This Personal Data Processing Agreement (“Agreement”) forms part of the Service Agreement and Terms of Use (“Service Terms”) of True IDC Cloud and is binding upon customers who use the True IDC Cloud services. The purpose of this Agreement is to define the roles, responsibilities, and measures related to the processing of Personal Data, with the following key provisions:

1. Parties and Legal Status

True Internet Data Center Co., Ltd. (“Company” or “True IDC”), as a Cloud Service Provider (CSP) of True IDC Cloud, recognizes the importance of the privacy rights of Data Subjects and is committed to processing Personal Data transparently, fairly, and within the scope of applicable laws.

To comply with the Personal Data Protection Act B.E. 2562 (2019), as well as other applicable legal requirements and international standards, the Company has issued this Agreement to define the guidelines and measures for the collection, use, or disclosure of Personal Data by the Company in its role as a Data Processor, within the scope of services assigned by the customer, who acts as the Data Controller, in accordance with the meaning set forth under the Personal Data Protection Act B.E. 2562 (2019).

2. Definitions

• Personal Data means any information relating to a natural person who can be identified, directly or indirectly, but excludes data relating to deceased persons.
• Data Controller means a person or juristic person who has the authority and duty to make decisions regarding the collection, use or disclosure of Personal Data, determines the purposes and methods of data processing, and has the authority to control Personal Data processing in its entirety.
• Data Processor means a person or juristic person who performs the collection, use, or disclosure of Personal Data in accordance with instructions received from the Data Controller or on behalf of the Data Controller. A Cloud Service Provider (CSP) is generally classified as a Data Processor because a CSP provides infrastructure or platforms for processing Personal Data according to the instructions of the customer, who is the Data Controller.

3. Scope of processing of Personal Data

True IDC, in its role as the Data Processor, will process Personal Data assigned by the Data Controller for the purposes necessary to provide the True IDC Cloud system. The data processing will be subject to the scope of the provision of services, which may cover at least the following activities:

1. Supervision and control of the process from installation, use, through termination of True IDC Cloud services under the written instructions of the Data Controller;
2. Management to ensure the availability of data within the True IDC Cloud system;
3. Implementation of backup and recovery measures to support service continuity;
4. Data transmission within True IDC Cloud's network to comply with the applicable service agreement between the Company and the Data Controller;
5. Implementation of information system security measures to prevent unauthorized access to the True IDC Cloud system; and
6. Any other operations related to the provision of the True IDC Cloud system as expressly instructed in writing and in compliance with applicable law by the Data Controller.

4. Location of Personal Data

The Company will only store customer data within the Kingdom of Thailand and will not transfer data abroad unless explicitly instructed or requested in writing by the customer. In such case, the Company will ensure that the transfer is carried out lawfully and that appropriate data protection safeguards are in place as required by applicable law.

5. Disclosure of Personal Data Processed

The Company shall not disclose or permit any third party to access Personal Data processed under this Agreement, except in the following circumstances:

1. When receiving written instructions or written consent from the Data Controller.
2. When disclosure is necessary for compliance with applicable laws.
3. When disclosure is made to an external party that is a contractual counterparty or has a legal or contractual relationship with the Data Processor, for the purpose of providing services under the Agreement and Service Terms, provided that such party is bound by confidentiality obligations regarding the disclosed data.
4. When disclosure is necessary to fulfill the objectives of performing the operations under the Agreement.

The Company, in its role as the Data Processor, will operate under the obligation of confidentiality and use appropriate data security measures in accordance with international standards and relevant laws.

6. International Transfer of Personal Data

In the event that the Company, in its role as the Personal Data Processor, is required to transfer Personal Data to any person, entity, or international organization located in a country that has not been certified by the Personal Data Protection Committee as having adequate Personal Data protection standards, the Company will carry out such transfer only upon receiving a written instruction from the Data Controller. The Company will ensure the transfer is lawful and will implement appropriate Personal Data protection measures at a level close to or equivalent to the standards prescribed under Thai law. This includes regular internal and external audits to safeguard the transferred Personal Data.

In the case that the transfer is carried out per the Data Controller’s instruction, the Company reserves the right not to be held liable for any consequences arising from such transfer.

7. Retention and retention period of Personal Data

The Company has measures to maintain the security and retention period of Personal Data as follows:

1. The Company has implemented effective security measures to prevent unauthorized loss, access, use, alteration, correction, or disclosure of Personal Data, whether unauthorized or unlawful.
2. The Company has established procedures for handling suspected data breaches or data leaks. In the event of a complaint regarding the privacy violation of the Data Subject, the Company will immediately investigate and take appropriate steps to resolve the complaint.
3. Upon the expiration of the storage period as determined by the Company, the Company will delete or return all Personal Data to the Data Controller in accordance with written instructions, unless retention is required by applicable law.
4. The Company will retain Personal Data for the period necessary to fulfill the purposes of the services provided and in accordance with the period prescribed by law. If no specific legal retention period applies, the Company will delete or destroy the data within an appropriate time after the termination of the services.

