Data Processing Addendum

This Data Processing Documentation is intended to comply with the Personal Data Protection Act of Thailand (PDPA), the European Data Protection Regulation (GDPR), and the European Data Protection Act (where applicable).

Taximail places emphasis on data processing documentation to show how it safeguards critical information and provides interested parties with correct details of records. The practice of maintaining accurate documentation provides an accessible, manageable framework for addressing any issues that may occur.

1. Definition and Interpretation

The term “Taximail” refers to Orisma Technology Company Limited.

The term “Service” refers to the services offered by Taximail.

The term “Service User” refers to an individual or entity that is registered to use the services of Taximail.

“Customer Data” means any personal data that Taximail processes on behalf of the User through the Service, as specifically described in this Agreement.

“Terms of Service” (Terms of Use) refers to the standard terms of use of Taximail, or other written or electronic agreements that govern the Service User’s use of the Service, as such terms or agreements may be updated from time to time.

“Personal Data Controller” (Data Controller) means a person who collects personal information and determines the purpose of the use of personal data, which is the Service User.

“Personal Data Processor” (Data Processor) means a person who uses personal data in accordance with the instructions of, and on behalf of, the Personal Data Controller to achieve the purpose of the Personal Data Controller, which is Taximail.

“Sub-processor” means any processor hired by Taximail, or any sub-service provider, to assist in the fulfillment of obligations with respect to the provision of services under this Agreement. Sub-processors may include third parties of Taximail. The term does not include employees, contractors, or consultants of Taximail.

“Personal Information” (Personal Data) means name, surname, age, address, gender, occupation, date of birth, ID card number, nationality, telephone number, e-mail address, etc., or any other personal identification information, whether on its own or in combination with other information.

“Sensitive Information” (Sensitive Data) means:

  • Social security number, tax file number, passport number, driver’s license number, or similar identifiers (or any part thereof)
  • Credit or debit card number (aside from the truncated last four digits of a credit or debit card)
  • Employment, financial, credit, genetic, biometric or health information
  • Racial, ethnic, political or religious affiliation, trade union membership, information about your sex life or sexual orientation, or criminal record
  • Account password
  • Other information within the definition of sensitive information under applicable data protection laws

“Data Protection Laws” means all data protection laws and regulations applicable to either party’s processing of Customer Data under this Agreement. This includes the Personal Data Protection Act of Thailand (PDPA), the European Data Protection Regulation (GDPR), and the Non-European Data Protection Law (where applicable).

“Security Incident” means an unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration or disclosure of, or access to, Customer Data on the systems managed and controlled by Taximail.

2. Roles and Responsibilities

2.1 The role of parties
If data protection laws apply to either party’s processing of Customer Data, both parties acknowledge and agree that, in relation to the processing of Customer Data, Taximail is only the data processor, which provides services to achieve the goals of the data controller. For the avoidance of doubt, this contract does not apply where Taximail is the data controller (as required by the data protection laws).

2.2 Objective Limitation
Taximail is required to process personal data as further described in Exhibit A (Details of Data Processing) of this Agreement, upon request and as needed to comply with data protection laws.

2.3 Forbidden Information
The Service User must not submit or import any sensitive data to Taximail for processing under the agreement, and Taximail is not responsible for any sensitive information, whether related to security incidents or otherwise. For the avoidance of doubt, this contract does not apply to sensitive information.

2.4 User’s Compliance. The User must certify and guarantee that it has complied with all applicable laws, including data protection laws, with respect to the processing of Customer Data and any processing request sent to Taximail, and that it has given Taximail all the consents and rights necessary under data protection laws for the processing of Customer Data to meet the objectives described in the agreement.

The User is solely responsible for the accuracy, quality and legality of Customer Data and for how the User obtains Customer Data. Without prejudice to the general nature of the foregoing, the User agrees to be responsible for complying with all laws (including data protection laws) applicable to any activity (as defined in the Agreement) or other content created, transmitted or managed through the Service, including in connection with obtaining consent (if necessary). Any email, SMS or text message content communicated through the Taximail system must not contravene the law; if it does, the Service User shall be solely responsible.

2.5 The legitimacy of the User’s instructions. The User will ensure that its requests for Taximail to process Customer Data will not cause Taximail to violate any related law, regulation or rule, including but not limited to data protection laws.

