COMMITMENT TO CONFIDENTIALITY AND PERSONAL DATA PROTECTION

Last updated: 29/05/2026

ARTICLE 1. DEFINITIONS AND SCOPE OF APPLICATION

1.1. Definitions

In this Policy, the following terms shall be understood as follows:

a) “VNETWORK”: VNETWORK GROUP PTE. LTD., Unique Entity Number (UEN) 202231335D, with its registered office at 111 North Bridge Road, #17-06 Peninsula Plaza, Singapore (179098).

b) “Data Subject”: The individual to whom personal data relates, including individual customers, representatives of corporate customers, suppliers, partners, job applicants, employees, collaborators, and any individual whose personal data is processed by VNETWORK.

c) “Personal Data”: Digital data or information in other forms that identifies or helps identify a specific individual, including basic personal data and sensitive personal data.

d) “Basic Personal Data”: Includes information as prescribed by law, specifically: full name, date of birth, gender, place of residence, nationality, image, phone number, personal identification number, passport number, driver’s license number, marital status, family information, digital account information, and other information that helps identify a specific individual.

e) “Sensitive Personal Data”: Includes information as prescribed by law, specifically: racial/ethnic origin, political/religious/belief views, private life, health status, biometric data, data relating to sexual life, criminal data, location data, electronic identity account login information, bank account information, financial transaction history, and behavioral tracking data in cyberspace.

f) “Processing of Personal Data”: Any activity affecting personal data, including: collection, analysis, consolidation, encryption, decryption, editing, deletion, destruction, de-identification, provision, disclosure, transfer, and other activities.

g) Legal roles of VNETWORK are determined according to each specific data processing activity:

  • With respect to personal data directly collected and processed by VNETWORK for the purposes of account management, contract execution and performance, payment, customer service, recruitment, human resources management, internal operations, legal compliance, and protection of VNETWORK’s legitimate interests, VNETWORK may act as the Personal Data Controller or as both Personal Data Controller and Processor, depending on the specific context.
  • With respect to personal data of end users, end customers, or third parties submitted, transmitted, stored, or processed through VNETWORK’s CDN, cloud, security, network infrastructure, or other technology services by corporate customers, VNETWORK typically acts as the Personal Data Processor, performing processing pursuant to agreements, service documentation, and lawful instructions of the customer.
  • In cases where VNETWORK acts as the Personal Data Processor, the corporate customer is responsible for ensuring the legal basis, notifications, valid consent where required, and the right to process the end users’ personal data in accordance with applicable law.

1.2. Scope of Application

a) This Policy applies to all individuals whose personal data is processed by VNETWORK, including:

b) Individuals accessing the website www.vnetwork.vn and other websites, platforms, and service portals managed by VNETWORK;

c) Customers, representatives, technical contacts, billing contacts, or users designated by customers when registering and using services;

d) Partners, suppliers, contractors, data processors, or third parties with personal data interactions with VNETWORK;

e) Job applicants, employees, collaborators, interns, and internal personnel;

f) Other individuals whose personal data is processed by VNETWORK in the course of operations, service provision, technical support, system security, or fulfillment of legal obligations.

ARTICLE 2. PERSONAL DATA COLLECTED AND PROCESSED

2.1. Basic Personal Data

VNETWORK may collect and process the following categories of data:

a) Identification information: Full name, date of birth, gender, nationality, job title, employing organization;

b) Contact information: Email address, phone number, mailing address, residential address, or business address;

c) Identity document information: National ID/Citizen ID/Passport number, date of issue, place of issue, where necessary for identity verification, contract execution, or fulfillment of legal obligations;

d) Service account information: Username, customer code, administrative account, encrypted password;

e) Enterprise/organization information: Enterprise name, tax identification number, address, representative information, technical contact, billing contact;

f) Payment information: Payment history, payment status, supporting documents, invoice information, and payment method. VNETWORK does not proactively collect credit card information or bank account data within the scope managed by credit institutions, except where necessary and in accordance with applicable law.

