PieBox← 홈으로 돌아가기

Data Processing Agreement

Last Updated: March 16, 2026

Effective Date: March 16, 2026

Welcome to PieBox !

Introduction

Both parties agree that this Data Processing Agreement ("DPA") outlines their obligations regarding the processing and security of developer data (including personal information contained therein). They also agree that, unless otherwise agreed, the processing and security of data within PieBox products and services are governed by the DPA.

If any terms of the DPA conflict with or are inconsistent with any other data terms in other applicable agreements related to the PieBox website and services (hereinafter referred to as the “PieBox Agreement”), the DPA shall prevail. The DPA terms shall supersede any conflicting terms in the PieBox Privacy Policy that originally applied to the processing of developer data and personal information as defined herein.

We may revise the DPA from time to time. Such revisions constitute part of the DPA and have the same effect as the DPA. After the DPA is updated, we will publish the updated version on the official website and notify you of the updated content through official website announcements or other appropriate means before the updated terms take effect, so that you are aware of the latest version of the DPA. Your continued use of the official website and related services constitutes your acceptance of the entire contents of the revised DPA.

Terms and Definitions

Unless the context otherwise requires, the following terms in DPA have the following meanings:

  • "Developer Data" refers to: (1) all data uploaded by the developer when obtaining or creating a chatbot using PieBox features/services (e.g., database information, plugin/API information uploaded by the developer, etc.), and (2) all data processed by PieBox during the operation of the chatbot after the developer publishes it, including all text, audio, video, or image files and software, as well as data that the developer can control and manage independently derived from using PieBox products or services (e.g., configuration data, operation and maintenance data, etc.).
  • "Personal Information" refers to various information recorded electronically or otherwise relating to an identified or identifiable natural person, excluding anonymized information. Personal information involved in the provision of specific services includes, but is not limited to, personal identification information (name), address, contact number, online identification information (including account name, email address), personal frequently used device information, location information, etc.
  • "Processing of Personal Information" includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information. - "Personal information subject" refers to the natural person identified by the personal information.
  • "Personal information security incident" refers to events such as unauthorized login to a system, unauthorized access, reading, copying, modification, or deletion of personal information, system vulnerabilities, computer viruses, network attacks, and network intrusions that result in the leakage, loss, theft, or alteration of personal information.
  • "Client" refers to an organization or individual (alone, jointly, or in collaboration with others) who independently decides the purpose and method of data processing in the data processing activities.
  • "Entrusted Party" refers to any organization or individual (excluding the principal's employees) that processes data on behalf of the principal; under the DPA, this refers to PieBox.
  • Other relevant terms in the DPA, unless otherwise stated, are defined in the same way as those in the PieBox Agreement. Where no definition is provided, the interpretation shall be based on laws, regulations, administrative rules, national standards.

Data and Personal Information Protection Terms

3.1 Scope of Application

The DPA Terms apply to all PieBox websites and services.

For clarity, the DPA Terms apply only to data processed in environments controlled by PieBox and its authorized sub-delegates, excluding data retained in the developer's environment or any third-party operating environment of the developer's choice.

3.2 Nature and Purpose of Data Processing

PieBox will use and otherwise process developer data and personal information only as described below, and will comply with the limitations of these Terms when: (a) providing the website and services to the developer according to instructions recorded by the developer, and (b) conducting business activities for the purpose of providing the website and services to the developer. Between the parties, the developer has all rights and interests in the developer data. PieBox has no other rights with respect to the developer data except for the rights granted to PieBox by the developer under the DPA and/or the PieBox Agreement. This paragraph does not affect PieBox's rights contained in the services provided to the developer. PieBox will not disclose or allow any person access to processed data unless: (a) authorized or instructed by the developer; (b) as required by this DPA; or (c) required by law. For the purposes of this DPA, “processed data” means: (a) developer data (including personal information); and (b) any other data processed by PieBox in accordance with the PieBox Agreement that is related to the official website and services and constitutes the developer's confidential information. All processing of processed data shall comply with PieBox's confidentiality obligations under the PieBox Agreement.

