Data Protection Policy
Last Updated: 2025-07-02
Language Supported:
English /
简体中文 /
繁體中文 /
Bahasa Indonesia /
ไทย
Protecting our users’ privacy is extremely important to us. With this in mind, we’re providing this Shopee Open Platform Data Protection Policy to explain our practices and requirements regarding the collection, use and disclosure of information through the Shopee Open Platform. This Data Protection Policy sets out the minimum requirements for any persons or businesses that use or access data through the Shopee Open Platform, including the required security and data handling requirements, as well as the consequences of violating this policy. Please make sure you have read carefully and understand these terms. This Shopee Open Platform Data Protection Policy should be read together with the Shopee Open Platform Terms of Service, the Shopee Open Platform Platform Partner Rules and any other applicable terms in relation to your use of the Shopee Open Platform (together the “Platform Terms”). The Platform Terms are incorporated by reference into any agreement or contract we have with you (including without limitation, any Developer Agreement) and will apply notwithstanding any conflicting terms in such agreement or contract.
1. Purpose and Scope
1.1 This Shopee Open Platform Data Protection Policy ("DPP") prescribes the minimum data protection and information security standards that you and your personnel must meet and maintain in order to protect Protected Data from unauthorised use, access, disclosure, theft, manipulation, reproduction, any security breaches or otherwise.
1.2 You shall be fully responsible for ensuring that you, your personnel and your users consent to and comply with this DPP. Any act or omission by any of your personnel or your users amounting to a breach of this DPP shall be deemed a breach by you. In the event of any such breach Shopee may terminate your use of the Platform without any liability to Shopee. In addition, to the fullest extent permissible under applicable law, you will indemnify, defend and hold Shopee harmless from and against all liabilities, costs, damages, claims and expenses relating to such breach or your termination from the Platform.
1.3 Capitalised terms used but not defined herein shall have the meaning set forth in the Terms of Service.
1.4 This DPP applies in conjunction with other notices, contractual clauses, consent clauses that apply in relation to the collection, storage, use, disclosure and/or processing of your personal data by us and is not intended to override those notices or clauses unless we state expressly otherwise.
1.5 By registering for an account (“Account”) with us, using the Platform, or accessing the Services, you acknowledge and agree that you accept the practices, requirements, and/or policies outlined in this DPP and the terms described herein. If we change our DPP, we will post those changes or the amended DPP on our Platform. We reserve the right to amend this DPP at any time. To the fullest extent permissible under applicable law, your continued use of the Platform shall constitute your acknowledgment and acceptance of the changes made to this DPP.
2. Definitions
"API" means the application programming interfaces made available by Shopee via the Platform.
"Application" means the software application, website or other interface that you develop, own or operate and which involves the use of any API.
"Data" means information and any other material (including databases, text, graphics, photographs, animations, audio, music, video, links or other content) made available by any member of the Shopee group to its users.
"Data Centre" means any location, whether owned by you or a third party, at which data Processing or transmission functions are being provided in support of your Application.
"Data Subject" means the person who is the subject of Personal Data.
"Incident" means any impairment, compromise or breach of the security of any Shopee Content, including but not limited to any actual or suspected (i) misuse of Shopee Content; or (ii) unauthorised access to or attempt to access Shopee Content.
"Personal Data" means data from which an individual can be identified as provided under applicable privacy laws, including the Personal Data Protection Act 2012 (No. 26 of 2012).
"Platform" means the online platform owned and operated by Shopee as part of the Shopee Open Platform program.
"Processing" means any operation or set of operations which is performed upon Data, whether by automatic means or not, including but not limited to collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and the terms "Process" and "Processes" shall be construed accordingly.
"Protected Data" means Shopee Content and any Personal Data collected or transmitted through your Applications.
“Restricted Data” means any highly sensitive or regulated information (i) that is restricted by Shopee to a limited group of persons on a need to-know basis, and (ii) whose access or whose release would likely have a material adverse financial or reputational effect on Shopee, its customers or clients, including but not limited to Shopee users’ Personal Data, promotion-related or sales-related commercial performance data (either individually or aggregated), operation performance data (either individually or aggregated), order information, marketing information, income or payment information, take-up rates for any Shopee paid programs, statistics relating to the performance (financial or otherwise) of any Shopee services, data comparing user utilisation of Shopee’s services or the services of any third-party, and any other information as may be prescribed by Shopee from time to time.
