1. About True Internet Data Center Co., Ltd.

True Internet Data Center Co., Ltd. ("Company" or the “True IDC") as a cloud service provider. (Cloud Service Provider: CSP). The company recognizes the importance of the privacy rights of data subjects and is committed to processing personal data in a transparent, fair and within the scope of relevant laws.

To comply with the Personal Data Protection Act B.E. 2562 (2019) and the requirements of relevant laws or international standards, the Company has issued this Notice to clarify the guidelines and measures for the collection. Use or disclose personal data by the Company as a data processor within the scope of services assigned by the Company from the Data Controller.

The Company will take appropriate measures to maintain the confidentiality, accuracy and security of personal data throughout the period during which such data is processed.

2. Definitions

• Personal Data means any information relating to a natural person who can be identified, directly or indirectly, but excludes information of deceased persons.
• Data Controller means a person or juristic person who has the authority and duty to make decisions regarding the collection, use or disclosure of Personal Data, who determines the purposes and methods of data processing, and has the authority to control all personal data processing.
• Data Processor means a person or juristic person who performs the collection, use, or disclosure of Personal Data in accordance with instructions received from the Data Controller or on behalf of the Data Controller, where such person or juristic person is not the Data Controller in the context of the Cloud Service. A Cloud Service Provider (CSP) is generally classified as a personal data processor because a Cloud Service Provider (CSP) provides an infrastructure or platform for data processing at the behest of the customer, who is the controller of personal data.

3. Scope of processing of personal data

True IDC, as the data processor, will process personal data assigned by the data controller for the purposes necessary to provide the True IDC Cloud system. The data processing will be subject to the scope of the provision of services and, as specified in the contract, which may cover at least the following activities:

1. Supervision and control of the process from installation, use to termination of True IDC Cloud services under the direction of the Data Controller.
2. Management to ensure data availability within the True IDC Cloud system
3. Implementation of backup and recovery measures to support the management of service continuity.
4. Data transmission within True IDC Cloud's network to comply with the existing service agreement between the Company and the Data Controller.
5. Implementation of information system security measures to prevent unauthorized access to the True IDC Cloud system.
6. Any other operations related to the provision of the True IDC Cloud system are carried out in accordance with the express instructions of the Data Controller.

4. Location of personal information

The Company will only store customer data within the Kingdom of Thailand and will not transfer or transfer data abroad unless expressly requested or requested by the customer.

5. Disclosure of Personal Data Processed

The Company shall not disclose or permit any third party to access personal data processed under this Agreement, except in the following circumstances:

1. When receiving written instructions or written consent from the Data Controller.
2. When disclosure is necessary for compliance with applicable laws
.
3. When disclosure is made to the company or an external party that is a contractual counterparty or has a legal or contractual relationship with the Data Processor, provided that such party is bound by confidentiality obligations regarding the disclosed data.
4. When disclosure is necessary to fulfill the objectives of fulfilling obligations under this Agreement.

However, The Personal Data Processor will operate under the obligation of confidentiality and take appropriate data security measures in accordance with international standards and relevant laws.

6. International Transfer of Personal Information

In the event that True IDC as the processor of personal data is required to transfer personal data to individuals. True IDC will ensure that the transfer of such data is lawful and will provide appropriate personal data protection measures at a level close to or equivalent to the standards required by Thai law. This includes conducting regular internal and external audits. To protect such personal information.

7. Retention and retention period of personal data

The Company has measures to maintain the security and retention period of your personal data. as follows

1. Effective security measures are in place to prevent unauthorized loss, access, use, alteration, correction or disclosure of personal information or illegally.
2. In the event of a complaint regarding the privacy violation of the Data Subject, the Company will immediately investigate and take appropriate steps to resolve the complaint.
3. Upon the expiration of the storage period, True IDC Cloud shall delete or return all personal information to the data controller in accordance with the instructions, unless retention is required by law.

8. True IDC's Responsibilities as a Personal Data Processor

True IDC has the following duties and responsibilities for the processing of personal data:

1. Only process personal data in accordance with the express and written instructions from the data controller.
2. Establish appropriate security measures to protect personal data from access. disclosure Unauthorized modification or destruction.
3. Maintain the confidentiality of personal data and not disclose such information to third parties unless authorized by the order of the data controller or as required by law.
4. Assist the Data Controller in responding to the rights of the Data Subject, such as accessing, correcting, or deleting data as required by Personal Data Protection Law.
5. Notify the Data Controller within 72 hours of becoming aware of the Data Breach or any irregularities affecting the Personal Data.
6. Do not use or process personal data for any other purpose unless instructed by the data controller.
7. Delete or destroy personal data according to the instructions of the data controller at the end of the service or when the personal data is no longer needed.
8. Allow the Data Controller or Designated Auditor to inspect and evaluate compliance with the Personal Data Processing Agreement within the agreed period. and do not cause damage or interfere with the service.
9. In the case of outsourcing The Company will appropriately select such service providers and enter into contracts with terms of personal data protection that are equivalent to or higher than those of the Company. To ensure that the processing of personal data of individuals is strictly protected in accordance with applicable laws and agreements.

9. Security and management of personal data

The Company implements security measures and personal information management as follows Type of measure detail

Type of Control	Descriptions
Access Control	True IDC will control and determine the right to access information based solely on the criteria of necessity and suitability for its duties. True IDC will not have direct or permanent access to the user's data within the True IDC Cloud unless it has received written instruction or consent from the data controller or data subject as required by law.
Data encryption	True IDC will implement appropriate data encryption measures and comply with industry standards. To prevent unauthorized access to data within the True IDC Cloud system.
Backup and Restore	True IDC will perform appropriate backups within the True IDC Cloud system to support service continuity and data security. True IDC will perform backups at reasonable intervals and store such backups in an environment with security controls equivalent to the original data.
Safety Testing	True IDC conducts regular security system testing, including vulnerability assessments. Vulnerability Assessment to identify and assess system security risks. The Company will manage and correct the detected vulnerabilities appropriately and in a timely manner. To ensure that the risk of unauthorized access to data within the True IDC Cloud system is reduced.
Monitoring and logging logs	True IDC will provide documentation of activities related to data access and processing. The Company also conducts appropriate and regular auditing and evaluation of such records for the purpose of detecting and identifying events that may be abnormal or unauthorized access, modification, or use of data within the True IDC Cloud system. If such an abnormal event is detected, the Company will respond and correct the incident without delay in order to limit the damage and restore the security of the system to normal as soon as possible.
International Standards Certification	To ensure that the True IDC Cloud system is secure and in line with the principles of personal data protection and Information Technology Management. The Company has implemented measures and passed international standard certification in related fields. As follows ISO/IEC 20000-1 ISO/IEC 27001 ISO/IEC 27701 ISO/IEC 27018 ISO/IEC 27799 CSA STAR

10. Rights of Data Subjects

The Company, as the Data Processor, will only process the rights of the Data Subject in accordance with the instructions of the Data Controller. The Company will cooperate and comply with requests from the Data Subject upon receipt of instructions or notices from the Data Controller. This is in accordance with the rights stipulated by the Personal Data Protection Law.

If the Data Subject wishes to exercise his legal rights. Please contact your Data Controller directly or if the Company receives a direct request, the Company will notify the Data Controller to consider taking appropriate steps.

This Addendum was issued on 25 July 2025 (Version 1.0)