English 
Deutsch 
Español 
Português 
Français 
Italiano 
中文 (中国) PRC DATA PROCESSING ADDENDUM
This PRC Data Processing Addendum (the “PRC DPA”) is entered into by and between:
(1) Client: the applicable Сlient contracting entity expressly identified in the applicable Delivery Order (or other order form or document issued pursuant thereto and accepted by Client) for the provision of the VDR services (“Delivery Order”) acting as Personal Information Processor (“Client” or “Personal Information Processor”); and
(2) Ideals Business Technology Solutions (Shanghai) Co., Ltd., a company incorporated in China whose registered office is located at: Zone A, Floor 2, No. 1220, Pudong Avenue, Pilot Free Trade Zone, Shanghai acting as Entrusted Party (“Ideals” or “Entrusted Party”).
Incorporation and precedence
This PRC DPADPA supplements and forms an integral part of the Ideals Terms and Conditions of Service (”T&Cs”) located at https://www.idealsvdr.com/terms-and-conditions/. This PRC DPADPA applies where and to the extent Ideals processes Personal Information on behalf of Client as an Entrusted Party in connection with the Services. By executing the Delivery Order referencing the T&Cs, or by accessing or using the Services, Client agrees to be bound by this PRC DPADPA on behalf of itself and its users.
The “Ideals VDR Agreement” means the T&Cs together with any applicable Delivery Order. Collectively, the Ideals VDR Agreement and this PRC DPADPA are referred to herein as the “Agreement”.
In the event of any conflict or inconsistency between any of the terms of the Agreement, only to the extent of the conflict with respect to data protection and processing obligations, the provisions of the following documents (in order of precedence) shall prevail: (a) this PRC DPADPA; and (b) the Ideals VDR Agreement. Except as specifically amended in this PRC DPADPA, the Ideals VDR Agreement remains unchanged and in full force and effect.
1. DEFINITIONS
For purposes of this PRC DPADPA:
“Applicable PRC Data Protection Laws” means the Personal Information Protection Law of the People’s Republic of China (“PIPL”), the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and any applicable implementing regulations, measures, standards, binding guidance, or decisions of competent PRC authorities, as amended from time to time.
“Client Personal Information” means personal information, sensitive personal information, or other data uploaded by or on behalf of Client to the Virtual Data Room (hereinafter the “VDR”) or otherwise made available to Ideals under the Agreement, to the extent regulated under Applicable PRC Data Protection Laws.
“Personal Information Processor” means the party that independently determines the purposes and means of processing personal information and, for purposes of this PRC DPADPA, means Client.
“Entrusted Party” means the party entrusted by the Personal Information Processor to process personal information on its behalf and, for purposes of this PRC DPADPA, means Ideals.
“Sensitive Personal Information” shall have the meaning given in Applicable PRC Data Protection Laws.
“Important Data” shall have the meaning given in Applicable PRC Data Protection Laws.
“Process”, “Processing”, or similar terms mean any operation performed on Client Personal Information, including collection, storage, use, processing, transmission, provision, disclosure, retrieval, consultation, deletion, or destruction.
“Sub-processor” means any affiliate or third party engaged by Ideals to process Client Personal Information on behalf of Client in connection with the Services.
“Personal Information Breach” means any unauthorised access, acquisition, disclosure, leakage, tampering, alteration, loss, destruction, or other compromise affecting Client Personal Information.
“Overseas Access” means any access to Client Personal Information from outside mainland China, including remote access by support, engineering, security, maintenance, troubleshooting, or incident-response personnel located outside mainland China.
2. ROLES OF THE PARTIES
2.1 Client is the Personal Information Processor and determines the purpose and means of processing Client Personal Information.
2.2 Ideals acts solely as an Entrusted Party and shall process Client Personal Information only in accordance with Client’s documented instructions, the Agreement, and this PRC DPADPA.
2.3 Nothing in this PRC DPADPA grants Ideals any independent right to determine the purposes or means of processing Client Personal Information.
2.4 The Parties acknowledge that this PRC DPADPA is intended to satisfy the entrustment requirements under Applicable PRC Data Protection Laws.
3. SUBJECT MATTER, PURPOSE, NATURE, AND DURATION OF PROCESSING
3.1 The subject matter of Processing is the provision of the Ideals Virtual Data Room and related services under the Agreement.