PieBox will not provide any third party with: (a) direct, indirect, full, or discretionary access to processed data; or (b) platform encryption keys used to secure processed data or the ability to break such encryption.

To comply with the foregoing commitments, PieBox may provide third parties with the developer's basic contact information.

PieBox may use developer data to improve PieBox functionality, provided it has been securely encrypted, strictly de-identified, and cannot be re-identified as a specific individual.

3.3 Personal Information Protection

3.3.1 Scope of Personal Information

All personal information processed by PieBox in connection with the provision of the official website and services will be obtained in the following forms: data provided by the developer or data generated, derived, or collected by PieBox based on developer data and the scenarios in which services and functions are provided, including data sent to PieBox by the developer due to the use of service-based functions or data obtained from products and services provided by PieBox. Personal information includes any personal information that is pseudonymous or de-identified but not anonymous. Anonymous information is not considered personal information, where anonymization means that personal information has been processed in a way that makes it impossible to identify a specific natural person and cannot be restored.

3.3.2 Role and Responsibility of the Entrusted Party and Client

The Developer and PieBox agree that the Developer is the processor and entruster of personal information, and PieBox acts as the entrusted party, acting on the Developer's instructions and purposes, except in the following circumstances: (a) where the Developer acts as the entrusted processor of personal information, in which case PieBox is the Developer's authorized sub-delegator; or (b) as otherwise provided in the terms of the specific product or service or in this DPA.

When PieBox acts as the entrusted party or authorized sub-delegator of personal information, it may only process data in accordance with the Developer's instructions and purposes. The Developer warrants that the personal information it processes is legally sourced and compliant, and that its collection, use, and processing have been legally authorized by the relevant personal information subjects, comply with national laws and regulations regarding personal information protection and data security, and do not infringe upon the legitimate rights and interests of any third party. The Developer also warrants that it has the right to sub-delegate the processing of personal information.

The Developer agrees that the PieBox Agreement (including the DPA terms and any applicable updates), together with the developer's documentation on using and configuring PieBox's related functions and the developer's use of professional services, constitutes the Developer's complete instructions to PieBox regarding the processing of personal information.

3.3.3 Client's Rights and Obligations

  • The client has the right to:
  • If the client learns or discovers that the entrusted party has failed to comply with the provisions of the DPA, the PieBox Agreement, and applicable laws regarding the processing of personal information, or that the entrusted party has failed to effectively fulfill its responsibilities for the protection of personal information security, the client has the right to demand that the entrusted party cease the relevant actions and take or require the entrusted party to take effective remedial measures to control or eliminate the security risks faced by personal information.
  • Unless otherwise stipulated by laws and regulations regarding the retention period of specific information, when a developer cancels their PieBox account or permanently ceases using PieBox services, PieBox shall, in accordance with laws and regulations, process the account-related content and information by means including but not limited to deletion and anonymization.
  • The client undertakes that:
  • It has obtained authorization from the data subject: the client guarantees that all personal information it obtains has a legal basis that complies with legal requirements, so as to legally provide the personal information stipulated in the DPA to the entrusted party for carrying out the agreed personal information processing activities within the scope and purpose of the DPA.
  • The client shall comply with the relevant provisions of the DPA, the PieBox Agreement, and applicable laws regarding personal information processing; as the client, it shall fulfill the relevant obligations of a personal information processor in accordance with relevant legal requirements.
  • The client shall conduct a personal information protection impact assessment before the entrusted party processes the personal information provided by the client to ensure that the entrusted processing and the purpose of the DPA are legal and compliant, and do not infringe upon the legitimate rights and interests of any third party.

