Child Protect Platform logo mark Child Protect Platform
Englishไทย
Home / Legal & Trust
Legal & Trust

Data Processing Agreement

This DPA template describes data processing commitments for customer-controlled platform data.

Last updated: June 12, 2026

Designed to support PDPA-aware safeguarding operations in Thailand.

Child Protect Platform helps schools and child-focused organizations improve data control, evidence preservation, user access, and auditability in ways that support responsible Thailand-focused safeguarding operations.

View Thailand AlignmentVisit Trust Center

Parties and roles

The customer, school, tenant, or education organization is normally the data controller for safeguarding records. Child Protect Platform normally acts as data processor for platform data processed on behalf of that customer, except where it determines processing for its own website, security, billing, or business purposes.

Processing instructions

The processor will process customer personal data only under documented customer instructions, the agreement, this DPA, applicable law, and necessary security/operational requirements. The processor may reject instructions that appear unlawful, unsafe, or contrary to data protection obligations.

Categories of data

CategoryExamples
Platform user dataNames, emails, roles, tenant/school assignments, login and account status data.
Safeguarding dataReports, case notes, status history, assignments, comments, decisions, escalation records.
EvidenceUploaded documents, images, screenshots, CCTV-related materials, metadata, scanning results.
Audit and security dataAccess logs, admin actions, evidence events, IP addresses, health and security logs.

Security measures

The processor will maintain appropriate technical and organizational measures, which may include encryption, access control, tenant/school scoping, audit logging, malware scanning, backup controls, firewall and reverse proxy hardening, SSH hardening, health checks, monitoring, and controlled deployment practices.

Subprocessors

Subprocessors may include hosting, email delivery, security monitoring, backup, malware scanning, analytics, and support tooling providers. Child Protect aims to keep customer data handling transparent, controlled, and aligned with customer agreements.

Security incidents

The processor will notify the customer without undue delay after becoming aware of a confirmed personal data breach affecting customer data, provide information reasonably available, and support the customer's assessment of notification duties under Thailand PDPA and other applicable rules.

Assistance and rights requests

The processor will reasonably assist the customer with data subject requests, audits, DPIAs or risk assessments, security reviews, deletion/return of data, and regulatory enquiries, taking account of the nature of the processing and available information.

Return or deletion

At termination, customer data will be returned, deleted, archived, or retained according to the agreement, safeguarding retention obligations, backup cycles, legal holds, evidence preservation requirements, and applicable law.

Legal and regulatory sources considered:

This page outlines the main data-processing responsibilities and security controls used to support schools and education groups when Child Protect handles safeguarding-related information on their behalf.

Thailand PDPA official text · Child Protection Act text hosted by MOE · MOE SAFE SCHOOL announcement · MOE Safety Center information