. Provision of JKT48 member, theater, live stream, and event data via REST API endpoints.

Purpose of processing: To provide the Controller with access to JKT48 data through the JKT48Connect API for use in their applications. API request logs are processed for security monitoring, abuse prevention, and usage analytics.

Duration of processing: API request logs: 30 days, then permanently deleted. Account data: retained for the duration of the active account. All data deleted within 30 days of account termination.

Categories of data subjects: Developers and organizations using the JKT48Connect API (Controllers). End users of the Controller's applications are not directly processed by JKT48Connect.

Categories of personal data: API key identifiers (hashed), email address (for account), hashed IP addresses of API callers (for abuse detection, retained max 30 days), API usage statistics (endpoint, status, latency, timestamp). No end-user personal data is collected from the Controller's application users.

Special categories of data: None. The Controller is responsible for ensuring no special category data is transmitted via API request parameters.

Sub-processors: Vercel Inc. (Singapore) — API hosting; Cloudflare Inc. (Global) — CDN and DDoS protection; Supabase Inc. (Singapore) — database and authentication

Execution

Signatures

Processor

JKT48Connect

Indonesia

Signature

Valzy Nathaniel signature

Name

Valzy Nathaniel

Title

Founder

Date

March 3, 2026

Controller

Company

Signature

Name

Title

Date

JKT48Connect · priority@jkt48connect.com · jkt48connect.com/dpa