"Security Breach" means any actual or suspected impairment, compromise or breach of security of any system (including any System used by you or your personnel) containing Shopee Content, for example, any (i) misuse; (ii) loss; (iii) destruction; or (iv) unauthorised access, collection, retention, storage or transfer, of Shopee Content.
"Security Officer" has the meaning given to it under Section 4.3.
"Shopee Content" means all Data stored in and retrieved from the databases of the Shopee group, which may include Personal Data, and does not include information that you obtain independent of the Shopee group by lawful means.
"Sub-processor" means any of your personnel that processes Shopee Personal Data.
"Systems" has the meaning given to it under Section 5.1.
"Terms of Service" means the Shopee Open Platform Terms of Service.
3. Restricted Data
Under no circumstances shall you or any of your personnel access, receive, transmit, disclose, process or store (or attempt to do any of the aforementioned) Restricted Data, except in accordance with Shopee's Terms of Service and Privacy Policy and in connection with specific user transactions on the Platform. Such information shall not include Payment Card Industry (“PCI”) regulated data. In the event of any breach of this Clause 3 by you, you agree to defend, indemnify and hold harmless Shopee and its affiliates, and its and their respective officers, directors, employees, and agents from and against any and all liabilities, damages, judgments, costs, expenses, and fees (including reasonable and justified attorney’s fees) resulting from any third party claims, investigations, legal or administrative action, or litigation to the extent arising out of or relating to your breach of this Clause 3. Notwithstanding, because of the unique nature of the Restricted Data, you understand and agree that we will suffer irreparable harm in the event that you or your personnel fails to comply with any of your obligations hereunder, that monetary damages alone may be inadequate to compensate us for such a breach and that in addition to any other legal remedies, we shall be entitled to equitable relief, including injunction and specific performance, as a remedy for any such breach. You and your personnel agree to waive any requirement for the securing or posting of any bond in connection with such remedy. You shall reimburse us for all costs and expenses incurred in connection with its enforcement of this DPP.
4. Security Management
4.1 You will develop, implement, maintain and enforce a written information privacy and security program that:
- (a) aligns with industry recognised frameworks as may be designated by Shopee from time to time;
- (b) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Shopee Content and Personal Data;
- (c) is appropriate to the nature, size and complexity of your business operations; and
- (d) complies with any applicable laws that apply to you in any jurisdiction.
4.2 You will provide details of any major change to your security program that may adversely affect the security of any Protected Data. Such details must be communicated in writing to Shopee (through the email address provided in Section 9) within ten (10) business days before such change is implemented.
4.3 You will designate a senior employee to be responsible for overseeing and carrying out your security program and for communicating with Shopee on information security matters (the “Security Officer”).
4.4 Upon Shopee’s request, the Security Officer will provide Shopee with the contact information of one or more your representatives who will be available to discuss any security concerns (e.g. discovered vulnerability, exposed risk, reported concern) with Shopee and to communicate the level of risk associated with such concerns and any remediation thereof. Such representative shall be available during normal business hours. Any changes to the contact information of the Security Officer or designated representatives must be communicated in writing to Shopee (through the email address provided in Section 9) within twenty-four (24) hours.
4.5 You shall ensure that each of your personnel:
- (a) consents to its compliance with this DPP before being given access to any Shopee Content;
- (b) complies with this DPP at all times;
- (c) is given all reasonable resources and training to comply with this DPP; and
- (d) provides their services with promptness, diligence, due care and skill and at all times in accordance with the best industry and professional standards and practices used in well-managed establishments, agencies, or operations involving the performance of similar services.
4.6 You must implement fine-grained access control mechanisms to allow granting rights to any party using your Application (e.g., access to a specific set of data at its custody) and the Application's operators (e.g., access to specific configuration and maintenance APIs such as kill switches) following the principle of least privilege. Application sections or features that vend Personal Data must be protected under a unique access role, and access should be granted on a "need-to-know" basis.
4.7 You must gather logs to detect security-related events (e.g., access and authorization, intrusion attempts, configuration changes) to your Applications and systems. You must implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Shopee Content. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs themselves should not contain Personal Data and must be retained for at least 90 days for reference. You must build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). You should perform an investigation when monitoring alarms are triggered, and this should be documented in your Incident response plan.
5. Logical Security
5.1 The logical security processes in this Section 5 apply to all systems used by you or your personnel to access Process, store or maintain any Protected Data, including any third party hosted systems and any system that can connect to the system on which Shopee Content is stored via any form of communication interface (collectively, the "Systems").