2.2. Technical Data and Automatically Collected Data

In the course of accessing and using services, VNETWORK’s systems may automatically record:

a) IP address, device type, operating system, browser, language, time zone, session identifier;

b) Access logs, system logs, security logs, API logs, and information security monitoring data;

c) Network traffic information, connection metadata, performance parameters, and anomaly events;

d) Access timestamps, pages visited, actions taken on the platform, referral sources, and cookie data;

e) Statistical data, anonymized or de-identified data used for service operation and improvement.

VNETWORK does not use the above technical data to identify, track, or profile individuals beyond the scope necessary for service provision, operation, security, troubleshooting, fraud prevention, legal compliance, or the purposes notified in this Policy.

2.3. Personnel and Applicant Data

VNETWORK may collect and process personal data of employees, collaborators, interns, and applicants for the purposes of recruitment, human resources management, employment contract performance, payroll, social insurance, performance evaluation, access control management, and labor law compliance.

VNETWORK retains the records of unsuccessful applicants for a maximum of six (06) months from the date the recruitment process concludes, unless the applicant consents to a longer retention period.

2.4. Processing of Sensitive Personal Data

VNETWORK does not proactively collect or process sensitive personal data unless the processing is necessary for a specific notified purpose, for employment or recruitment relations, verification, security, legal compliance, contractual obligations, or upon a lawful request from a competent authority. Where sensitive personal data is processed, VNETWORK shall apply the following principles:

  • Clearly notify the data subject that the data being processed is sensitive personal data;
  • Identify a specific, lawful processing purpose appropriate to the scope of necessity;
  • Obtain separate consent from the data subject where required by law;
  • Apply access controls, restricted access mechanisms, and enhanced security measures;
  • Not use sensitive personal data beyond the scope of the notified purpose, except as permitted or required by law.

ARTICLE 3. PURPOSES OF PERSONAL DATA PROCESSING

3.1. Purposes of Processing

VNETWORK processes personal data only for one or more of the following purposes and shall not process data beyond the scope notified, unless there is a lawful basis to do so:

a) Establishment and performance of service relationships: Reviewing and processing registration requests, creating accounts, providing quotations, concluding and performing service agreements;

b) Service operation and delivery: Providing, operating, maintaining, administering, and securing CDN infrastructure, network security services, cloud, hosting, and other VNETWORK services;

c) Identity verification and account management: Verifying identities, authenticating users, managing accounts, and controlling system access permissions;

d) Technical support and customer service: Receiving and handling support requests, responding to inquiries, complaints, or technical incidents;

e) Finance, accounting, and legal: Issuing invoices, processing payments, reconciling receivables, accounting, taxation, auditing, and retaining documents as required by law;

f) Service information and notifications: Sending operational, maintenance, security, policy change, or terms of service notifications;

g) Security and fraud prevention: Preventing, detecting, and investigating DDoS attacks, unauthorized access, service fraud, and ensuring system continuity;

h) Research and service improvement: Analyzing performance, statistics, market research, and product improvement, conducted solely on anonymized data or with valid consent;

i) Internal human resources management: Recruitment, labor management, payroll, benefits, training, performance evaluation, and internal access control;

j) Legal compliance: Fulfilling legal obligations and requirements of competent state authorities, including taxation, accounting, labor, social insurance, information security, personal data protection, and applicable regulations;

k) Protection of legal rights and interests: Establishing, exercising, or defending the legitimate rights and interests of VNETWORK, customers, users, or third parties in disputes, proceedings, or investigations;

l) Automated data processing, analytical algorithms, or artificial intelligence for the purposes of service operation, performance optimization, system security, attack detection, fraud prevention, technical support, and infrastructure protection within the scope of this Policy.

