PRIVACY NOTICE
(Effective Date: 3 November 2025)
1. Introduction
PT Gan Mitra Usaha (“GMU”, “we”, “us”) is committed to protecting Personal Data processed in the delivery of Security Operations Center (SOC) and Managed Security Services Provider (MSSP) services, as well as through the use of GMU’s website and digital platforms.
This Privacy Notice explains how GMU collects, uses, stores, discloses, protects, and deletes Personal Data in accordance with:
-
Law No. 27 of 2022 on Personal Data Protection (Indonesia PDP Law); and
-
ISO/IEC 27701:2019 - Privacy Information Management System.
Role Clarification
For SOC and MSSP services, GMU acts as a Data Processor and processes Personal Data solely on behalf of, and in accordance with, documented instructions from its customers, who act as Data Controllers.
GMU does not determine the purposes or means of processing such Personal Data and does not directly collect Personal Data from end users of customer systems.
2. Personal Data We Process
Category | Examples |
|---|---|
Customer System Data | Information from customer systems that may contain Personal Data in a security context |
Security Log Data | IP address, timestamps, security events, alerts, ticket metadata |
System Usage Data | Username, access roles, user activity |
Contact Data | Corporate email address, business phone number |
Identity Data | Name, job title, internal identifier |
GMU may process certain categories of Personal Data, including but not limited to:
For SOC/MSSP services, Personal Data is generally obtained indirectly through customer systems.
GMU does not intentionally collect sensitive Personal Data, except where strictly necessary, based on customer instructions and supported by a Data Processing Agreement (DPA).
3. Purpose of Personal Data Processing
GMU processes Personal Data for lawful and limited purposes, including:
-
Providing SOC/MSSP and information security services
-
Detecting, analyzing, investigating, and responding to security incidents
-
Monitoring and improving security system performance
-
Service reporting to customers
-
Business relationship administration
-
Website security monitoring and cyber threat detection
No Personal Data is processed beyond these purposes without a valid legal basis or prior notification.
4. Legal Basis for Processing
GMU processes Personal Data based on one or more of the following legal bases:
-
Performance of a contract with customers
-
Compliance with legal obligations
-
Legitimate interests related to information security
-
Consent of the Data Subject, where required by applicable law
5. Data Subject Rights
Subject to applicable laws, Data Subjects have the right to:
-
Access their Personal Data
-
Correct inaccurate or incomplete data
-
Withdraw consent (where consent is the legal basis)
-
Request deletion of Personal Data under certain conditions
-
Object to or restrict processing (where applicable)
-
Submit complaints to GMU or the relevant supervisory authority
Requests may be submitted through the contact details provided in the Data Protection Officer (DPO) section below.
6. Information Security & Privacy Management
GMU implements an Information Security Management System (ISO/IEC 27001:2022) and a Privacy Information Management System (ISO/IEC 27701:2019), including:
-
Privacy by Design and Privacy by Default principles
-
Encryption and access controls
-
24/7 security monitoring
-
Periodic audits of data processing activities
-
Privacy risk registers and Privacy Impact Assessments (PIA) for high-risk processing
7. Data Storage and Retention
Personal Data is retained:
-
In accordance with SOC/MSSP service contracts and SLAs
-
As required by applicable laws and regulations
After the retention period expires, Personal Data is securely deleted or anonymized.
8. Data Sharing and International Transfers
GMU may share Personal Data with:
-
Customers acting as Data Controllers
-
Contracted third-party service providers (sub-processors)
-
Government authorities or regulators where legally required
International data transfers, if any:
-
Are performed only based on customer instructions
-
Follow GMU’s International Data Transfer Procedure and applicable safeguards
GMU does not sell Personal Data to any third party.
9. Automated Decision-Making
GMU does not conduct automated decision-making that produces legal or similarly significant effects on Data Subjects.
If such processing is implemented in the future, GMU will:
-
Conduct a Privacy Impact Assessment (PIA), and
-
Provide appropriate human intervention mechanisms
in accordance with applicable law.
10. Updates to This Privacy Notice
GMU may update this Privacy Notice from time to time. Any changes will be reflected by updating the effective date at the top of this document.
11. Contact - Data Protection Officer (DPO)
For questions, requests, or complaints related to Personal Data processing, please contact:
Data Protection Officer (DPO)
PT Gan Mitra Usaha
Email: privacy@sqshield.com