3.2 The purpose of Processing is limited to processing Client Personal Information strictly as necessary to provide the Services.
3.3 The duration of Processing shall be the term of the Agreement, and, after termination or expiry of the Agreement, for any retention period specified in the Agreement, together with any limited retention period required by applicable law or expressly agreed in writing.
3.4 The categories of data subjects and categories of Client Personal Information covered by this PRC DPADPA are described in Annex II.
4. CLIENT OBLIGATIONS
Client agrees to:
4.1 ensure that it has a valid legal basis under Applicable PRC Data Protection Laws for collecting, using, uploading, and otherwise making Client Personal Information available to Ideals;
4.2 be solely responsible for complying with its obligations as Personal Information Processor, including notices, transparency, consent where required, separate consent where required, retention, legality of processing, and handling individual rights;
4.3 provide lawful, clear, and documented instructions to Ideals;
4.4 upload only the Client Personal Information that the Client determines is necessary for its intended purposes;
4.5 be solely responsible for determining whether uploaded content contains:
(a) personal information;
(b) Sensitive Personal Information;
(c) Important Data; or
(d) any category of data subject to enhanced restrictions under Applicable PRC Data Protection Laws;
4.6 be solely responsible for determining whether any actual or potential Overseas Access constitutes a regulated cross-border provision of personal information or other data under Applicable PRC Data Protection Laws;
4.7 be solely responsible for determining whether any such cross-border activity is:
(a) exempt;
(b) permitted under a valid certification;
(c) permitted under the PRC standard contract regime;
(d) subject to CAC security assessment; or
(e) otherwise lawful under Applicable PRC Data Protection Laws; and
4.8 complete, obtain, or maintain any notices, separate consents, personal information protection impact assessments, filings, certifications, contracts, governmental submissions, approvals, or other compliance steps required under Applicable PRC Data Protection Laws for any instructed or authorised Overseas Access.
5. CLIENT ACKNOWLEDGEMENTS REGARDING IDEALS’ NO-ACCESS-BY-DEFAULT MODEL
5.1 Client acknowledges that Ideals does not inspect, review, or monitor the substance of files uploaded by Client to determine:
(a) the number of individuals whose personal information is included;
(b) whether such files contain Sensitive Personal Information;
(c) whether such files contain Important Data; or
(d) whether any threshold under Applicable PRC Data Protection Laws has been met or exceeded.
5.2 Accordingly, Ideals cannot verify whether Client’s uploaded content exceeds any PRC outbound-transfer threshold or otherwise triggers any specific PRC cross-border mechanism.
5.3 Ideals shall be entitled to rely on Client’s written instructions, representations, warranties, and compliance confirmations for the purposes described in this PRC DPADPA.
6. IDEALS’ OBLIGATIONS
6.1 Ideals shall process Client Personal Information only:
(a) on Client’s documented instructions;
(b) within the agreed purpose, method, scope, and retention period; and
(c) to the extent necessary to provide, secure, maintain, and support the Services.
6.2 Ideals shall not sell, share, disclose, mine, profile, combine, analyse, monetise, or otherwise use Client Personal Information for its own purposes.
6.3 Ideals shall promptly inform Client if Ideals believes any Client instruction violates Applicable PRC Data Protection Laws. Pending Client’s response, Ideals may suspend the affected processing. If Client maintains the instruction, Ideals may terminate the relevant instruction scope. Client shall indemnify Ideals for any loss resulting from processing carried out pursuant to Client instructions that violate Applicable PRC Data Protection Laws.
6.4 Ideals shall ensure that persons authorised to process Client Personal Information are subject to confidentiality obligations and appropriate training. Ideals personnel do not access Client Personal Information by default and may access such information only where necessary for the provision of the Services and with the Client’s authorisation.
6.5 Where the entrustment expires, is terminated, becomes invalid, or otherwise ends, Ideals shall return or delete the relevant Client Personal Information in accordance with Section 15 below and shall not retain it except to the extent required by law.
7. SECURITY
7.1 Ideals shall implement and maintain appropriate technical and organisational measures to protect Client Personal Information against unauthorised access, disclosure, leakage, tampering, alteration, destruction, or loss.
