Last updated: May 26, 2026
This page summarizes the Data Processing Agreement (DPA) between the customer, acting as Data Controller, and BT San Technology (Thailand) Co., Ltd., acting as Data Processor.
The signable DPA is a separate document. Email [email protected] with subject "DPA Request" and we will send the PDF for your legal team to review.
1. Scope and parties
- This DPA applies to processing of personal data submitted by customers to the BT San Technology platform (AI Training Cloud, Machine Vision, Smart Factory, and related services).
- Customer (Data Controller) determines the purposes and means of processing.
- Company (Data Processor) processes data solely on the customer's instructions and in accordance with our Privacy Policy.
2. Types of data and data subjects
- Categories of personal data customers may upload:
- Images, videos, and datasets that may contain faces, employee name tags, license plates, or other identifying information.
- Platform user data (the customer's own employees) — name, email, role, permissions.
- Device logs and telemetry from Jetson or other devices deployed on customer sites.
- Categories of data subjects: employees, contractors, visitors, and other individuals appearing in customer-uploaded content.
3. Purpose and duration
- Purpose: storage, labeling, model training, evaluation, and deployment per the customer's instructions.
- Duration: for the duration of the service contract and any customer-defined retention period.
- On termination, we delete or return data per the customer's instructions within the agreed timeframe.
4. Processor obligations
- Process data only on the customer's documented instructions, unless required by law.
- Ensure that personnel and contractors with access are bound by confidentiality obligations.
- Apply appropriate technical and organisational security measures, as described on our Security Page.
- Assist the customer in responding to data subject requests (access, correction, deletion, etc.) within a reasonable timeframe.
- Notify the customer without undue delay if a data breach affects the customer's data.
5. Sub-processors
- We may engage sub-processors to deliver the service — the current list is at our subprocessors page.
- Before adding or replacing a material sub-processor, we will notify the customer with reasonable advance notice and provide an opportunity to object on reasonable grounds.
- We require sub-processors to maintain security and confidentiality obligations no less protective than those in this DPA.
6. International transfers
- Some sub-processors have servers outside Thailand — for example, Cloudflare, Google, and Resend.
- Cross-border transfers are subject to appropriate safeguards, such as the provider's Data Processing Addendum or equivalent measures accepted under PDPA.
7. Security
- Encryption in transit (HTTPS/TLS) and at rest for datasets and models.
- Role-based access control, audit logging, and tenant isolation between customer organisations.
- Backups, anomaly monitoring, and periodic review of security measures.
- Details: Security Page.
8. Data breach notification
- If a data breach or incident affecting the customer's personal data occurs, we will notify the customer without undue delay after detection and initial triage.
- Notifications will include the information available at the time, such as the nature of the incident, categories of data potentially affected, and remediation steps taken.
9. Audit rights
- The customer may review our compliance through certifications, security questionnaires, or reports we make available.
- On-site audits may incur fees, must be scheduled with reasonable notice, and must not disrupt service to other customers.
10. Deletion or return of data
- On termination, or on customer request, we will delete or return datasets, labels, models, and personal data within the agreed timeframe.
- Backups may retain data for the system's backup retention window and are deleted on the backup system's schedule.
11. Governing law
- This DPA is governed by the laws of Thailand, in particular the Personal Data Protection Act (PDPA).
- Where the signed DPA differs from this summary, the signed document controls.
This page is a public summary, not a binding contract. For the signable DPA, email [email protected] with subject "DPA Request" and we will send the PDF within 3 business days.