5.2 You and your personnel shall at all times employ access control mechanisms that:
- (a) prevent unauthorised access to Protected Data;
- (b) limit access of Protected Data to your personnel a need-to-know basis;
- (c) allow access to information and resources only to the extent allowed under the Terms of Service; and
- (d) are capable of detecting, logging, and reporting (i) access to the System; and (ii) any Security Breach or attempt to breach security of any System.
5.3 In respect of any of your personnel, you shall revoke the relevant person's access to physical locations, Systems, and applications that contain or Process Protected Data within twenty-four (24) hours of the cessation of the relevance or need for such access by such person.
5.4 Each of your personnel must have an individual account that authenticates that individual’s access to Protected Data. You must not allow sharing of accounts.
5.5 Access controls and passwords must be configured in accordance with industry standards and best practices.
5.6 You will review, at least once per annum, access controls for any System that contains Protected Data. The relevant access processes in respect of such System, including the process to establish and delete individual accounts should be documented in your written information privacy and security program (referred to in Section 4.1 above).
5.7 You will require two-factor authentication for remote access to any network storing, transmitting, or containing Protected Data.
5.8 You shall do the following to ensure telecommunication and network security:
-
(a) deploy appropriate firewall technology in the operation of your Applications, sites, and protect and authenticate traffic between Shopee using industry standard cryptographic technologies;
-
(b) review firewall rule sets annually to ensure that legacy rules are removed and active rules are configured correctly;
-
(c) deploy intrusion detection and prevention systems in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host;
-
(d) deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year;
-
(e) establish and maintain appropriate network segmentation to restrict network access to Systems storing Protected Data, and prohibit direct connections from public networks into any network segment storing Shopee Content.
-
(f) in the event that you deploy a wireless network, you will configure and maintain the use, configuration and management of wireless networks to meet the following:
-
(i) all wireless devices shall be protected using appropriate physical controls to minimise the risk of theft, unauthorised use, or damage;
-
(ii) network access to wireless networks shall be restricted to those authorised;
-
(iii) access points shall be segmented from an internal, wired LAN using a gateway device;
-
(iv) the service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value;
-
(v) encryption of all wireless connections will be enabled using industry standard encryption algorithms (i.e. WPA2/WPA with 802.1X authentication and AES encryption);
-
(vi) if supported, auditing features on wireless devices shall be enabled and resulting logs shall be reviewed periodically by designated staff or a wireless intrusion prevention system. Logs must be retained for ninety (90) days or longer; and
-
(vii) SNMP shall be disabled if not required for network management purposes. If SNMP is required for network management purposes, SNMP will be read-only with appropriate access controls that prohibit wireless devices from requesting and retrieving information and all default community strings will be changed; and
-
(g) maintain a program to detect rogue access points at least quarter-yearly to ensure that only authorised wireless access points are in place; if you have not deployed a wireless solution, you are still required to conduct this quarterly audit to ensure that user-deployed wireless access points are not in use.
5.9 All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server, and virus definitions shall be updated within twenty-four (24) hours of release by the anti-virus software vendor. You will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of Shopee or your computing environment.
6. Systems Development and Maintenance
6.1 You shall maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that Process or store any Protected Data. You must employ documented secure programming guidelines, standards, and protocols in the development of applications that Process or store any Protected Data. You shall be responsible for verifying that all development staff have been successfully trained in secure programming techniques. Your personnel must be trained on all current application vulnerabilities, including how to recognise these issues and how to remediate them.
6.2 You will employ an effective, documented change management program with respect to services provided pursuant to the Terms of Service or any of your Applications. This includes logically or physically separate environments from production for all development and testing. No Protected Data will be transmitted, stored or Processed in a non-production environment.
6.3 You must run internal and external network vulnerability scans at least quarter-yearly and following any material change in the network configuration. Vulnerabilities identified and rated as high risk by you must be remedied within ninety (90) days of discovery.
6.4 For all internet-facing applications that collect, transmit or display Shopee Content, you agree to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognised organisations, annually and for all major releases. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review.
6.5 For all mobile applications that collect, transmit or display Shopee Content, you agree to conduct an application security assessment review to identify and remediate industry-recognised vulnerabilities specific to mobile applications.
6.6 You must use a qualified third party to conduct the application security assessments. You may alternatively conduct the security assessment review yourself, provided that your personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by Shopee in writing. Vulnerabilities identified and considered as high risk by you will be remedied within ninety (90) days of discovery.