7.2 Such measures shall include, as appropriate:
(a) role-based access controls and least-privilege access;
(b) authentication and identity management;
(c) encryption in transit and at rest;
(d) access logging and monitoring;
(e) vulnerability management and patch management;
(f) backup, restoration, and resilience measures;
(g) incident response procedures;
(h) personnel confidentiality controls; and
(i) periodic testing and review of security controls.
7.3 The Parties agree that the technical and organisational measures described in Annex I form part of this PRC DPADPA.  
7.4 Ideals makes available within the VDR platform enhanced protective functionality appropriate for Sensitive Personal Information, including, at a minimum:
(a) stricter role-based access controls limited to specifically authorised personnel;
(b) enhanced audit logging of all access events relating to designated content;
(c) encrypted storage with key separation from standard-tier data; and
(d) configurable access restriction and permission management at folder or document level.
Client is responsible for activating and maintaining these enhanced features where Client Personal Information includes Sensitive Personal Information. Client’s election not to activate available enhanced features shall constitute Client’s assumption of sole responsibility for the resulting protection standard applicable to its data.
Client remains solely responsible for determining whether any supplemental restrictions, notices, consents, or impact assessments are required under Applicable PRC Data Protection Laws in connection with Sensitive Personal Information, and for ensuring such requirements are satisfied independently of Ideals’ technical measures.”
8. OVERSEAS ACCESS AND CROSS-BORDER DATA SCENARIOS
8.1 Client Personal Information shall be hosted and processed in the location selected by Client from the hosting options made available by Ideals. Client acknowledges that, under Applicable PRC Data Protection Laws, the selection of a hosting location outside mainland China may constitute a cross-border provision of personal information and may be subject to additional legal requirements. Client is responsible for ensuring that its selection of hosting location complies with Applicable PRC Data Protection Laws.
8.2 Ideals shall not provide, disclose, transmit, make available, or permit Overseas Access to Client Personal Information except:
(a) as expressly instructed or pre-authorised by Client in writing or in the VDR; and
(b) where Client has confirmed in writing that such activity is exempt or otherwise lawful under Applicable PRC Data Protection Laws.
8.3 Client acknowledges and agrees that any requested or authorised Overseas Access, including by support or engineering personnel located outside mainland China, shall be treated by the Parties as a potential cross-border provision of personal information for purposes of risk allocation and compliance under this PRC DPADPA.
8.4 Before any Overseas Access occurs, Client shall provide Ideals with written confirmation that:
(a) the relevant activity is exempt from any applicable PRC cross-border requirements; or
(b) the necessary legal mechanism and compliance steps have been completed, including as applicable:
(i) personal information protection impact assessment;
(ii) required notices and separate consent;
(iii) PRC standard contract;
(iv) personal information protection certification;
(v) CAC security assessment; and/or
(vi) any other required filing, submission, or approval.
8.5 Where Client has not provided the written confirmation described above, or where Ideals reasonably believes that the requested Overseas Access may be unlawful under Applicable PRC Data Protection Laws, Ideals may refuse, suspend, or limit the requested Overseas Access and may require that support be provided solely from within mainland China, where feasible.
8.6 Nothing in this PRC DPADPA obligates Ideals to carry out any Overseas Access that Ideals reasonably believes would expose Ideals to non-compliance risk under Applicable PRC Data Protection Laws.
8.7 The Parties acknowledge that the applicable PRC cross-border route depends on the nature and volume of data involved and may include exemption, certification, PRC standard contract, or CAC security assessment, depending on the circumstances.
9. EMERGENCY ACCESS
9.1 Client may separately authorise emergency Overseas Access for urgent troubleshooting, incident response, service restoration, security remediation, or other material operational necessity.
9.2 Any such emergency authorisation must be documented in writing, whether in the Agreement, an order form, support authorisation, ticket workflow, or other written record agreed by the Parties.
9.3 Emergency Overseas Access, if authorised, shall be limited to:
(a) specifically designated personnel;
(b) the minimum scope necessary;
(c) a need-to-know basis;
(d) least-privilege access;
(e) logging and auditability; and
(f) prompt post-event reporting to Client upon request.
9.4 Client remains solely responsible for ensuring that any such emergency Overseas Access is exempt or otherwise lawful under Applicable PRC Data Protection Laws.
10. SUB-PROCESSORS
10.1 Client grants Ideals a general authorisation to engage Sub-processors strictly as necessary to provide the Services, provided that Ideals remains responsible for their acts and omissions to the extent required by law and contract.
