Important Notice: This DPA is provided as an optional agreement for Customers that require a data processing agreement under applicable data protection laws (e.g., GDPR, UK GDPR).
This DPA does not apply by default. It only becomes binding if:
• The Customer completes and signs Annex I.A and submits it to Chinafy; OR
• The Agreement (e.g., an Enterprise Order Form) explicitly incorporates this DPA by reference.
• Where this DPA is not executed, Chinafy does not act as a Data Processor under GDPR or UK GDPR and provides Services solely as a technical optimization and delivery platform.
1. Purpose and Scope
This DPA governs Chinafy’s processing of Personal Data only when executed by the Customer. When effective, it supplements the main Agreement between the parties.
2. Definitions
• “Data Protection Laws” refers to GDPR, UK GDPR, and other applicable data protection laws.
• “Personal Data,” “Controller,” “Processor,” and related terms have the meanings given under the GDPR.
3. Roles of the Parties
• The Customer acts as Controller (or Processor on behalf of a third-party Controller).
• Chinafy acts as a Processor (or Sub-Processor), only upon execution of this DPA.
4. Nature of Processing
• Purpose: Delivery, caching, optimization, and transmission of web content via Chinafy
• Duration: Throughout the service period and 60 days thereafter
• Data Types: HTTP headers, metadata, content, cookies, logs
• Data Subjects: Visitors to Customer sites, authorized users, employees, contractors
Chinafy does not inspect, classify, or differentiate content. It acts as a pass-through delivery layer. Customer is solely responsible for applying classification, legal labels, and compliance mechanisms to transmitted content.
5. Obligations of Chinafy
When this DPA is executed, Chinafy agrees to:
• Process Personal Data only in accordance with the Agreement and this DPA.
• Maintain confidentiality and restrict access to authorized personnel.
• Implement security measures (see Annex II).
• Notify the Customer of any Personal Data Breach.
• Assist with lawful Data Subject Requests, where required.
• Delete or return Personal Data within 60 days after termination unless required to retain by law.
6. Sub-Processing
Chinafy uses Sub-Processors listed in Annex III.
Customers may object to new Sub-Processors within 10 days of notice.
Chinafy remains liable for Sub-Processor compliance.
7. International Transfers
If the DPA is executed:
• EEA Transfers: Governed by the EU 2021 Standard Contractual Clauses (SCCs), included below.
• UK Transfers: Governed by the UK International Data Transfer Addendum (Addendum B1.0).
• Transfers from other jurisdictions follow appropriate legal safeguards (e.g., consent, contracts, adequacy).
8. Security Measures
See Annex II. Key measures include:
• TLS/HTTPS encryption
• IAM access controls
• AWS CloudWatch monitoring
• CDN segmentation and redundancy
• Audit logging and infrastructure hardening
9. Data Retention and Deletion
Chinafy deletes Personal Data within 60 days of termination, unless retention is legally required.
10. Audit Rights
Enterprise Customers may request remote documentation, certifications, and summaries at most once annually.
11. Liability
Chinafy’s liability under this DPA is subject to the limitation of liability in the main Agreement.
12. Governing Law
Unless otherwise agreed:
• EU SCCs: governed by English law
• UK Addendum: governed by UK law
• Other Customers: governed by Hong Kong SAR law
Execution & Legal Effect
This DPA is pre-signed by Chinafy and only becomes legally binding upon:
• Customer’s valid execution of Annex I.A; OR
• Reference to this DPA in a signed Enterprise Agreement or Order Form.
If this DPA is not executed, Chinafy is not a “Processor” and disclaims obligations under applicable data protection laws.
Standard Contractual Clauses (2021)
A. List of Parties
DATA EXPORTER (CUSTOMER)
Legal Name: _____________________
Address: _____________________
Contact: _____________________
Role: Controller / Processor
DATA IMPORTER
Legal Name: Notey Limited
Address: Notey Limited: 4/F, Lee Garden Three, 1 Sunning Road, Causeway Bay, Hong Kong
Contact: privacy@notey.com
Role: Processor / Sub-Processor
Signature (Customer):
Name: _____________________
Title: ______________________
Date: ______________________
B. Description of Transfer
Described in Section 4 above.
C. Supervisory Authority
• EU Customers: Supervisory authority in Customer’s member state
• UK Customers: UK ICO
Annex II – Security Measures (TOMs)
• TLS encryption (HTTPS)
• AWS Shield, IAM controls
• Access restriction to authorized personnel
• Monitoring via AWS CloudWatch
• Segmentation of data environments
Annex III – Sub-Processors
Please see Chinafy’s list of sub processors here: https://www.chinafy.com/subprocessors
UK Addendum Summary
The UK Addendum (version B1.0) applies when Customer is a UK entity. It incorporates the SCCs above with applicable UK-specific governance.