6.7 You will patch all workstations and servers with all current operating system, database and application patches deployed in your computing environment according to a schedule predicated on the criticality of the patch. You must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed thirty (30) days from the date of release.
7. Email Security
If you are sending emails to your users, appropriate email identity solutions will be utilised.
8. Security Assessments and Audits
8.1 You shall declare and submit to Shopee a declaration of all Systems and key IT assets which Process and/or store any Shopee Personal Data or other Restricted Data, in a format to be specified by Shopee (including the IP address of application servers, database servers, etc.) within ten (10) days of receiving any such request. In the event of any changes or additions to the declared list, you agree to declare any such changes or additions to Shopee within ten (10) days.
8.2 You agree that Shopee may, from time to time, perform a security audit (i.e., vulnerability scans), of your Systems and key IT assets which Process and/or store any Shopee Personal Data or other Restricted Data. If Shopee identifies any vulnerabilities, exposed data or other security concerns, you agree to take prompt and sufficient steps to correct the issue immediately.
8.3 You agree, upon reasonable notice, to allow your data processing facilities, procedures and documentation to be inspected by Shopee (or its designee) in order to ascertain compliance with applicable laws, this DPP, or any agreements between you and Shopee. You agree to provide Shopee access to relevant knowledgeable personnel, physical premises, documentation, infrastructure, and application software.
8.4 You agree, upon reasonable notice, to submit to Shopee a penetration test report administered by a third-party vendor approved by Shopee, and to bear all costs and expenses to obtain the penetration test report.
8.5 You shall fully cooperate with the security checks, audit efforts and requests from Shopee in accordance with the preceding paragraphs. Any violation of the above, including any failure to cooperate or failure to take sufficient remedial action in response to any issues that are detected, is a violation of this DPP and, without limitation to any other remedy available, will result in immediate termination of your use of the Services.
9. Incident Response and Notification Procedures
9.1 You will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. Upon discovering or otherwise becoming aware of an Incident and/or Security Breach that may put Shopee Content at risk, you shall take all reasonable measures to mitigate the harmful effects of the Incident. You shall also notify Shopee of the Security Breach as soon as practicable, but in no event later than twenty-four (24) hours after the Security Breach, to ssrc@sea.com. Such notification shall include:
- (a) the identification of the Shopee Content which has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Incident;
- (b) a description of what happened, including the date of the Incident and the date of discovery of the Incident, if known;
- (c) the scope of the Incident, including a description of the type of Shopee Content involved in the Incident;
- (d a description of your response to the Incident, including steps you have taken to mitigate the harm caused by the Incident; and
- (e) other information as Shopee may reasonably request.
9.2 You must ensure that affected third parties are notified of the Security Breach, at Shopee’s sole discretion, either by notifying such third parties after Shopee has reviewed and approved the language and method of notice, or by enabling Shopee to notify such third parties itself. You agree to cover the costs of any such notification, including reimbursing Shopee for any reasonable costs such as to provide credit monitoring to affected Data Subjects.
9.3 You will retain all data related to known and reported Incidents or investigations indefinitely or until Shopee notifies you that the image is no longer needed. Upon Shopee’s request, you will permit Shopee or its third party auditor to review and verify relevant records, access logs and data pertaining to any Incident investigation. Upon conclusion of investigative, corrective, and remedial actions with respect to an Incident, you will prepare and deliver to Shopee a final report that describes in detail:
- (a) the extent of the Incident;
- (b) the Shopee Content disclosed, destroyed, or otherwise compromised or altered;
- (c) all supporting evidence, including, but not limited to, system, network, and application logs;
- (d) all corrective and remedial actions completed; and
- (e) all efforts taken to mitigate the risks of further Incidents.
10. Storage, Handling, and Disposal
You will take each of the below measures and agree to securely store, handle, and dispose of all Shopee Content, Personal Data, Protected Data, and Restricted Content that is subject to this DPP.
10.1 You will physically or logically separate and segregate Shopee Content from your other clients’ data.
10.2 You will utilise industry standard encryption algorithms and key strengths to encrypt:
- (a) all Protected Data that is in electronic form while in transit over all public wired networks (e.g., the internet) and all wireless networks;
- (b) passwords with irreversible industry standard algorithms, with randomly generated "salt" added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings; and
- (c) any mobile devices used outside of a Data Centre (e.g., laptop, desktop tablet) to perform any services pursuant to the Terms of Service or any of your Applications.
