Data Processing Agreement

Effective: 2026-06-01 · Last updated: 2026-05-27

Counsel review pending.

This document is the operator-published version. The text below reflects current business practice and was drafted from industry-standard B2B SaaS clauses adapted to object storage specifics. Final legal review by qualified counsel in Thailand and Singapore is in progress; the controlling version will be re-published here when complete.

This Data Processing Agreement (the "DPA") supplements and forms part of the Terms of Service between you (the "Customer" or "Controller") and the BangmodStorage Supplier identified on your invoice (the "Processor"). It applies whenever you upload Customer Data that contains personal data of identified or identifiable natural persons ("Personal Data").

Where you act as a processor on behalf of an end-customer (i.e., we are a sub-processor), this DPA also applies; you are responsible for ensuring your end-customers have authorized the engagement under terms no less protective than this DPA.

1. Definitions

Capitalized terms not defined here have the meanings in the Terms of Service. "Personal Data," "Controller," "Processor," "Process," "Data Subject," and "Personal Data Breach" have the meanings given in the General Data Protection Regulation (Regulation 2016/679, "GDPR"), as adapted by the Thai PDPA and Singapore PDPA. Where these laws diverge, the more protective definition applies.

2. Roles

You are the Controller of Personal Data uploaded to the Service as Customer Data. We are the Processor and act on your documented instructions. We are the Controller for limited purposes set out in our Privacy Policy (account data, billing data, operational metadata, support communications).

3. Subject matter, duration, nature, and purpose

  • Subject matter: Provision of S3-compatible object-storage services.
  • Duration: For the term of the Terms of Service, plus the post-termination retrieval window in §12 of the Terms.
  • Nature: Storage, replication, retrieval, deletion, and access-controlled distribution of objects.
  • Purpose: To provide the Service that you have contracted for.
  • Types of Personal Data: Determined by you. We do not require or restrict particular categories, but you must comply with §4.
  • Categories of Data Subjects: Determined by you (your employees, customers, end-users, etc.).

4. Customer obligations

  • You have, and will maintain, a lawful basis for processing the Personal Data you upload, including any cross-border transfer.
  • You are responsible for providing notices to Data Subjects required by applicable law.
  • You will not upload special-category Personal Data (medical, biometric, etc.) without first ensuring you have a lawful basis and notifying us so we can ensure appropriate safeguards.
  • You will configure bucket access permissions, encryption settings, and lifecycle policies appropriately for the sensitivity of your data.

5. Our obligations as Processor

  • We will Process Personal Data only on your documented instructions, including with respect to international transfers, except as required by applicable law (in which case we will notify you unless prohibited).
  • We will ensure persons authorized to Process Personal Data are bound by confidentiality obligations.
  • We will implement appropriate technical and organizational measures as described in §9 below.
  • We will assist you in responding to Data Subject requests insofar as is possible given the nature of the Processing.
  • We will assist you in ensuring compliance with your obligations under applicable law, including data-breach notification, Data Protection Impact Assessments, and consultations with supervisory authorities, taking into account the nature of Processing and information available to us.

6. Sub-processors

You generally authorize us to engage sub-processors for infrastructure, payment, email delivery, and monitoring as listed in our Privacy Policy and on our current sub-processor page (available on request). We will notify you of new sub-processors at least 14 days before engaging them, giving you the opportunity to object on reasonable grounds.

We will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain liable for sub-processors' acts and omissions in respect of Personal Data.

7. International transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or other jurisdictions requiring transfer safeguards to a country not deemed adequate, we rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or equivalent mechanisms, as applicable. The relevant module of the SCCs is hereby incorporated by reference; we act as the data importer in Module Two (controller-to-processor) and Module Three (processor-to-processor) configurations.

8. Data Subject rights

Where a Data Subject makes a request directly to us in respect of Personal Data that we Process for you, we will refer them to you and notify you of the request. Where you ask us to assist with responding to a Data Subject request, we will do so to the extent reasonable, including by enabling you to retrieve, delete, or export the relevant data via the Service.

9. Security

We implement and maintain technical and organizational measures appropriate to the risk, including:

  • Encryption of secrets at rest using AES-GCM authenticated encryption with key wrapping.
  • TLS 1.2+ for data in transit on all API endpoints.
  • Erasure-coded storage (4+2 by default) for durability.
  • Role-based access control applying the principle of least privilege to our staff.
  • Append-only audit logging of all admin actions, retained for 7 years.
  • Regular access reviews and revocation on personnel changes.
  • Network segmentation and host hardening against unauthorized access.
  • Vulnerability management process with timely patching.
  • Backup and disaster-recovery plans.

10. Personal Data Breach notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data. Our notification will include, to the extent then known: the nature of the breach, the categories and approximate numbers of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to mitigate its effects. We will cooperate with you in responding to the breach.

11. Audit

On reasonable prior written notice (and no more than once per year, except after a Personal Data Breach affecting Customer Data), you may audit our compliance with this DPA. Audit may consist of (a) reviewing our then-current security documentation, (b) submitting a written security questionnaire we will respond to within 30 days, or (c) for Enterprise customers, an on-site audit during business hours under appropriate confidentiality and security restrictions.

12. Deletion and return

Upon termination of the Terms, you may delete Personal Data via the Service. After the 30-day retrieval window in §12 of the Terms, we will delete remaining Personal Data, except where retention is required by law (e.g., financial records retained for tax-authority compliance per our Privacy Policy §6). On written request, we will certify deletion.

13. Liability

The liability provisions in §10 of the Terms apply to this DPA. Where applicable law requires uncapped liability for breach of data-protection obligations (e.g., GDPR fines passed through), that overrides the contractual cap to the extent required by law.

14. Order of precedence

In the event of conflict between this DPA and the Terms, this DPA prevails with respect to processing of Personal Data. In the event of conflict between this DPA and the SCCs, the SCCs prevail with respect to data falling within their scope.

15. Contact

Privacy and data-protection inquiries: privacy@bangmod.storage.