Personal Data Management Structure
| Document Number | ARD/SPDP/2025/001 |
| Effective Date | February 2025 |
| Version | 1.0 |
| Status | In Effect / Active |
| Related Documents | Privacy Policy (ARD/KP/2025/001), Terms & Conditions |
Table of Contents
- Introduction
- Article 1 — Definitions
- Article 2 — Organisational Structure
- Article 3 — RACI Matrix
- Article 4 — Data Classification
- Article 5 — B2G Flow
- Article 6 — B2B Flow
- Article 7 — Third-Party Processors
- Article 8 — Access Control (RBAC)
- Article 9 — Data Lifecycle
- Article 10 — Monitoring & Audit
- Article 11 — Training
- Article 12 — Review & Updates
- Article 13 — Contact Us
Introduction
PT Ardindo (hereinafter referred to as "We") has prepared this Personal Data Management Structure document as a supplement to the Privacy Policy, to provide Users with transparency regarding the governance framework, organisational roles, processing flows, and access controls over Personal Data processed on the ardindo.com procurement platform.
This document is prepared in accordance with Law Number 27 of 2022 on Personal Data Protection, Government Regulation No. 71 of 2019 on the Organisation of Electronic Systems and Transactions, and LKPP Regulations applicable to the organisation of government procurement of goods/services electronically.
This structure applies to two service channels operated by the Platform:
- B2G — Government Procurement Channel: transactions between government institutions/agencies and verified Providers.
- B2B — Partner-to-Partner Channel: transactions between Partners/Providers on the procurement marketplace.
Article 1 — Definitions
-
"Personal Data Controller"refers to PT Ardindo as the party that determines the purposes and means of processing Personal Data on the Platform.
-
"Personal Data Processor"refers to a third party that processes Personal Data on behalf of and under the instructions of PT Ardindo.
-
"Personal Data Protection Officer (DPO)"refers to the official appointed by PT Ardindo to oversee the Platform's compliance with the Personal Data Protection Law.
-
"Data Subject"refers to an individual whose Personal Data is processed, including procurement officials (PPK, PP, KPA, Pokja), institutional representatives, and representatives of Providers/Partners.
-
"B2G Channel"refers to the procurement transaction flow from government institutions to Providers through the Platform.
-
"B2B Channel"refers to the transaction flow between two Partners/Providers on the Platform outside the context of institutional procurement.
Article 2 — Personal Data Protection Organisational Structure
PT Ardindo has established a multi-layered governance structure that ensures accountability in Personal Data processing at all levels of Platform operations:
| Level | Unit / Role | Primary Responsibilities |
|---|---|---|
| Level 1 — Strategic | Board of Directors, PT Ardindo | Sets strategic data protection policies, approves information security budgets, and serves as the ultimate responsible party for compliance with the Personal Data Protection Law. |
| Level 2 — Supervisory | Personal Data Protection Officer (DPO) | Monitors day-to-day compliance, serves as the primary contact point for Data Subjects, conducts Data Protection Impact Assessments (DPIA), and reports incidents to the supervisory authority. |
| Level 3 — Operational | Information Security Team | Implements technical controls (encryption, RBAC, monitoring), conducts vulnerability assessments, and manages cybersecurity incidents. |
| Level 3 — Operational | Verification & Onboarding Team | Verifies the validity of institutional/Provider documents (decrees, tax numbers, IDs, business licences, articles of incorporation) in accordance with data minimisation principles. |
| Level 3 — Operational | User Services Team | Handles Data Subject rights requests (access, correction, deletion), privacy complaints, and official communications related to Personal Data. |
| Level 3 — Operational | Platform Development Team | Applies privacy by design & by default principles in every new feature, conducts code reviews, and maintains source code security. |
| Level 4 — Audit | Internal & External Auditors | Conducts periodic compliance reviews, access control audits, and recommendations for improvements in data governance. |
Article 3 — Roles and Responsibilities (RACI Matrix)
The matrix below illustrates the division of roles in Personal Data processing activities on the Ardindo Platform:
R = Responsible · A = Accountable · C = Consulted · I = Informed
| Processing Activity | Board of Directors | DPO | Security Team | Verification Team | Development Team |
|---|---|---|---|---|---|
| Collection of institutional/Partner registration data | I | C | I | R | A |
| Verification of official and Provider identity documents | I | C | I | R A | I |