10.3 To the extent you are operating a Data Centre or utilising a third party Data Centre, you will comply with physical security controls outlined in one or more of the following industry standards: ISO 27001, SSAE 16 or ISAE 3402, or PCI-DSS.
10.4 Except where prohibited by applicable laws, upon the earliest of (i) the termination of the Terms of Service; (ii) the cessation of the need of any Protected Data for the purposes of the Terms of Service; or (iii) at any time upon written request from Shopee, you will:
- (a) promptly remove the Protected Data from your environment and destroy it within a reasonable timeframe, but in no case longer than thirty (30) days thereafter,
- (b) sanitise or destroy, as required in Section 10.5, all media used to store Protected Data, and
- (c) provide Shopee a written certification regarding such removal, destruction, and/or cleaning upon request.
10.5 You will utilize TLS 1.2 or above and will provide a secure, encrypted communication channel between yourself and your clients for any communications containing or in respect of any Protected Data. If for any reason, Shopee becomes aware that you are not using TLS-enabled communications, Shopee will provide written notice requesting rectification, following receipt of which you agree to rectify the communication channel within 30 days. Failure to take sufficient remedial action in response to any issues that are detected is a violation of this DPP and, without limitation to any other remedy available, will result in immediate termination of your use of the Services.
10.6 You shall not retain or store any Personal Data and Restricted Data (including but not limited to the Customer Name, Phone Number, Email Address, and Address) that is subject to this DPP for any period of time longer than is necessary to fulfil the purposes set out in this Agreement and in any event, no longer than 90 days or as otherwise required under applicable laws. Upon the expiry of the applicable retention period, all data must be disposed of in accordance with Clause 10.7 below.
10.7 You shall dispose of the relevant Protected Data once it is no longer necessary to retain it for the purposes of this Agreement or once the applicable legal retention period has expired, whichever is earlier, in a manner that ensures the data is securely and permanently deleted. Protected Data should be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media. You will destroy any equipment containing Protected Data that is damaged or non-functional. All Protected Data must be rendered unreadable and unrecoverable regardless of the form (physical or electronic).
11. Ownership and Use
11.1 You acknowledge and agree that you have no ownership of, or right to use, Shopee Content other than as expressly permitted under the Terms of Service or as authorised by Shopee in writing. For the avoidance of doubt, you have no right to copy, use, reproduce, display, perform, modify or transfer Shopee Content or any derivative works thereof, except as expressly provided in the Terms of Service or as expressly authorised by Shopee in writing.
11.2 You acknowledge and agree that you will not use (or permit any third party to use) the Shopee Content for any purpose other than as expressly provided in the Terms of Service.
12. Payment Card Industry Compliance
12.1 This Section 12 applies whenever you transmit, Process, handle, access, maintain, or store credit card holder’s information in the course of providing services pursuant to the Terms of Service or any of your Applications.
12.2 You shall comply with and have a program to ensure that you continue to comply with, or enter into an agreement with a third party provider of payment processing services that requires compliance with, the Payment Card Industry Data Security Standards ("PCI-DSS") published by the PCI Security Standards Council. You must, if requested, provide audit evidence to show such compliance with the PCI-DSS prior to access to relevant Shopee API(s).
12.3 You must comply with this Section 12 at all times. This requirement will survive the termination of the Terms of Service until you return, destroy, or cause the destruction of any and all credit card holder’s information in its possession, custody, or control.
12.4 You will provide Shopee with evidence of full compliance with the PCI-DSS upon request.
13. Governing Law; Disputes
13.1 Use of the Platform and/or the Services and these Terms of Use shall be governed by and construed in accordance with Singapore law, without regard for conflict of laws principles.
13.2 Unless otherwise required by applicable law, any dispute, controversy, claim or difference of any kind whatsoever arising out of or relating to this DPP, including any claims as to its formation, validity, existence, breach or termination, shall be referred to and finally resolved by arbitration in Singapore in accordance with the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference in this Section. Notwithstanding anything to the contrary in this Agreement, the law of this arbitration clause shall be Singapore law, and the seat of the arbitration shall be Singapore. The arbitration tribunal shall consist of three arbitrators. Each party shall nominate an arbitrator, and if one party fails to appoint an arbitrator within thirty (30) days of the notice of the nomination of an arbitrator by the other party then that arbitrator shall be appointed in accordance with the SIAC Rules. The third arbitrator, who shall act as chairman of the tribunal, shall be chosen by the two arbitrators appointed by or on behalf of the parties. If the third arbitrator is not chosen and nominated within 30 days of the date of appointment of the later of the two party-appointed arbitrators to be appointed, such arbitrator shall be appointed in accordance with the SIAC Rules. The language of the arbitration shall be English. The arbitral award made and granted by the arbitration tribunal shall be final, binding and incontestable. You irrevocably submit to the jurisdiction of the Singapore courts for purposes of compelling and/or enforcing the terms of this provision or the enforcement of any arbitration award.
