This Data Processing Agreement ("DPA") applies where Network365 Co., Ltd. ("Network365", "Processor") processes personal data on behalf of a customer ("Customer", "Controller") in the course of providing services. It forms part of, and is governed by, the agreement between the parties, and is designed to meet the requirements of Thailand's Personal Data Protection Act (PDPA) and, where applicable, the EU GDPR.

01 Scope & roles

For personal data processed by Network365 to provide services to the Customer, the Customer is the Controller and Network365 is the Processor. Network365 processes such personal data only on the Customer's documented instructions and for the purposes set out in Annex I.

02 Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject" and "Personal Data Breach" have the meanings given to them under the PDPA and, where applicable, the GDPR. "Sub-processor" means any third party engaged by Network365 to process personal data on the Customer's behalf.

03 Nature, purpose & duration of processing

The subject matter, nature and purpose of processing, the types of personal data and categories of data subjects are described in Annex I. Processing continues for the duration of the services and any wind-down period agreed by the parties.

04 Processor obligations

Network365 will:

  • Process personal data only on the Customer's documented instructions, including for transfers, unless required otherwise by law (in which case it will inform the Customer where permitted).
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures described in Annex II.
  • Respect the conditions for engaging sub-processors set out below.
  • Assist the Customer with data-subject requests, security, breach notification and impact assessments.
  • Promptly inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.

05 Technical & organisational measures

Network365 maintains appropriate measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, as detailed in Annex II. These include encryption, access control, network segmentation, logging, vulnerability management and incident response.

06 Sub-processors

The Customer authorises Network365 to engage the sub-processors listed in Annex III. Network365 will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. Network365 will give the Customer reasonable prior notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.

07 Data-subject requests

Taking into account the nature of the processing, Network365 will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection.

08 Personal data breach notification

Network365 will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data, and will provide the information reasonably needed for the Customer to meet its own notification obligations.

09 Assistance to controller

Network365 will provide reasonable assistance to the Customer in ensuring compliance with its obligations regarding security of processing, breach notification, data-protection impact assessments and prior consultation with supervisory authorities, taking into account the information available to Network365.

10 Audit rights

Network365 will make available to the Customer information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice and during business hours. Recognised third-party certifications or reports (such as ISO 27001 or SOC 2, where available) may be provided to satisfy audit requests.

11 International transfers

Network365 will not transfer personal data outside Thailand or the data subject's jurisdiction without an appropriate transfer mechanism in place, such as the EU Standard Contractual Clauses, an adequacy decision or the cross-border transfer mechanisms permitted under the PDPA, together with any supplementary measures required.

12 Return or deletion of data

On termination of the services, Network365 will, at the Customer's choice, return or delete the personal data it processes on the Customer's behalf, and delete existing copies, within 90 days, unless applicable law requires continued storage.

13 Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the agreement between the parties.

14 Term & termination

This DPA takes effect on the effective date above and remains in force for as long as Network365 processes personal data on the Customer's behalf. Provisions intended to survive termination — including confidentiality, deletion and audit — continue to apply.

A·I Annex I — Processing details

Item: Detail
Subject matter: Provision of the agreed Network365 services to the Customer
Duration: Term of the services plus any agreed wind-down period
Nature & purpose: Hosting, support, integration and administration as needed to deliver the services
Categories of data subjects: Customer personnel, end users and authorised contacts
Types of personal data: Identifiers (name, email, phone), organisational details, account and configuration data, and free-text content provided by the Customer
Special-category data: Not expected unless expressly authorised by the Customer in writing

A·II Annex II — Security measures

  • Encryption — TLS 1.2+ in transit; encryption of data at rest where supported.
  • Access control — role-based access, least privilege and multi-factor authentication for administrative access.
  • Network security — segmentation, firewalling and hardened configurations.
  • Logging & monitoring — centralised logging and review of security-relevant events.
  • Vulnerability management — regular patching and vulnerability assessment.
  • Personnel — confidentiality obligations and security awareness.
  • Resilience — backup and recovery procedures and incident response.
  • Physical security — services hosted in facilities with appropriate physical and environmental controls.

A·III Annex III — Sub-processors

Network365 engages sub-processors only as needed to deliver the services — typically cloud hosting/infrastructure providers and email/communication providers. The current list of sub-processors for a given service is provided to the Customer on request and updated in line with the notice obligations in section 6.

15 Contact

Network365 Co., Ltd. · Bangkok, Thailand

Data protection: privacy@networks365.net · Legal: legal@networks365.net

See also our Privacy Policy and Terms of Use.