| Transaction and payment processing | I | C | R | I | A |
| Data storage and encryption | I | C | R A | I | R |
| Handling Data Subject rights requests | I | R A | C | C | I |
| Investigation and reporting of data breaches | A | R | R | C | C |
| Review and update of privacy policies | A | R | C | C | C |
| Data protection awareness training | I | R A | C | I | I |
Article 4 — Personal Data Classification
PT Ardindo classifies Personal Data in accordance with Article 4 of Law No. 27 of 2022, which distinguishes between General Personal Data and Specific Personal Data:
| Category | Type of Data | Sensitivity Level | Access Control |
|---|---|---|---|
| General Personal Data | Name, position, NIP, office email, office phone number | Medium | RBAC — Verification & User Services Teams |
| ↳ | Institutional address, institutional tax number, delivery address | Medium | RBAC — Operations Team & Logistics Partners (limited) |
| ↳ | Procurement transaction history, BAST documents, invoices | Medium–High | RBAC — Operations Team & Auditors |
| Specific Personal Data | Institutional financial data (bank accounts, virtual accounts, payment history) | High | Strictly limited access, mandatory MFA, full audit log |
| ↳ | Copies of responsible official's National ID/Passport | High | Stored encrypted, access only during verification |
| ↳ | Certified electronic signatures (TTE) | High | Stored by TTE provider; Ardindo only retains reference |
| System Data | IP address, activity logs, device & browser type | Low | Aggregate access — Security Team |
Article 5 — Data Management Flow: B2G Channel (Government Procurement)
Personal Data processing on the government institutional procurement channel follows the seven-stage flow below:
-
1Institutional & Official RegistrationInstitutions register accounts providing: institution name, institutional tax number, appointment decree for PPK/PP/KPA, NIP, and official institutional email (government @*.go.id preferred).
-
2Official Identity VerificationVerification of decree validity, NIP-to-position matching, and institutional email validation via email confirmation mechanism. Verification results are recorded in the audit log.
-
3General Procurement Plan (RUP) & NegotiationProcurement officials prepare the General Procurement Plan (RUP), select Providers, and conduct price negotiation through the encrypted chat feature. All negotiation conversations are stored for audit purposes.
-
4Checkout & Purchase Order IssuanceThe user completes the transaction, the system issues an electronic Purchase Order and assigns the vendor. Shipping data is shared on a limited basis with logistics partners.
-
5PaymentPayment processing is conducted through certified banking partners (Bank BRI, Bank BJB, QRIS/VA partners). Account data is submitted directly to the bank and is not stored in the Platform's database.
-
6Handover Report (BAST) & Electronic Signature (TTE)After goods/services are received, the system issues a Handover Report (BAST) signed electronically through a certified TTE provider (BSrE/PrivyID).
-
7Reporting, Archiving & AuditAll transaction documents are archived for a minimum of 10 (ten) years to comply with archiving and tax regulations. Archive access is restricted to auditors and relevant institutions.
Article 6 — Data Management Flow: B2B Channel (Partner-to-Partner)
On the B2B channel, the Platform facilitates transactions between Partners/Providers without involvement of government institutions. The data processing flow differs from the B2G channel in terms of verification and retention:
| Stage | Activity | Data Processed | Processor |
|---|---|---|---|
| 1 | Partner Onboarding (Seller & Buyer) | Business name, NIB, corporate tax number, responsible person's ID, articles of incorporation | Verification Team |
| 2 | Product/service listing by Seller Partner | Product information, pricing, photos, warehouse/pickup address | Development Team (automated) |
| 3 | Order by Buyer Partner | Order data, delivery address, buyer PIC contact | Operations Team |
| 4 | Negotiation communication between Partners | Chat records, attachments, offer history | Stored encrypted, opened only in dispute cases |
| 5 | Payment via escrow / VA | Amount, payment reference (bank-managed accounts) | Payment Partner |
| 6 | Delivery & receipt confirmation | Tracking number, destination address, handover proof photo | Logistics Partner |
| 7 | Settlement & rating | Reviews, ratings, transaction history | Involved Partners (limited public) |
On the B2B channel, Seller Partners who upload products and receive orders also act as joint controllers over Buyer Partner Personal Data related to their transactions, and are bound by the confidentiality agreement in the Partner Terms & Conditions.