3.2. Automated Processing and Artificial Intelligence

a) VNETWORK may use automated systems, analytical algorithms, artificial intelligence, or automated support tools for the purposes of service operation, performance optimization, load balancing, attack detection, traffic analysis, fraud prevention, information security monitoring, technical support, and infrastructure protection.

b) Where automated processing or AI activities may produce decisions with legal effects or significantly affecting the legitimate rights and interests of data subjects, VNETWORK shall provide notification, explain the basic principles of processing, and offer mechanisms for data subjects to exercise their rights within the limits permitted by law and technical capabilities.

c) The use of automated systems or AI for purposes of operations, security, attack detection, fraud prevention, load balancing, anomalous traffic analysis, or ensuring service safety is not intended to produce legally adverse decisions against individuals, unless otherwise required by law.

ARTICLE 4. LEGAL BASIS FOR DATA PROCESSING

VNETWORK processes personal data based on one or more of the following legal bases:

a) Consent of the data subject - expressed explicitly, specifically, voluntarily, and in a verifiable manner; silence or non-response shall not constitute consent;

b) Performance of a contract concluded with the data subject, customer, or partner;

c) Legal obligations of VNETWORK as required by law;

d) Protection of the life or health of the data subject or another person in emergency circumstances;

e) Activities of state agencies as prescribed by law;

f) Legitimate interests of VNETWORK or a third party, provided that such interests do not override the legitimate rights and interests of the data subject.

Note: Data subjects have the right to withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of processing activities carried out prior to VNETWORK’s receipt of a valid withdrawal request.

ARTICLE 5. RIGHTS OF DATA SUBJECTS

5.1. Rights of Data Subjects

In accordance with applicable law, data subjects have the following rights with respect to their personal data, including but not limited to:

a) The right to be informed of personal data processing activities;

b) The right to consent to or refuse the processing of personal data in cases where consent is required by law;

c) The right to withdraw previously given consent;

d) The right to access, view, amend, or request the amendment of personal data;

e) The right to request the provision of personal data;

f) The right to request the deletion or destruction of personal data;

g) The right to request the restriction of personal data processing;

h) The right to object to personal data processing activities;

i) The right to lodge complaints, denunciations, initiate legal proceedings, or claim compensation for damages in accordance with law;

j) The right to request competent authorities and organizations to implement personal data protection measures;

k) Other rights as provided by applicable law.

5.2. How to Exercise Rights

Data subjects may exercise the rights set out above by submitting a written request or a verifiable electronic request to VNETWORK using the contact information provided in Article 13 of this Policy.

5.3. Verification and Processing of Requests

In order to protect privacy and data security, VNETWORK reserves the right to request the data subject to provide appropriate information or documentation for the purposes of verifying identity, verifying authority of representation, or clarifying the scope of the request before processing it.

VNETWORK shall receive, review, and respond to requests from data subjects within the statutory period or a reasonable timeframe depending on the nature, scope, and complexity of the request.

5.4. Extension, Refusal, or Limitation of Requests

Where a request is valid, verification information is complete, and the data falls within the scope of VNETWORK’s direct control, VNETWORK shall fulfill the request in accordance with applicable law.

Where a request is complex, involves multiple systems, backup data, system logs, anonymized or de-identified data, third parties, service providers, legal obligations, disputes, receivables, audits, investigations, or requirements from competent authorities, VNETWORK may extend the response period, refuse, or limit fulfillment of the request in accordance with applicable law and shall provide appropriate reasons to the data subject, unless otherwise required by law.

5.5. Cases Where VNETWORK May Refuse, Delay, or Limit Requests

VNETWORK may refuse, delay, or limit the fulfillment of a data subject’s request in the following circumstances:

a) Compliance with a mandatory legal obligation is required;

b) Performance of an agreement or existing obligation with the data subject, customer, or related party is required;

c) Resolution of disputes, complaints, receivables, audits, inspections, investigations, or proceedings is required;

d) Protection of system safety and security, prevention of fraud, cyberattacks, or unlawful conduct is required;

e) Protection of the life, health, property, rights, and legitimate interests of the data subject, VNETWORK, or third parties is required;

f) A lawful requirement from a competent state authority has been received;

g) Other circumstances as provided by applicable law.