14. Processing of Personal Data
14.1 You shall Process Personal Data in accordance with applicable laws, and at all times maintain, and ensure compliance with, privacy policies which meet the minimum standards under the applicable laws.
14.2 Prior to sharing any Personal Data with Shopee, you shall ensure that Data Subjects are appropriately notified of and have consented to Shopee’s privacy practices. You warrant that you have a legitimate basis and adequate title to collect and share Personal Data with Shopee.
14.3 The following provisions shall apply to the Processing of Personal Data which was obtained or derived from any Shopee Content:
- (a) In relation to such Personal Data, as between you and Shopee, you are a data intermediary and shall Process the Personal Data on behalf of Shopee in accordance with this DPP.
- (b) You shall Process Personal Data only to the extent, and in such manner, as is required to develop, operate and maintain your Applications in accordance with the Terms of Service and Shopee’s written instructions.
- (c) You are authorised to use Sub-processors, provided that you (i) enter into an agreement with the Sub-processor imposing data protection obligations on the Sub-processor that are at least as restrictive as the obligations under this DPP, (ii) undertake to provide a copy of the aforesaid agreement to Shopee promptly upon request, and (iii) shall remain liable for any act or omission of any Sub-processor that does not comply with the requirements of this DPP.
- (d) You shall not cause or permit any Personal Data to be transferred across borders in breach of applicable laws. Cross-border transfers of Personal Data subject to legal restrictions by applicable laws shall require Shopee’s prior written consent. For the avoidance of doubt, this transfer restriction does not pertain to Shopee personnel access to Personal Data.
- (e) To the extent legally permitted, you shall immediately notify Shopee in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Personal Data to any third party. You shall not disclose Personal Data to the third party without providing Shopee at least forty-eight (48) hours’ notice, so that Shopee may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure. Notwithstanding the foregoing, you will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Personal Data; additionally, you will cooperate with Shopee with respect to any action taken pursuant to such order, demand, or other document request, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Personal Data.
- (f) You agree that Shopee may for any reason, in its sole discretion and with or without notice or liability to you, immediately suspend or terminate your Account or access to the Platform and Services, remove or discard from the Site any Content associated with your Account, and/or take any other actions that Shopee deems necessary to protect itself and any Protected Data. Grounds for such actions may include, but are not limited to, actual or suspected (a) extended periods of inactivity, (b) violation of the letter or spirit of this DPP, (c) security failures by you, including failure to cooperate in any security audit or to take reasonable remediation steps required by Shopee, (d) any data leakage or loss attributable to you or your clients, or (e) any other behaviour that is harmful to Shopee’s Users, third parties, or the business interests of Shopee. Use of an Account for illegal, fraudulent, harassing, defamatory, threatening or abusive purposes may be referred to law enforcement authorities without notice to you. Without limitation to any other remedy available, if a legal dispute arises or law enforcement action or other regulatory inquiry is commenced relating to your Account or your use of the Services for any reason, Shopee may terminate your Account immediately with or without notice.
- (g) Without limitation to any other remedy or indemnity available under the Terms of Service, you agree to indemnify, defend and hold harmless Shopee, and its shareholders, subsidiaries, affiliates, directors, officers, agents, co-branders or other partners, and employees (collectively, the "Indemnified Parties") from and against any and all loss, claims, actions, proceedings, and suits and all related liabilities, damages, settlements, penalties, fines, costs and expenses (including, without limitation, any other dispute resolution expenses) incurred by Shopee or any Indemnified Party arising out of or relating to, without limitation: (a) your violation or breach of any term of this DPP or any policy or guidelines referenced herein, (b) your use or misuse of the Platform, any Shopee Content, Restricted Data, Protected Data and/or Personal Data, and (c) your breach of any law or any rights of a third party, including any applicable data protection laws.
15. Effective Period
Your obligations and Shopee’s rights under this DPP shall become effective from the date you access the Platform, and will continue in effect until the termination of the Terms of Service and for any period thereafter during which you and your personnel have possession of or access to any Protected Data.