1. Context and structure
This Data Processing Addendum (the “DPA”) is entered into between Meridian Compass LLC, a Wyoming limited liability company doing business as Sawasdee Health (“Sawasdee Health”), and the clinic that accepts the Terms of Service (“Customer”). It applies whenever Sawasdee Health processes personal data on Customer’s behalf in connection with the Service.
This DPA is designed to satisfy the requirements of, and is to be read consistently with: (a) Thailand’s Personal Data Protection Act, B.E. 2562 (2019) (“PDPA”); (b) the EU and UK General Data Protection Regulation (“GDPR”); and (c) other applicable data-protection laws.
By accepting the Terms of Service or by signing an order form that references them, Customer agrees to this DPA. The DPA takes effect on the same date as the Terms of Service.
2. Definitions
Capitalized terms used but not defined here have the meanings given in the Terms of Service. The terms “controller,” “processor,” “data subject,” “personal data,” “processing,” “sub-processor,” and “personal data breach” have the meanings given in the GDPR or, where applicable to Customer, the equivalent meanings under the PDPA. “Customer Personal Data” means personal data processed by Sawasdee Health on Customer’s behalf in the course of providing the Service.
3. Roles of the parties
For Customer Personal Data, Customer is the controller and Sawasdee Health is the processor. Where Customer acts as a processor for a third party (for example, on behalf of a clinic group), Sawasdee Health acts as a sub-processor and the obligations of this DPA apply accordingly. Sawasdee Health acts as a controller in respect of (i) account, billing, and contact data of Customer’s personnel and (ii) data described in our Privacy Policy.
4. Subject matter, duration, and nature of processing
- Subject matter: the provision of the Service, including the AI conversation agent, lead qualification, scheduling, dashboard, and related features.
- Duration: for the term of the Subscription, plus any period in which Sawasdee Health retains Customer Personal Data after termination as required by law or under Section 15.
- Nature and purpose: hosting, transmitting, displaying, analyzing, and otherwise processing Customer Personal Data to provide and support the Service in accordance with the Terms.
5. Categories of data subjects and personal data
Data subjects include Customer’s personnel and the End Users who interact with the agent. Categories of Customer Personal Data typically include:
- identifiers and contact data (name, email, phone, identifiers of channel accounts);
- conversation transcripts and metadata;
- treatment-interest signals and qualification tags assigned by the agent;
- scheduling and booking data, including calendar event identifiers;
- device and connection metadata such as IP address and user agent.
Customer Personal Data may include sensitive or special-category personal data (such as data concerning health) where End Users provide it. Customer is responsible for establishing the lawful basis for processing such data under PDPA, GDPR, or other applicable law, and for providing any required notices and obtaining any required consents.
6. Processing on documented instructions
Sawasdee Health will process Customer Personal Data only on Customer’s documented instructions, including those given through the Service’s configuration tools, support requests, and the Terms. Sawasdee Health will inform Customer if, in its opinion, an instruction infringes applicable data-protection law, unless prohibited from doing so by law. Sawasdee Health will not sell Customer Personal Data and will not use it for advertising.
7. Personnel confidentiality
Sawasdee Health will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and receive training appropriate to their role and access level. Access is granted on a need-to-know basis with role-based permissions.
8. Security measures
Sawasdee Health will implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and accidental loss, destruction, damage, or disclosure, taking into account the state of the art and the risks presented by the processing. Current measures include:
- encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- tenant isolation through database row-level security keyed to Customer identifiers;
- least-privilege access controls, multi-factor authentication for administrative access, and role-based authorization;
- audit logging of administrative and security-relevant events;
- secrets management through a dedicated secrets store; no production secrets in source control;
- regular vulnerability scanning, dependency monitoring, and security patching;
- backups with restoration testing; documented business-continuity practices;
- secure software development lifecycle, including code review and pre-deployment testing;
- vendor security assessments before engaging sub-processors that process Customer Personal Data;
- a documented incident response and notification process.