10.2 Ideals shall enter into a written agreement with each Sub-processor imposing data protection and security obligations no less protective than those set out in this PRC DPADPA.
10.3 Without Client’s written authorisation, Ideals shall not permit any Sub-processor to perform Processing involving Overseas Access to Client Personal Information.
10.4 Client acknowledges that, under Applicable PRC Data Protection Laws, onward entrustment / subcontracting of entrusted processing requires the Personal Information Processor’s consent. This PRC DPADPA is intended to provide that contractual framework, subject to the limits in this Section.
10.5 Ideals shall make available to Client the then-current list of authorised Sub-processors upon request or by reference to the applicable public sub-processor list, as updated from time to time.
11. PERSONAL INFORMATION BREACH
11.1 If Ideals becomes aware of a Personal Information Breach affecting Client Personal Information, Ideals shall notify Client within 24 hours of becoming aware of a serious Personal Information Breach, and within 72 hours for other breaches, or sooner if required by Applicable PRC Data Protection Laws..
11.2 Such notification shall include, to the extent available:
(a) the nature of the incident;
(b) the categories of data concerned;
(c) the likely consequences;
(d) the measures taken or proposed; and
(e) a contact point for follow-up.
11.3 Ideals shall take reasonable steps to contain, investigate, mitigate, and remediate the Personal Information Breach and shall reasonably cooperate with Client.
11.4 Client remains responsible for determining whether any notification to individuals or regulators is required under Applicable PRC Data Protection Laws, unless applicable law expressly imposes such obligation directly on Ideals in the relevant circumstance.
11.5. Where Applicable PRC Data Protection Laws impose a direct notification obligation on Ideals as Entrusted Party independently of Client’s obligations as Personal Information Processor, Ideals shall:
(a) fulfil such direct notification obligations in accordance with the requirements and timelines prescribed by Applicable PRC Data Protection Laws;
(b) notify Client of any such direct regulatory notification before it is made, where circumstances permit, or immediately after, where prior notification is not practicable due to legal or operational constraints; and
(c) provide Client with a copy of any such regulatory notification to the extent permitted by applicable law.
Client shall cooperate with Ideals in meeting such obligations, including by providing information reasonably requested by Ideals or by competent authorities in connection with the incident, within the timeframes required.
12. ASSISTANCE WITH COMPLIANCE
12.1 Taking into account the nature of the Processing and the information available to Ideals, Ideals shall provide reasonable assistance to Client in connection with:
(a) individual rights requests;
(b) incident response;
(c) personal information protection impact assessments;
(d) regulatory inquiries; and
(e) other compliance obligations applicable to Client as Personal Information Processor.
12.2 If Ideals receives a request directly from an individual relating to Client Personal Information, Ideals may refer the request to Client unless Applicable PRC Data Protection Laws require otherwise.
13. AUDIT AND DEMONSTRATION OF COMPLIANCE
13.1 Upon reasonable written request, Ideals shall provide Client with information reasonably necessary to demonstrate compliance with this PRC DPADPA, including relevant third-party assurance materials such as security certifications or audit summaries, to the extent available.
13.2 If such materials are insufficient to reasonably demonstrate compliance, Client may, no more than once in any twelve-month period or following a verified Personal Information Breach, conduct a targeted audit, subject to:
(a) reasonable prior written notice;
(b) confidentiality obligations;
(c) normal business hours;
(d) no access to other Clients’ data; and
(e) no unreasonable interference with Ideals’ operations.
13.3 Client shall bear its own audit costs and reimburse Ideals for reasonable direct external costs necessarily incurred to support a Client-requested on-site audit, except where material non-compliance by Ideals is identified.
14. GOVERNMENT AND REGULATORY REQUESTS
14.1 If Ideals receives a legally binding request from a competent authority for access to Client Personal Information, Ideals shall, to the extent legally permitted:
(a) promptly notify Client;
(b) disclose only the minimum data legally required;
(c) document the request and the response; and
(d) where lawful and reasonable, seek clarification of overbroad requests.
14.2 If Ideals is legally prohibited from notifying Client, Ideals shall use reasonable efforts to obtain permission to disclose as much information as possible.