8. True IDC's Responsibilities as a Personal Data Processor

The Company has the following duties and responsibilities for the processing of Personal Data:

1. Process Personal Data only in accordance with express and written instructions from the Data Controller, unless required by law to act without instructions.
2. Establish appropriate security measures to protect Personal Data from unauthorized access, disclosure, alteration, or destruction.
3. Maintain the confidentiality of Personal Data and not disclose such information to third parties, except as authorized by the Data Controller or as required by law.
4. Assist the Data Controller in responding to data subject rights, such as access, correction, or deletion, as required by applicable data protection law.
5. Notify the Data Controller within 72 hours of becoming aware of any Personal Data breach or security incident that may affect Personal Data.
6. Not use or process Personal Data for any purpose other than that instructed by the Data Controller.
7. Delete or destroy Personal Data per the Data Controller’s instructions when services end or when the data is no longer necessary.
8. Allow the Data Controller or designated auditor to inspect and evaluate compliance with the DPA within the agreed timeframe, without causing harm or disruption to the service.
9. When engaging Sub‑Processors, select them appropriately and contractually oblige them to comply with data protection requirements at least equivalent to those imposed on the Company, ensuring consistency with applicable data protection laws.
10. Appoint a Data Protection Officer, and maintain contact channels for enquiries—including [email protected] , Call Center 0‑2494‑8300, and [email protected] —to facilitate coordination regarding Personal Data processing.
11. Maintain Records of Processing Activities (RoPAs) as required by law and make them available to the Data Controller upon reasonable request.

9. Security and management of Personal Data

The Company implements security measures and Personal Data management as follows:

Type of Control	Descriptions
Access Control	True IDC will control and determine the right to access information based on necessity and suitability for its operational duties. True IDC will not access user data within the True IDC Cloud system directly or permanently, unless explicitly instructed or consented to in writing by the Data Controller or Data Subject, as required by law.
Data encryption	True IDC will implement appropriate data encryption measures in compliance with industry standards to prevent unauthorized access to data within the True IDC Cloud system.
Backup and Recovery	True IDC will perform appropriate backups within the True IDC Cloud system to support service continuity and data security. Backups will be performed at appropriate intervals and stored in secure environments with controls equivalent to the original data.
Security Testing	True IDC conducts regular security system testing, including vulnerability assessments. The Company will manage and correct identified vulnerabilities appropriately and promptly to ensure risks of unauthorized access to data within the system are minimized.
Logging and Monitoring	True IDC will maintain logs related to data access and processing, and conduct regular audits of such records to detect and assess any abnormal or unauthorized access, alteration, or use of data. If such events are detected, the Company will act without delay to resolve and restore system security. The Company reserves the right to determine appropriate audit formats and intervals to avoid impacting service continuity.
Data Segregation	The Company will ensure that each Data Controller’s Personal Data is logically separated and processed distinctly from other customers’ data, to prevent unauthorized cross-access.
International Standards Certification	To ensure the True IDC Cloud system meets global security standards and aligns with Personal Data protection and IT management principles, the Company has implemented measures and received the following certifications: ISO/IEC 20000-1 ISO/IEC 27001 ISO/IEC 27701 ISO/IEC 27018 ISO/IEC 27799 CSA STAR

10. Rights of Data Subjects

The Company, as the Data Processor, will only act on matters related to the rights of the Data Subject upon receiving clear instructions from the Data Controller. The Company will cooperate in implementing the Data Subject’s legal rights in accordance with written instructions or notifications from the Data Controller.

If the Data Subject wishes to exercise their legal rights, they should contact their Data Controller directly. The Company will not directly respond to such requests but will forward any received request to the Data Controller for appropriate consideration and action.

11. No Liability as a Data Controller

The Company reserves the right not to be held liable in the event that the Data Controller fails to comply with data protection laws or with requests from Data Subjects. The Company acts solely as a Data Processor under the instructions of the Data Controller and cannot be held responsible for any decisions or actions taken by the Data Controller.

12. Amendments to This Agreement

The Company reserves the right to update, amend, or modify this Agreement from time to time, and will notify the Data Controller in advance within a reasonable period.

13. General Provisions

1. This Agreement shall be governed by and construed in accordance with Thai law, without regard to conflict of law principles.
2. This Agreement contains the entire agreement between the parties relating to the subject matter hereof, and supersedes all prior discussions, understandings, and agreements relating to such subject matter. The Company reserves the right to interpret the provisions of this Agreement at its reasonable discretion.
3. This Agreement shall remain in effect throughout the period in which the customer uses the True IDC Cloud services.

This Agreement is effective as of 26 September 2025 (Version 2).