The exercise of rights by a data subject shall not affect the lawfulness of data processing activities carried out prior to VNETWORK’s receipt and verification of a valid request, unless otherwise provided by law.

ARTICLE 6. OBLIGATIONS OF DATA SUBJECTS

In accordance with applicable law, data subjects are obligated to:

a) Protect their own personal data; safeguard passwords, OTP codes, and refrain from sharing authentication credentials with any person;

b) Respect and protect the personal data of others;

c) Provide complete and accurate personal data as lawfully required and promptly notify VNETWORK of any changes. VNETWORK shall not be liable for consequences arising from inaccurate information attributable to the data subject;

d) Comply with applicable personal data protection laws;

e) Cooperate with VNETWORK and state authorities in the event of an incident involving personal data;

f) Not obstruct VNETWORK’s exercise of its legal rights and obligations in its capacity as Data Controller or Data Processor; not infringe upon the rights and legitimate interests of the State, agencies, organizations, or other individuals.

ARTICLE 7. OBLIGATIONS OF VNETWORK

7.1. Obligations as Data Controller and Processor

a) Fully implement the personal data protection principles as required by applicable law;

b) Ensure a valid legal basis exists prior to processing personal data;

c) Provide adequate notification to data subjects regarding the purposes, means, retention period of processing, and other necessary information;

d) Prepare, retain, submit, update, and maintain records of personal data processing impact assessments within the timeframes, procedures, applicable scope, and forms prescribed by applicable law;

e) Establish clear procedures, processes, and forms to enable data subjects to exercise their rights;

f) Designate or appoint a department or personnel responsible for personal data protection appropriate to the scale and nature of VNETWORK’s data processing activities and in compliance with applicable legal requirements;

g) Implement appropriate technical and organizational measures to protect personal data;

h) Fulfill incident notification obligations pursuant to Article 9 of this Policy.

7.2. Obligations as Data Processor

a) Process personal data only pursuant to lawful instructions and agreements with the data controller (corporate customer);

b) Not independently process data beyond the scope and purposes authorized by the data controller;

c) Ensure that personnel and subcontractors involved in data processing are bound by equivalent data protection obligations;

d) Prepare and maintain records of processing impact assessments as agreed with the data controller;

e) Notify the data controller of any personal data incident within a reasonable period following discovery and confirmation, and cooperate in fulfilling remediation obligations.

ARTICLE 8. SHARING OF PERSONAL DATA WITH THIRD PARTIES

8.1. General Principles

VNETWORK does not sell, trade, or share personal data with third parties for independent commercial purposes.

8.2. Permitted Cases of Sharing

VNETWORK shall only share personal data to the extent necessary in the following cases, accompanied by appropriate data protection agreements:

a) With partners and technical service providers, including providers of technical infrastructure, cloud computing, storage, CDN, security, email, CRM, system monitoring, and related technical services, for the purposes of service operation, maintenance, security, and improvement;

b) With payment service providers, accounting firms, auditors, legal advisors, tax consultants, and other operational service providers;

c) With competent state authorities, courts, investigative agencies, tax authorities, or third parties pursuant to legal obligations or lawful requests;

d) In the event of restructuring, merger, consolidation, or transfer of assets or services, provided that the receiving party continues to apply equivalent data protection obligations;

e) Where necessary to protect the legitimate rights and interests of VNETWORK, customers, users, or third parties;

f) Where valid consent of the data subject has been obtained.

Where sharing of data, use of service providers, infrastructure providers, technical partners, or data processors results in the transfer of personal data outside Vietnam or provides overseas organizations or individuals with access to or the ability to process personal data subject to Vietnamese law, VNETWORK shall only proceed where there is an appropriate legal basis and in compliance with all applicable conditions, procedures, impact assessment records, data protection measures, and notification/reporting obligations prescribed by law.