Taximail will immediately notify the Service User in writing, except where it is prohibited from doing so under data protection laws, if it knows or believes that a processing instruction from the Service User violates data protection laws. In the event that the Service User acts as a processor on behalf of a third-party controller (or other intermediary), the User warrants that the processing instructions set out in this Agreement, including the authorization for Taximail to appoint sub-processors pursuant to this contract, have the permission of the relevant controller.

The Service User will act as the sole point of contact for Taximail, and Taximail does not need to interact directly with (including notifying or seeking permission from) any third-party controller, other than through the normal provision of the Service within the scope specified under the Agreement. The User is responsible for forwarding any notifications received under this Agreement to the relevant controller as appropriate.

3. Sub-processing

3.1 Authorized sub-processors. The Service User acknowledges that Taximail may engage Sub-processors to process Customer Data on behalf of the User. The Sub-processors engaged by Taximail and authorized by the Service User are as follows:

| Company Name | Location |
| --- | --- |
| Amazon Web Services, Inc. | Singapore |
| Huawei Technologies Co., Ltd. | Thailand |
| PayPal Holdings, Inc. | USA |
| Omise Company Limited | Thailand |
| Advance Network Technology & Services Co., Ltd | Thailand |
| True Corporation | Thailand |
| Vonage Holdings Corp. | USA |

Taximail must notify the Service User of any addition or removal of a Sub-processor at least 14 days before the change.

3.2 Sub-processor’s obligations. Taximail must enter into a written agreement with each Sub-processor imposing obligations to protect Customer Data to at least the same level as those contained in this Agreement, to the extent relevant to the nature of the services provided by such Sub-processor, for any act or omission of the Sub-processor that causes Taximail to breach any obligations under this contract. The User acknowledges that Taximail may be prevented from disclosing the Sub-processor agreement, but Taximail will make reasonable efforts to enable the Service User to receive the Sub-processor’s agreement upon request.

4. Security

4.1 Security measures. Taximail shall operate and maintain appropriate technical and organizational security measures designed to protect Customer Data from security incidents and to maintain the security and confidentiality of Customer Data in accordance with the Taximail security standards described in Exhibit B (“Security Measures”) of this Agreement.

4.2 Processing confidentiality. Taximail must ensure that any person authorized by Taximail to process Customer Data (including employees, agents, and sub-contractors) is subject to reasonable confidentiality obligations (whether a contractual or statutory duty).

4.3 Improving security measures. It is the Service User’s responsibility to review the information provided by Taximail relating to data security and to decide independently whether the Service meets the requirements and legal obligations of the User under data protection laws. Users acknowledge that security measures are subject to technical advances and developments, and that Taximail may update or revise its security measures from time to time, provided that such updates and revisions do not compromise the overall security of the Services provided to the User.

4.4 Response to Security Incidents. When it becomes aware of a security incident, Taximail will notify the User without delay and, if possible, in any event not later than 48 hours after the security incident is known. Taximail must provide timely information about the security incident as it becomes known or is reasonably requested, and must promptly take appropriate steps to control and monitor any security incident. Taximail’s notification of or response to a security incident under this Section 4.4 shall not be construed as an acceptance by Taximail of any fault or liability with respect to the security incident.

4.5 Service User Responsibilities. The User is responsible for using the Service securely, including safeguarding Customer Data files before and after importing them to Taximail.

This also includes removing customer information from Taximail. Customer data files must be properly and securely stored.

5. Reports and Security Audits

5.1 Audit permissions. Taximail will provide Users with reasonable access to the information they need to demonstrate Taximail’s performance of the contract, and will allow and support appropriate audits. This includes audits by the User to assess compliance with this agreement. The Service User acknowledges and agrees to exercise the audit rights under this contract, and any audit rights provided by the Data Protection Act, by directing Taximail to comply with the verification measures described in Articles 5.2 and 5.3 below.

5.2 Safe Report. Users acknowledge that Taximail is regularly audited in accordance with ISO 27001 by independent auditors and internal auditors respectively. Upon request in writing, Taximail will provide (on a confidential basis) a copy of the evidence or documents related to the audit to the Service User, as appropriate, to enable Users to verify Taximail’s compliance with the audit standards against which it has been assessed.

5.3 Security Status Check. In addition to copies of the evidence or documents, Taximail will respond to all reasonable requests for information made by the Service User to inquire about or confirm Taximail’s performance of this contract, including responding to information security status analyses and questionnaires via support@taximail.com, provided that the User must not exercise this right more than once per calendar year.

