Informing customers of their rights and responsibilities under the Personal Data Protection Act.

Referring to the Personal Data Protection Act B.E. 2562 (2019), Rakcom Co., Ltd. (“the Company”) places importance on compliance with the law, including providing material information to service users. Therefore, the Company would like to inform you of the following:

This document applies to all of the company’s services, including Web Hosting, WordPress Hosting, VPS Hosting, Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Definitions
  Service provider: Rakcom Company Limited.
  Service recipient: a user of the company’s services; may be an individual or a legal entity.
  Customer: a user of the service recipient (a third party whose personal data the service recipient has collected).
1. From the service provider’s perspective.
  1. The company provides services according to the type chosen by the service recipient. The characteristics of each service are as follows:
     Web Hosting / WordPress Hosting: This service model allows clients to host their websites on the provider’s servers so that they are online 24/7. Website files, databases, email, etc. are stored on the web server, which serves the website pages to visitors via the domain name at all times.
     VPS Hosting: A virtual private server (VPS) service model in which the client manages the system themselves; the server is reachable online via the internet 24 hours a day.
     Platform as a Service (PaaS): This service provides a platform for software and application developers. The provider supplies and maintains the necessary infrastructure, operating systems, and resources such as database servers and web application runtimes so that they are ready for use, allowing users to focus on developing and managing their applications and data.
     Infrastructure as a Service (IaaS): The service provides computing infrastructure as virtual resources such as central processing units (CPUs), memory, storage, and networking, and subscribers install and manage operating systems, software, and applications themselves.
  2. The service provider has the duties and responsibilities of a “data processor” under the Personal Data Protection Act B.E. 2562 (2019). The company has implemented security measures according to the type of service as follows:
     Web / WordPress / VPS Hosting: A web application firewall (WAF) that is regularly patched for vulnerabilities and undergoes vulnerability assessments at least once a week.
     Platform as a Service (PaaS): Maintaining the security of servers, operating systems/platforms, networks, and connections.
     Infrastructure as a Service (IaaS): The security of the physical infrastructure, virtualization systems, and core networks is the responsibility of the service provider. The service recipient is responsible for the security of the operating system and everything above it.

    All of the company’s services run on enterprise-standard equipment and are provided in high-standard data centers located in Thailand and Singapore.

  3. The company cannot access, view, and/or know anything the service recipient has uploaded, imported, and/or stored on the company’s servers, including confidential, business, commercial, or any other customer information of the service recipient, because such information is under the control of the service recipient. The company will not use such information for any other purpose, in particular advertising or marketing, unless it has obtained the consent of the service recipient or is required to do so by law.
2. From the perspective of the service recipient.
  1. The service recipient has the duty and responsibility as a “Data Controller” under the Personal Data Protection Act B.E. 2562 (2019), as the service recipient has the authority to make decisions regarding the personal data collected or processed in the company’s services. Therefore, it is the service recipient’s responsibility to comply with the Personal Data Protection Act B.E. 2562 (2019) and/or any other relevant regulations and laws.
  2. The service recipient is responsible for controlling its customers’ data and maintaining security standards appropriate to the nature of its service. This includes, but is not limited to, data classification, data encryption, access control management, data risk assessment, data custody, and authentication. For VPS Hosting, Platform as a Service (PaaS), and Infrastructure as a Service (IaaS): because the service recipient manages its own systems, the required level of security depends on the design of its service processes and procedures.
  3. The service recipient must submit to the company the types and a list of the data it has entered into the service, classified according to the data types the company defines in clause 3, signed and certified by the service recipient’s data controller.
3. Types of personal data.
Type 1
  • Name, Surname, Nickname
  • National identification number, passport number, social security number, driver’s license number, tax identification number, bank account number, credit card number (including the storage of images or copies of national identification cards or other cards containing personal information).
  • Address, email, phone number
Type 2
  • Device or tool information such as IP Address, MAC Address, Cookie ID.
  • Biometric data includes facial images, fingerprints, X-ray films, iris scans, voice identification data, and genetic information.
  • Information identifying an individual’s assets, such as vehicle registration documents and land title deeds.
  • Information that can be linked to the above data includes, for example, date of birth, place of birth, ethnicity, nationality, weight, height, location information, medical information, educational information, financial information, and employment information.
  • Reference number information stored on microfilm.
  • Performance evaluation data or employer feedback on employee performance.
  • Various types of records used to track and monitor an individual’s activity, such as log files.
  • Information used to search for other personal information on the internet.
Type 3
  • Ethnicity, Tribe
  • Sex
  • Group, Affiliation, Population Group
  • Family and relatives
  • Physical characteristics
  • Knowledge and belief
  • Preferences and settings
  • Property and ownership of property
  • Physical and mental health
  • Financial status
  • Occupation
  • Personal behavior
  • Activities and Associations
  • Sports and recreation
  • Personality
  • Members of groups, clubs, and activities.
Type 4: Sensitive personal data
  • Political opinions
  • Belief in a doctrine, religion, or philosophy.
  • Sexual behavior
  • Criminal record
  • Health and disability information, such as chronic diseases, vaccinations, and medical certificates.
  • Labor union information.
Type 5: Non-personal data
  • Company registration number
  • Non-personally identifiable business contact information, such as phone numbers, work fax numbers, office addresses, work email addresses, and company email addresses like [email protected].
  • Anonymous data and data that has been technically rendered unidentifiable
  • Information about deceased persons
  • Legal entity information
4. Data security system.