Where VNETWORK processes personal data in its capacity as Data Processor pursuant to a customer’s instructions, any international transfer of personal data, if it occurs, shall be carried out in accordance with the agreement with the customer, the customer’s lawful instructions, and applicable legal requirements.

VNETWORK does not transfer personal data abroad for independent commercial purposes beyond the scope of service provision, unless valid consent of the data subject has been obtained, an appropriate agreement with the customer has been concluded, or the transfer is permitted by applicable law.

ARTICLE 9. NOTIFICATION AND HANDLING OF PERSONAL DATA INCIDENTS

Upon discovering a personal data protection incident, VNETWORK shall:

a) Assess the incident immediately upon discovery; implement containment, remediation, and damage mitigation measures;

b) Notify the specialized personal data protection authority within the timeframes, procedures, and scope prescribed by law, including within seventy-two (72) hours of discovery for incidents that are required to be reported under applicable law;

c) Notify data subjects where required by law or where VNETWORK deems such notification necessary to protect the legitimate rights and interests of the data subjects. Any such notification, if provided, shall be conducted within an appropriate scope and shall include necessary information regarding the nature of the incident, the categories of data affected, measures taken and being taken, recommendations for data subjects, and a point of contact;

d) Where VNETWORK acts as the Data Processor: notify the customer (Data Controller) within a reasonable period following discovery and confirmation, and cooperate in fulfilling notification and remediation obligations pursuant to the agreement and applicable law.

ARTICLE 10. SECURITY AND PROTECTION OF PERSONAL DATA

10.1. Security Measures

VNETWORK applies technical and organizational measures appropriate to the nature of the data, risk level, processing scope, and infrastructure capabilities at any given time, including but not limited to:

a) Encryption of personal data at rest and in transit where appropriate to the nature of the data, risk level, legal requirements, applicable technical standards, and system capabilities. For personal data stored in cloud computing environments within VNETWORK’s control, VNETWORK applies encryption mechanisms for data at rest and in transit in accordance with applicable technical standards, unless otherwise provided or based on applicable law, technical specifications, or service agreements;

b) Access controls, user permission management, account authentication, and multi-factor authentication where appropriate;

c) Firewalls, intrusion detection and prevention systems, information security monitoring, and anomaly alerting;

d) Periodic data backups, incident recovery plans, and service continuity assurance;

e) Periodic security reviews, vulnerability assessments, and security testing where appropriate;

f) Personnel training, internal confidentiality commitments, and access controls for employees, contractors, and partners.

10.2. Limitation of Liability

Although VNETWORK applies appropriate technical and organizational measures to protect personal data, no system of data transmission, storage, or processing can be guaranteed to be absolutely secure against all cybersecurity risks, technical errors, unauthorized access, or unforeseen incidents.

To the extent permitted by law, VNETWORK shall not be liable for damages arising from causes beyond VNETWORK’s reasonable control, including but not limited to: errors or actions of the data subject; the data subject’s own disclosure of authentication credentials; fraud, deception, or cyberattacks by third parties beyond VNETWORK’s reasonable defensive capacity; incidents involving service providers not directly under VNETWORK’s control; or force majeure events as defined by applicable law.

This provision does not exclude or limit VNETWORK’s liability with respect to mandatory obligations under applicable personal data protection law.

ARTICLE 11. RETENTION AND DELETION OF PERSONAL DATA

VNETWORK retains personal data for the period necessary to fulfill the notified processing purposes, provide services, perform agreements, comply with legal obligations, and protect the legitimate rights and interests of VNETWORK, customers, data subjects, or third parties.