15. DATA RETURN AND DELETION
15.1 Upon termination or expiry of the Agreement and the end of the retention period specified in the Agreement, or earlier upon Client’s written request, Ideals shall securely delete Client Personal Information, unless retention is required by applicable law.
15.2 Where retention is required by law, Ideals shall:
(a) retain only the minimum data required;
(b) restrict further Processing to the minimum required lawful purpose; and
(c) delete the retained data promptly when the legal retention obligation expires.
16. GOVERNING LAW AND DISPUTE RESOLUTION
16.1 This PRC DPADPA shall be governed by the laws of the People’s Republic of China, excluding conflict-of-law rules.
16.2 Any dispute arising out of or in connection with this PRC DPADPA shall first be resolved through friendly consultation.
16.3 If the dispute is not resolved within thirty (30) days, the dispute shall be submitted to Shanghai International Arbitration Center (SHIAC) for arbitration in accordance with its then-current Arbitration Rules. The arbitration shall be conducted in English, and the seat of arbitration shall be Shanghai, PRC.
17. TERM
This PRC DPADPA shall remain in effect as long as the Ideals VDR Agreement is valid.
ANNEX I
Technical and organisational Measures (TOM)
Ideals shall implement and maintain technical and organisational measures appropriate to protect Client Personal Information in accordance with Applicable PRC Data Protection Laws, taking into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and interests of individuals.
1. Confidentiality
| Technical Measures | organisational Measures |
| Identity & Access Enforcement. SSO + adaptive MFA for all workforce/admin access; minimum passphrase strength ≥ 12 characters or equivalent; account lockout after consecutive failed attempts; session hardening (idle lock, re-auth on sensitive ops). Role-Based Access Control (RBAC) & Least Privilege. Fine-grained roles; partial/access-scoped permissions per job function; privileged access time-bound and logged. Tenant Isolation & Logical Segregation. Per-tenant data namespaces; application-level authorization checks; service-side ACLs to prevent cross-tenant access. Network Security. Segmentation (VPCs/subnets/security groups), WAF, IDS/IPS, network monitoring, rate-limiting, and egress controls. Endpoint Security. Full-disk encryption, EDR/anti-malware, host firewalls, USB/port control policies enforced by MDM/endpoint management. Cryptography. Data at rest encryption using strong algorithms and managed keys; in-transit TLS 1.3 for all external and internal service hops; key separation for environments; pseudonymisation/tokenisation where feasible. Key Management. Keys stored and managed in dedicated KMS/Key Vaults separate from encrypted data; rotation and access logs enforced. Data Loss Prevention (DLP). DLP rules on endpoints and collaboration tools; quarantine/justification workflows for sensitive data exfiltration attempts. Digital Signatures. Approved e-signature mechanisms for contracts and release processes; signature validation logged. | Access Governance. Documented access & user-role policy; joiner–mover–leaver process; periodic access reviews; SoD for admin grants. Confidentiality Obligations. Employee and contractor NDAs; background checks per role and local law. Third-Party/Supplier Due Diligence. Risk-based vetting of contractors/sub-processors (certifications, references, PRC DPADPAs). Information Handling. Data classification & handling policy; secure media handling and sanitisation/disposal procedures; BYOD regulation where applicable. |
2. Integrity
| Technical Measures | organisational Measures |
| Secure Transport & Interfaces. TLS 1.2+; HSTS; strong cipher suites; API auth with signed tokens/keys. Auditability. Immutable/auditable logs for data access, admin actions, config changes, and data entry logging; clock sync (NTP). Application & Data Controls. Server-side validation, referential integrity, checksums/hashes, and versioning where appropriate. Session Controls. Enforced timeouts and re-authentication for sensitive operations. Vulnerability & Patch Management. Continuous vuln scanning; SLA-based patching; configuration baselines (CIS) with drift detection. Endpoint/Port Controls. USB/port lockdown and device control at OS/EDR level. | Change & Release Management. Formal change control (CAB where needed), approvals, separation of duties, rollback testing. Secure SDLC. Threat modeling, code reviews, dependency health (SCA), secrets management, and pre-prod security gates. Policies & Procedures. Information Security Policy, Data Protection Policy, and rules for any physical transfer of data (exception-only). Need-to-Process. Only authorised personnel process personal information; duties and responsibilities are documented. |
3. Availability and Resilience
| Technical Measures | organisational Measures |