Maintaining security and complying with legal requirements is a shared responsibility between the company and its clients, and its scope can be divided as follows:

Security “of” the cloud (service provider): The service provider is responsible for operating, managing, and controlling the host operating system, the network, the client control systems, and the physical security of the data center.

Security “in” the cloud (service recipient): The service recipient is responsible for managing their virtual machines and/or containers, including the operating systems inside them (security updates and patches), software and applications, firewall configuration, connectivity to their own IT systems, and compliance with applicable laws.

The scope of responsibility at each layer varies by type of service, as shown in the following table (Ph = service provider responsible, R = service recipient responsible).

Layer                                      Web / WordPress   VPS    PaaS   IaaS
Data and content in the system/database²   R                 R      R      R
Application                                R                 R      R      R
Runtime / Middleware / Database Engine³    Ph                R      Ph     R
Operating system (OS)                      Ph                R¹     Ph     R
Virtualization                             Ph                Ph     Ph     Ph
Network                                    Ph                Ph     Ph     Ph
Physical infrastructure                    Ph                Ph     Ph     Ph

Notes
¹ VPS Hosting: the service recipient is responsible for managing the operating system, unless a managed service (such as DirectAdmin) is purchased, in which case the provider gives support within the agreed scope.
² The data and content in the database created or imported by the service recipient (e.g., tables, records, data structures, and the actual data) are the responsibility of the service recipient for all types of service.
³ Database Engine refers to the database software/service (e.g., MySQL/MariaDB) that the system needs in order to function. For managed services (Web/WordPress/PaaS), the provider ensures that the service itself is operational, while the data inside it remains the responsibility of the service recipient, as in note ².
In summary, the more control the service recipient has over the system (VPS, IaaS), the greater the share of the security responsibility that falls on the service recipient.

The security measures provided by the company include:

  1. Web Application Firewall (WAF) — For Web/WordPress/VPS Hosting, a standard system for filtering, monitoring, and blocking malicious HTTP/HTTPS traffic sent to the client’s web application, helping to prevent data leakage. It operates as a reverse proxy so that threatening traffic does not reach the web application server directly. Exception for VPS Hosting: if the client chooses to install only the operating system, does not purchase DirectAdmin from the provider, and/or has root access to or customizes the VPS settings, WAF protection may not be comprehensive.

    Note: A web application firewall is only a basic security measure and cannot guarantee 100% protection against attacks, because each client’s application is different, including but not limited to its development team, behavior, system design, and third-party components such as CMS, frameworks, plugins, themes, and libraries, as well as its various usage scenarios.

  2. Vulnerability Assessment — An initial evaluation of the vulnerabilities found in an operating system (OS), software, or network/security device, identifying the type and severity of each so that corrective action can be taken to close them.
  3. Restricting employee access rights, limiting data access according to each employee’s job function, and establishing data confidentiality agreements.
  4. The company’s data security team consists of personnel holding ICDL Personal Data Protection certification from the International Computer Driving Licence, which is based on European Union standards.
    • Data Protection Officer (DPO) — This officer is responsible for managing and protecting all personal data within an organization, both internal and external. Their duties include preparing, controlling, verifying, collecting, and storing data in accordance with the law, as well as coordinating with the Data Protection Committee when problems arise.
    • Data Processor — An officer who processes personal data, acting solely under the instructions or on behalf of the data controller.
5. Reporting a personal data breach.

In the event of a personal data breach, the company, as the data processor, shall notify the service recipient (the data controller) without delay so that the service recipient can report the incident to the Office of the Personal Data Protection Commission within 72 hours, in accordance with Section 37(4) of the Personal Data Protection Act B.E. 2562 (2019).

6. Penalties

Violations or non-compliance with the Personal Data Protection Act B.E. 2562 (2019) are subject to criminal, civil, and administrative penalties as prescribed by law.

Communication and data transmission.

If you have any questions or require further information, please contact us via email at [email protected] between 9:00 AM and 6:00 PM.

You must submit the data types referred to in clauses 2 and 3 to the company via email at [email protected] within 30 days of receiving this document. Otherwise, you will be deemed not to hold personal data within the meaning of the law, and the company will be deemed to have no liability as a data processor under the Personal Data Protection Act B.E. 2562 (2019).

Rakcom Company Limited