Depending on the category of data, retention periods may be determined as follows:

a) Account data and basic personal data of customers: retained for the duration of service use and for the period necessary after service termination for the purposes of support, reconciliation, dispute resolution, and legal compliance or protection of legitimate interests;

b) Data related to agreements, orders, transactions, invoices, payment documents, accounting, taxation, and audits: retained in accordance with mandatory retention periods under accounting, taxation, and other applicable laws;

c) System logs, security logs, API logs, information security monitoring data, and data used in incident investigations: retained for the period necessary for operational, security, fraud prevention, incident investigation, legal compliance, and protection of the legitimate rights and interests of VNETWORK;

d) Data of employees, collaborators, and interns: retained for the duration of employment or cooperation and in accordance with mandatory retention periods under labor, taxation, social insurance, accounting, and related laws;

e) Records of unsuccessful applicants: retained for a maximum of six (06) months from the date the recruitment process concludes, unless the applicant consents to a longer retention period or applicable law provides otherwise;

f) Data that has been anonymized or aggregated in a manner that no longer enables the identification of a specific individual as defined by law: may be retained and used for statistical, research, analytical, security, service improvement, or other lawful purposes for an appropriate period consistent with the intended use.

VNETWORK may extend retention periods where necessary to comply with legal obligations, resolve disputes, complaints, receivables, audits, inspections, investigations, proceedings, or to protect the legitimate rights and interests of VNETWORK, customers, data subjects, or third parties.

Upon the expiration of the retention period or when the data is no longer necessary for lawful processing purposes, VNETWORK shall delete, destroy, anonymize, or apply appropriate measures to the personal data in accordance with internal procedures and applicable law.

VNETWORK may decline to fulfill or may only partially fulfill a request for deletion or destruction of personal data where such data is still required to be retained or processed in order to comply with legal obligations, perform agreements, resolve disputes, protect system security, support audits, inspections, investigations, proceedings, or to protect the legitimate rights and interests of VNETWORK or third parties. Where the full request cannot be fulfilled, VNETWORK shall provide appropriate reasons to the data subject, unless otherwise required by law.

ARTICLE 12. CONSEQUENCES OF EXERCISING DATA SUBJECT RIGHTS

The exercise of data subject rights is a legitimate right that VNETWORK respects and supports in accordance with applicable law. However, in certain circumstances, the deletion, destruction, restriction of processing, withdrawal of consent, or objection to processing of personal data may affect VNETWORK’s ability to provide some or all services, including:

a) Inability to access some or all of VNETWORK’s services;

b) Use of services with limited quality or not as described;

c) Non-receipt of service notifications, updates, or important security information;

d) Ineligibility to participate in promotional programs or incentive schemes;

e) Other limitations depending on the specific circumstances.

ARTICLE 13. GENERAL PROVISIONS

13.1. Effective Date

This Policy takes effect from the date of publication or from the time it is notified or confirmed by an appropriate method. Upon accessing the website, registering, using services, or interacting with VNETWORK, data subjects confirm that they have been informed of this Policy.

The processing of personal data is carried out on the basis of valid consent of the data subject or an appropriate legal basis as prescribed by applicable law. Where the law requires separate consent for a specific processing activity, VNETWORK shall obtain such consent in an appropriate form prior to processing, unless otherwise provided by law.

13.2. Updates and Amendments

VNETWORK may update this Policy from time to time to reflect changes in law, technology, or business operations. Material changes affecting the legitimate rights and interests of data subjects shall be communicated through appropriate means, such as by email or notice on the website, within a reasonable period before taking effect, unless otherwise required by law or where the update must be implemented promptly to ensure legal compliance, system security, or to address technical errors. Where required by law, VNETWORK shall seek renewed consent from data subjects.

13.3. Disputes and Resolution

Disputes arising shall be resolved first through negotiation and mediation in good faith. If a resolution cannot be reached within thirty (30) days, either party shall have the right to refer the matter to a competent authority for resolution in accordance with Vietnamese law.

13.4. Contact and Data Protection Personnel

For any inquiries or requests relating to personal data protection, please contact:

Data Protection Department / Data Protection Officer

This Policy supersedes all previous versions relating to the protection and processing of personal data by VNETWORK from the effective date stated above.