Article 7 — List of Personal Data Processors (Third Parties)
The list of Data Processor partners we use, along with the purposes and types of data processed:
| Partner Category | Example Providers | Type of Data Processed | Processing Location |
|---|---|---|---|
| Payment Providers | Bank BRI, Bank BJB, QRIS partners, VA aggregators | Transaction data, destination accounts, amounts | Indonesia |
| TTE Providers | BSrE, PrivyID, or Kominfo-certified providers | Signatory identity, document hash | Indonesia |
| Hosting & Infrastructure | Cloud providers with data centres in Indonesia | All Platform data (encrypted) | Indonesia |
| Logistics Partners | Courier & freight service providers | Delivery address, recipient contact, package content (description) | Indonesia |
| Email & Notification Services | Transactional SMTP providers | Email addresses, notification content | Indonesia / Regional |
| Analytics Services | Internal analytics & privacy-friendly analytics | Aggregated data, anonymised IPs | Indonesia |
Each Processor is bound by a Data Processing Agreement (DPA) requiring compliance with the Personal Data Protection Law, confidentiality, and data security.
Article 8 — Data Access Matrix (Role-Based Access Control)
Access to Personal Data is governed by the principles of least privilege and need-to-know:
| Role | General Data | Transaction Data | Financial Data | Identity Documents | System Logs |
|---|---|---|---|---|---|
| Board of Directors | Aggregate | Aggregate | Aggregate | — | — |
| DPO | Full* | Full* | Full* | Full* | Full |
| Security Team | Full | Full | Encrypted | Encrypted | Full |
| Verification Team | Full | — | — | Full* | Limited |
| User Services Team | Full* | Limited* | — | — | Limited |
| Development Team | Anonymised | Anonymised | — | — | Full |
| Logistics Partners | Delivery only | Delivery only | — | — | — |
| Auditors | Full* | Full* | Full* | — | Full* |
*) Access with full audit log recording and automatic notification to the DPO.
Article 9 — Personal Data Lifecycle
Each piece of Personal Data follows a documented lifecycle from collection to destruction:
| Phase | Controls Applied |
|---|---|
| 1. Collection | Only necessary data (data minimisation), explicit consent, transparent registration forms. |
| 2. Processing | Purpose limitation, role-based access, automated audit logs, encryption during processing. |
| 3. Storage | Encryption at rest, separation of sensitive databases, storage within Indonesian territory. |
| 4. Sharing | Only to DPA-bound Processors, transmission via TLS 1.2+, data sharing logs. |
| 5. Retention | As per the schedule in the Privacy Policy (active accounts, transactions 10 years, logs 12 months). |
| 6. Destruction / Anonymisation | Deletion within 30 business days from approval of request, or anonymisation for statistical purposes. |
Article 10 — Monitoring and Audit
To ensure the effective implementation of this structure, PT Ardindo conducts:
- Quarterly internal audits by the DPO on access logs and team compliance.
- Annual external audits by certified independent auditors.
- Data Protection Impact Assessments (DPIA) for every new feature that may process Personal Data at scale.
- Penetration tests at least once per year by a third party.
- Management reviews by the Board of Directors on compliance reports each semester.
Article 11 — Training and Awareness
All personnel handling Personal Data are required to complete:
- Basic Personal Data Protection Law training during onboarding of new personnel.
- Annual refresher training on information security and data ethics.
- Incident response simulations at least twice a year.
- Signing of a Non-Disclosure Agreement as a condition of production access.
Article 12 — Review and Update of Structure
This document is reviewed at least once every 12 (twelve) months, or at any time when:
- Significant changes occur in relevant laws and regulations;
- New types of Platform services or features are added;
- A security incident requires changes to governance;
- Changes to the organisational structure of PT Ardindo occur.
The latest version of this document will be published on this page, with version history maintained by the DPO.
Article 13 — Contact Us
For questions, clarifications, or reports regarding this Personal Data governance structure, please contact:
Personal Data Protection Officer (DPO) — PT Ardindo
-
Email
-
Websiteardindo.com
-
AddressJl. Tamblong No.46, Kb. Pisang, Kec. Sumur Bandung, Kota Bandung, West Java 40112
-
Phone
-
Service HoursMonday–Friday, 09:00–17:00 WIB