6. International Transfer

Data Center Location. The User acknowledges that Taximail may transfer and process Customer Data in Thailand and/or any other country in the world. Taximail and Taximail’s sub-processors must always ensure that such transfers comply with the requirements of data protection laws and this contract.

7. Returning or Deleting Information

When the Agreement expires, Taximail will delete all customer information within 24 hours.

In the event that the Service User needs the customer information for use elsewhere, the User must make a request before the agreement is terminated or expires. Taximail provides a tool that allows Users to extract information on their own; the information that the Service User extracts will be considered to be in the custody of, and the sole responsibility of, the Service User. Only in this case, Taximail will give the User 7 days after the termination or expiration of the agreement to extract the information, and when the User informs Taximail that the process is complete, or when the specified time has passed, Taximail will delete all customer data within 24 hours.

This provision does not apply to the extent that applicable law requires Taximail to retain some or all of the customer data, or to customer data stored in a backup system, which Taximail must separate and store in a safe place to prevent further processing and finally delete according to Taximail's deletion policy, except to the extent necessary according to applicable law.

8. Data Subject Rights and Cooperation

8.1 Data Subject Requests. As part of the Taximail service, a number of self-service features are provided to Users, which Users can use to retrieve, edit, delete, import, export or restrict the use of Customer Data. The Service User may use these features to fulfill its own obligations as a data controller, or the obligations of a third-party data controller, at the responsibility and discretion of the Service User and subject to data protection laws. They may also be used in connection with responding to requests from data subjects through the User's account at no additional cost. Taximail is also required to provide reasonable additional assistance to the Service User, to the extent possible, to enable the Service User (or a third-party controller) to fulfill its data protection obligations with respect to the rights of data subjects under data protection laws.

In the event that a data subject makes a request directly to Taximail, Taximail will not respond to such communication without prior permission from the Service User, except as appropriate (for example, to direct the data subject to contact the User directly) or as required by law. If Taximail is required to respond to such a request, Taximail must notify the Service User immediately and provide a copy of the request, in the event that the Service User is identified or identifiable from the request, unless Taximail is prohibited from doing so.

For the avoidance of doubt, nothing in the agreement (including this Agreement) limits or prevents Taximail from responding to data subject or data protection authority requests in relation to personal data controlled by Taximail.

8.2 Data Protection Impact Assessment. To the extent necessary under applicable data protection laws, Taximail is required (considering the nature of the processing and the information provided by Taximail) to provide all reasonably requested information about the Service to enable Service Users to conduct data protection impact assessments or prior consultations on data protection as required by data protection laws. Taximail is required to comply with the above as described in the section “Reports and Security Audits”.

9. Limitation of Liability

9.1 The liability of each party incurred in relation to this contract is subject to the exceptions and limitations of liability set forth in the agreement.

9.2 Any claim made against Taximail under or in connection with this Agreement shall be brought solely by the User entity that is a party to this Agreement.

10. Relationship with the Agreement

10.1 This contract will remain in effect for as long as Taximail processes customer data on behalf of the User or until the termination of the agreement (and all customer data is returned or deleted according to section 7 above).

10.2 The parties agree that this contract will supersede the existing data processing agreement or similar documents that the parties may have previously made in connection with the use of the Taximail service.

10.3 In case of any conflict or inconsistency between this contract and the general terms of use, this contract shall prevail over the general terms of use.

10.4 Except for any changes made by this contract, the agreement remains unchanged and is in full force and effect.

10.5 No one other than the parties to this Agreement, their successors and authorized delegates shall have the right to enforce any provision under this contract.

10.6 This Agreement shall be governed by and construed in accordance with the applicable law and jurisdiction provisions in the agreement, unless otherwise specified by applicable data protection laws.