| Redundancy & Fault Tolerance. Multi-AZ deployments, load-balancing, and auto-scaling for critical services. Backups & Recovery. Automated, regular backups; multiple storage tiers; versioning/immutability where supported; restoration tests on a defined cadence. Monitoring & Alerting. Centralised logging/SIEM; health checks; capacity/utilisation monitoring; actionable alerts. Hardening Against Disruption. DDoS protection, rate limiting, circuit breakers, and graceful degradation patterns. Traceable Transfers. Controls to ensure data cannot be read/copied/modified/deleted without authorisation during transmission/transport; destination verification and integrity checks. | BCP/DRP. Documented business continuity and disaster recovery plans with RTO/RPO; crisis communications runbooks. Backup Governance. Backup schedule policy, retention, encryption, storage location approvals, periodic evidence reviews. Incident Response. Defined IR plan, playbooks, post-incident reviews, and corrective actions. Crisis/Emergency Management. Initiation protocol, roles, and escalation paths; periodic exercises and protocol evaluation. |
4. Process for Regularly Testing, Accessing and Evaluating
| Technical Measures | organisational Measures |
| Security Testing. Annual independent penetration tests, continuous bug bounty/responsible disclosure, routine automated scanning (SAST/DAST/Cloud). Control Telemetry. Security metrics, control health dashboards, and automated policy compliance checks. | Management System & Assurance. ISO/IEC 27001 ISMS in force; SOC 2 Type II audits; control attestations and remediation tracking. Governance & Documentation. Central repository for policies/TOMs; documented Controller–Processor delineation; formal assignment of responsibilities. Training & Awareness. Regular data protection and security training (role-based); phishing simulations; secure engineering training. BYOD/Device Handling. Written BYOD and asset handling rules; enforcement via MDM. Periodic Review. At least an annual TOMs effectiveness review; updates after material changes, incidents, or risk assessments. |
5. Privacy Governance and Data Lifecycle Controls
| Technical Measures | organisational Measures |
| Data Minimisation & Masking. Field-level minimisation; masking/pseudonymisation for non-prod; selective logging to avoid sensitive payloads. Retention & Deletion Automation. Policy-driven retention with automated deletion jobs; verified purge of backups when feasible per policy. | DPIA/TRA. Risk-based DPIAs for new/changed processing; records of processing (RoPA). Sub-processor Management. Contractual PRC DPADPAs/SCCs, transfer impact assessments, and ongoing monitoring. Requests from Data Subjects. Defined procedures and SLAs for rights requests; identity verification steps. |
ANNEX II
Description of Processing
A. Subject Matter
Provision of the Ideals Virtual Data Room and related services under the Agreement.
B. Purpose of Processing
To host, store, organise, transmit, secure, make available, maintain, support, and otherwise Process Client Personal Information solely as necessary to provide the Services to Client.
C. Nature of Processing
May include collection from Client, recording, organisation, structuring, storage, retrieval, consultation, access, transmission, backup, restoration, deletion, destruction, and other Processing necessary for the provision of the Services.
D. Categories of Data Subjects
As determined solely by Client and reflected in Client Data, which may include, depending on Client’s use of the Services:
(a) Client personnel;
(b) Client counterparties;
(c) end users;
(d) investors;
(e) directors;
(f) employees;
(g) consultants;
(h) representatives of transaction parties; and/or
(i) other individuals whose information Client elects to upload.
E. Categories of Client Personal Information
As determined solely by Client and reflected in Client Data, which may include, depending on Client’s use of the Services:
(a) identification data;
(b) contact data;
(c) employment or professional information;
(d) financial information;
(e) transaction-related data;
(f) user account data;
(g) communications;
(h) audit trail or access information; and/or
(i) any other Personal Information Client elects to upload.
F. Sensitive Personal Information
Only to the extent uploaded or otherwise made available by Client. Client remains solely responsible for identifying whether Client Data contains Sensitive Personal Information and for ensuring that any additional legal requirements applicable thereto have been satisfied.
G. Processing Location
Default Processing location: Any location offered by Ideals chosen by the Client, who remains responsible for ensuring that any selection outside mainland China complies with applicable PRC data protection laws.
H. Overseas Access
Only where separately instructed or pre-authorised by Client in writing and only where Client has confirmed that such access is exempt or otherwise lawful under Applicable PRC Data Protection Laws.