3.3.4 Rights and Obligations of the Entrusted Party:

If the entrusted party has justifiable reason to believe that the Client's written instructions regarding personal information processing activities do not meet the needs of personal information security or violate any applicable laws, the entrusted party shall promptly notify the Client and has the right to demand that the Client cease the relevant actions and take or require the Client to take effective remedial measures to control or eliminate the security risks to personal information. The Client shall bear the costs incurred. If the Client fails to resolve the risks and issues described in this clause within a reasonable period, it shall be deemed a material breach of DPA, and the entrusted party shall have the right to unilaterally terminate the DPA and PieBox Agreement.

  • The entrusted party undertakes that:
  • The entrusted party shall comply with the DPA, the PieBox Agreement, and applicable laws regarding the handling of personal information.
  • The entrusted party shall take necessary measures to protect the security of the personal information provided by the Client and assist the Client in fulfilling its legal obligations.
  • The entrusted party shall use and process personal information within the scope stipulated in the DPA.
  • The Client may conduct a personal information security impact assessment of the entrusted data processing activities before implementing these entrusted processing activities. Without harming the legitimate interests of the entrusted party, its affiliates, and all other third parties, the entrusted party shall provide necessary assistance according to the Client's reasonable requests.
  • The entrusted party acknowledges and warrants that it will conduct personal information processing activities on behalf of the Client and will take appropriate measures to ensure that employees authorized to access personal information only process personal information within the scope instructed by the Client.
  • The entrusted party shall require all its staff involved in personal information processing activities and any third-party service providers to strictly keep the entrusted personal information confidential, receive appropriate training, and strictly comply with the provisions of the DPA; (g) The entrusted party shall not process the personal information provided by the client beyond the purpose of the DPA. If the DPA is ineffective, invalid, revoked, or terminated, the entrusted party shall delete or anonymize the personal information provided by the client.

3.3.5 Personal Information Subject Rights Requests

Both parties to the DPA will promptly respond to and process the legal rights requests of personal information subjects in accordance with applicable laws and their respective personal information protection policies. Both parties shall provide each other with necessary assistance: (a) If the entrusted party receives a rights request from a personal information subject, unless prohibited by applicable law, it shall forward the rights request to the client within a reasonable period; (b) If applicable law requires the client to respond to the rights requests of personal information subjects, the entrusted party will fully cooperate with the client to protect the rights of the personal information subjects, and the client shall provide the entrusted party with necessary assistance.

3.3.6 Personal Information Security Incidents

In the event of a personal information security incident during the processing of personal information, both parties shall:

  • Promptly notify the other party, informing them of: (i) the nature of the personal information security incident, including the type and scale of the personal information involved; (ii) the possible consequences of the personal information security incident; and (iii) the remedial measures already taken;
  • Assist the other party in investigating the personal information security incident and provide all relevant records, documents, logs, reports, and other reasonable materials;
  • Promptly take necessary measures to handle the incident in accordance with the emergency response plan;
  • If the personal information security incident involves issues such as the leakage of personal information, the parties shall promptly report to the relevant competent authorities in accordance with applicable laws and regulations and fulfill the obligation to inform the personal information subject as required by laws and regulations.

3.3.7 Security Technology and Access Control

PieBox will implement and maintain appropriate technical and organizational measures to protect developer data (including the personal information involved therein) from accidental or unlawful damage, loss, alteration, unauthorized disclosure, or access to data transmitted, stored, or otherwise processed.

Access to developer data required for service activities is controlled by permissions to ensure that access is only permitted when the purpose reasonably aligns with the needs of the developer's products and services.

3.3.8 Developer Responsibilities

Developers are solely responsible for independently determining whether the technical and organizational measures of their products and professional services meet their requirements, including any security obligations under applicable data protection requirements. Developers acknowledge and agree that, (taking into account the current state of technology, implementation costs, and the nature, scope, context, and purpose of data processing activities and the risks to individuals) PieBox's implemented and maintained security practices and policies provide a level of security commensurate with the data-related risks. Developers are responsible for implementing and maintaining privacy and security measures for components provided or controlled by them.