Contact Information

If you have any questions about this Data Processing Addendum or would like to exercise your rights, you can contact us by using the following details:

Data Protection Officer

DPO Team
Orisma Technology Co., Ltd.
1050 Phatthanakan Road, Suan Luang, Suan Luang, Bangkok, 10250
dpo@orisma.com

Attachment A – Details of Data Processing

1. Type of data subject

The types of data subjects whose personal data is processed include:

  • Service users (e.g., individual users who have access to the services of Taximail)
  • People on the Service Users’ lists (e.g., customers of the Service Users and other people whose information Users provide to us or who interact with Users through the Taximail service)

2. Categories of personal data

Users may import, export or provide certain personal information to the Taximail service; this information is generally determined and controlled by the User at his or her discretion and may include the following types of personal data:

  • Service User information: identity and contact information (name, address, location, contact details, username); financial information (credit card details, account details, payment information).
  • User's list information: personally identifiable information and contact information (name, date of birth, gender, general information, occupation or demographic information, address, location, contact details, including email address); personal interests or preferences (including purchase history, marketing settings and publicly available social media profile data); IT data (IP address, usage data, cookie data, online navigation data, location information, browser information).

3. Processing of sensitive data (if any)

Taximail does not want and does not intend to collect or process any sensitive information related to the terms of service.

4. Processing frequency

Continuously and as specified by the service user.

5. Subject and nature of processing

Taximail provides a marketing tool and marketing automation, including other related services, as described in particular in the agreement. The subject matter of the data processing under this contract is Customer Data. Customer Data will be processed in accordance with the agreement (including this Agreement) and may be subject to the following processing activities:

  • Storage and other processing necessary to provide, maintain and improve the services provided to Users under the Agreement.
  • Disclosures pursuant to and/or enforced by applicable law.

6. The purpose of processing

Taximail will only process Customer Data for authorized purposes including:

  • Processing to the extent necessary to provide the Services in accordance with the Agreement.
  • Processing initiated by the user in the use of the Service.
  • Processing to satisfy other appropriate requests provided by the User (for example, via e-mail or subscriber support system) in accordance with the terms of the Agreement.

7. Processing time and the length of time to collect personal information

Taximail will process Customer Data as described in the section “Returning or Deleting Information” of this Agreement.

Attachment B – Security Measures

The security measures that apply to Taximail services are as follows:

As a company that values information security and privacy, we recognize that Taximail’s information security practices are important to Service Users. Although we do not want to reveal too many details about our practices (because some people may misuse such information), we try to provide the general information detailed below so that Users can be confident in the way Taximail secures the customer information entrusted to it.

Data Center Security

  • Our data center maintains 24/7 physical security with biometric scanners and the high security standards that a data center must have.
  • Computer traffic is monitored and prevented at all data centers used by Taximail.
  • We have a backup plan for data center continuity and test the plan annually.

Prevention Of Data Loss and Fraud

  • All databases are stored separately for each subscriber. The database is also encrypted.
  • Customer data will be backed up on a regular basis.

Application Level Security

  • The Taximail user’s account password is processed and stored in hashed form, which cannot be viewed or converted back to the password. If the User loses the password, it cannot be recovered; the User can only reset the password.
  • All Taximail websites, applications and APIs receive and transmit data using the TLS encryption standard.
  • The login page and logins via the Taximail API are protected against consecutive password attempts.
  • We regularly perform security penetration testing, including in-depth testing for vulnerabilities within the application.

Internal IT Security

  • The company is secured with key card access and is monitored by infrared cameras all the time.
  • The company provides two-factor authentication to access the server.
  • When employees resign, the company can revoke the right to access information and the whole system within 5 minutes.
  • The company scans the source code to check the security of the system at least once a year.
  • The company's network has a process to detect any abnormalities that occur.

Internal Process and Training

  • The company trains employees on information security awareness so that they understand and are aware of the potential dangers to personal data in the provision of services, as stipulated in the Company's policy.
  • All employees are subject to a criminal background and history check.
  • All company employees are required to sign confidentiality agreements to ensure protection of all information relating to the provision of services.

PCI DSS certification according to SOC standards
The Sub-processor that handles credit card payments for Taximail services uses security measures to protect your information both during and after the transaction, and has PCI DSS certification according to SOC standards.

ISO 27001 Certification
Taximail has passed ISO 27001 certification, the standard for information security that ensures that offices, development centers, support centers and data centers are managed safely. Accreditation/renewal audits are conducted every three years and there is an ongoing surveillance audit annually.

Protecting Yourself from Invasion

  • The system will review and suspend your account automatically when encountering unusual or suspicious login activity.
  • The system will verify accounts and activities in the Taximail system to look for signs of violation of the Terms of Service, whether fraudulent use in connection with illegal matters or any action leading to unlawful acts.
  • The system has the ability to determine the level of access to information or use of the Services under different user accounts.

Updated on January 11, 2024