Sawasdee Health may update these measures from time to time, provided the level of security is not materially decreased.
9. Sub-processors
Customer provides general written authorization for Sawasdee Health to engage sub-processors to process Customer Personal Data, subject to this Section 9. The current list of sub-processors is set out in our Privacy Policy. Sawasdee Health will:
- impose data-protection obligations on each sub-processor that are no less protective than those in this DPA;
- remain liable to Customer for the acts and omissions of its sub-processors;
- provide notice through the Service or by email of the addition or replacement of any sub-processor that processes Customer Personal Data, at least thirty (30) days before the change takes effect (or such shorter period as is necessary to address an urgent security or legal need).
Customer may object to a new sub-processor on reasonable data-protection grounds within fifteen (15) days of the notice. The parties will work in good faith to resolve the objection. If they cannot, Customer may terminate the affected portion of the Subscription with a pro-rata refund of any prepaid, unused fees attributable to that portion.
10. International transfers
Customer acknowledges that the Service is provided from, and Customer Personal Data may be transferred to and processed in, the United States and other countries where Sawasdee Health or its sub-processors operate.
- For transfers from the EEA, UK, or Switzerland to a country not the subject of an adequacy decision, the parties incorporate by reference the European Commission’s Standard Contractual Clauses (Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable) and, where relevant, the UK International Data Transfer Addendum, with Customer as data exporter and Sawasdee Health as data importer. Customer authorizes Sawasdee Health to enter into onward transfer mechanisms with sub-processors on Customer’s behalf where required.
- For transfers of personal data of individuals in Thailand to other countries, the parties will rely on transfer mechanisms permitted under Sections 28 and 29 of the PDPA, including Customer’s consent, contractual commitments, or other lawful bases.
11. Data subject requests
Sawasdee Health will, taking into account the nature of the processing, provide reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligation to respond to requests by data subjects to exercise their rights. If a data subject contacts Sawasdee Health directly with such a request, Sawasdee Health will, without undue delay, forward the request to Customer and not respond directly except to confirm receipt and direct the data subject to Customer.
12. Personal data breach
Sawasdee Health will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent known: a description of the nature of the breach, categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Sawasdee Health will cooperate with Customer and provide reasonable information to assist Customer in meeting its own breach-notification obligations to regulators and data subjects.
13. DPIA and prior consultation assistance
Sawasdee Health will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out under applicable law, taking into account the nature of the processing and the information available to Sawasdee Health.
14. Audit and information rights
Sawasdee Health will make available to Customer information necessary to demonstrate compliance with this DPA and, on reasonable request and at Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to (a) reasonable advance notice of at least thirty (30) days, (b) audits conducted no more than once per year unless required by a regulator or following a confirmed material breach, (c) audits limited to information directly relevant to compliance with this DPA, and (d) appropriate confidentiality obligations. Sawasdee Health may satisfy this obligation by providing relevant audit reports, certifications, or written summaries of its security and compliance program.
15. Return and deletion of personal data
On termination of the Subscription and at Customer’s choice, Sawasdee Health will delete or return all Customer Personal Data and delete existing copies, except to the extent applicable law requires retention. Within thirty (30) days of termination, Customer may export Customer Personal Data through tools Sawasdee Health makes available. After that period, Sawasdee Health may delete Customer Personal Data in accordance with its retention practices, subject to backups that cycle out within a documented period.
16. Liability
Each party’s liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits a data subject’s rights under applicable data-protection law or either party’s direct liability to a data subject as required by such law.
17. Order of precedence and changes
In case of conflict between this DPA and the Terms of Service, this DPA controls with respect to processing of Customer Personal Data. Sawasdee Health may update this DPA from time to time as necessary to comply with applicable law or to reflect changes to the Service, with notice to Customer at least thirty (30) days before material changes take effect.
18. Contact
For data-protection matters, contact Sawasdee Health at privacy@sawasdeehealth.com. Notices required under this DPA may be sent to that address. Notices to Customer may be sent to the email address on Customer’s account.