3.3.9 Security Incident Notification

If PieBox becomes aware of an activity that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to developer data or personal information processed by PieBox (hereinafter referred to as a "Security Incident"), PieBox shall immediately: (a) notify the developer of the Security Incident; (b) investigate the Security Incident and provide the developer with detailed information about the Security Incident; and (c) take reasonable steps to mitigate the impact and minimize the damage caused by the Security Incident without undue delay.

Security Incident Notifications will be sent to developers via any means chosen by PieBox, including email. Developers are solely responsible for ensuring that they provide PieBox with accurate contact information for each applicable product and professional service. Developers are also solely responsible for complying with and fulfilling any third-party notification obligations related to any security incidents.

Developers must immediately notify PieBox of any potential account or authentication misuse or any security incident related to the official website and services.

3.3.10 Data Retention and Deletion

The entrusted party shall not retain and process data for longer than necessary to achieve the agreed data processing purpose, unless otherwise specified by applicable law regarding the retention period of personal information. When a developer cancels their PieBox account or permanently ceases using PieBox services, PieBox will process account-related content and information in accordance with legal and regulatory requirements, including but not limited to deletion and anonymization.

If PieBox has a legal obligation to retain personal information beyond the period stipulated in the DPA, PieBox will delete or anonymize the relevant personal information as soon as possible after the legally required retention period expires, in accordance with the DPA. Upon the expiration of the data processing period or the expiration of legal obligations related to data retention, PieBox will no longer respond to developers' requests for data and personal information processing, except for purposes such as developer billing and account management, and compensation (e.g., calculating employee commissions and partner rewards).

3.3.11 Confidentiality Clause

Except as necessary to achieve the purpose of the DPA, or in accordance with national laws and regulations, or with the authorization of the developer or the consent of the personal information subject, PieBox will not disclose or reveal such information to any specific or unspecified third party in any form, nor will it expressly or impliedly authorize or authorize any specific or unspecified third party to use it.

Personal information stipulated in this agreement may only be used to the extent necessary for the purpose of the DPA and may not be disclosed in any form, including but not limited to: (i) disclosure to entrusted partys, representatives, officers, and employees of the entrusted party who need to know the aforementioned information or the personal information provided by the entrusted party to perform the purpose of the DPA, and to authorized third parties; (ii) disclosure by either party to the DPA when required by a court or based on relevant legal obligations, but only to the minimum extent necessary to comply with the court order or legal obligation.

Validity and Other Matters

4.1 Termination and Consequences

If the Client breaches any obligation under the DPA or any other agreement entered into between the Client and the entrusted party, the entrusted party shall have the right to terminate the DPA immediately by written notice at any time.

The DPA shall automatically terminate on the expiry or termination date of the last agreement between the Client and the entrusted party relating to the Client's request for the entrusted party to process data provided by the Client, without the need for any notice. Upon termination of the PieBox Agreement and the DPA, both parties shall continue to perform their respective legal obligations.

4.2 Other Matters

Regardless of the validity of the PieBox Agreement and its provisions, both parties shall perform their respective rights and obligations in accordance with the DPA when PieBox conducts data processing activities as specified in the DPA.

Any dispute arising out of or relating to the DPA, including any question concerning the continuation, validity, or termination of the DPA, the parties agree that the Dispute shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (SIAC) in accordance with the Arbitration Rules of SIAC in force at that time. The arbitration shall take place in Singapore, and the arbitration proceedings and all pleadings and written evidence shall be in the English language, and judgment upon the award rendered by the arbitrators may be entered in any court having jurisdiction thereof. Except for disputed terms, the continued performance of the other terms of the DPA shall not be affected during the dispute resolution process.

Matters not covered by the DPA may be interpreted in accordance with the PieBox Agreement. In the event of any inconsistency between the DPA and the PieBox Agreement regarding data processing and protection, the DPA shall prevail.