← IN65

Legal

Data Processing Agreement

Last updated: 2026-07-05 · Effective on acceptance.

Template — not legal advice, pending counsel review.

This Data Processing Agreement is a working template. It has not yet been reviewed by qualified counsel and does not constitute legal advice. The processor/controller obligations, breach cadence, cross-border mechanism, and audit scope must be reviewed by a Thai PDPA-qualified lawyer (and, where EU data subjects are in scope, GDPR counsel) before go-live with real customer data. If you have signed a separate data-processing addendum or SOW with Opsian Technologies, that document prevails over anything stated here.

1. Parties and roles

This Data Processing Agreement (“DPA”) forms part of the agreement between Opsian Technologies Pte. Ltd. (“Opsian”, “IN65”, “we”) and the organization operating a Tenant workspace on the IN65 platform (“Tenant”, “you”).

  • You are the data controller. You determine the purposes and means of processing the personal data of your customers, staff, suppliers, and other data subjects whose data you enter into IN65.
  • IN65 is the data processor. We process that personal data only on your documented instructions, to provide the Service.

Terms not defined here take the meaning given in Thailand’s Personal Data Protection Act B.E. 2562 (“PDPA”) and, where applicable, the EU General Data Protection Regulation (“GDPR”).

2. Subject matter and duration

The subject matter of the processing is the operation of the IN65 platform for interior-design firms (BOQs, quotes, work orders, procurement, customer records, files, and related workflows). This DPA applies for as long as IN65 processes personal data on your behalf — i.e. for the life of your Tenant plus the post-termination return/deletion window in Section 11.

3. Nature and purpose of processing

We process personal data to host, store, transmit, secure, and display your workspace content; to operate the features you use; to send transactional notifications on your behalf; and to provide support, billing, and security. We do not process your customers’ personal data for our own purposes, do not sell it, do not share it across Tenants, and do not use it to train AI models shared with other tenants.

4. Categories of data subjects and personal data

The personal data you may process through IN65 typically includes:

Category of data subjectCategories of personal data
Your customers / clientsName, email, phone, project address, quote + payment history, messages
Your staff / workspace usersName, email, role, activity + audit-log entries
Suppliers + factory contactsName, business + contact details, catalog and quotation data
Individuals in uploaded filesIncidental personal data in drawings, site photos, spec sheets

You are responsible for ensuring you have a lawful basis to enter this data into IN65 and to instruct us to process it. IN65 is not intended for special-category / sensitive personal data (health, race, religion, biometrics); do not upload it.

5. Controller obligations

  • Establish and document a lawful basis for the personal data you process through IN65, and provide any required notices to your data subjects.
  • Issue processing instructions only through the Service’s features or in writing, and only for lawful purposes.
  • Respond to your data subjects’ requests as the controller (we assist — see Section 8).

6. Processor obligations

As your processor, IN65 will:

  • Process personal data only on your documented instructions, including for cross-border transfers, unless required by law (in which case we notify you unless legally prohibited).
  • Ensure personnel authorized to process personal data are bound by confidentiality.
  • Implement the technical and organizational security measures in Section 9.
  • Assist you, taking into account the nature of processing, with data-subject rights, security, breach notification, and data-protection impact assessments (Sections 8, 9, 10).
  • Make available information reasonably necessary to demonstrate compliance with this DPA (Section 12).
  • Return or delete personal data at the end of the engagement (Section 11).

7. Sub-processors

You give general authorization for IN65 to engage the sub-processors listed in our Privacy Policy — currently Supabase, DigitalOcean, Cloudflare, Stripe, LINE, Resend, PostHog, and Sentry — each engaged under a written contract imposing data-protection obligations no less protective than those in this DPA. We remain responsible for our sub-processors’ performance. We will give you reasonable notice of any intended addition or replacement of a sub-processor via the Service or by email, giving you the opportunity to object on reasonable data-protection grounds.

8. Assistance with data-subject rights

The PDPA and GDPR grant data subjects rights of access, rectification, erasure, restriction, portability, and objection. Taking into account the nature of the processing, IN65 will assist you in meeting these obligations through the platform features (workspace data export, editing, and the anonymization / right-to-be-forgotten flow) and, where those features are insufficient, by reasonable additional support. If we receive a request directly from one of your data subjects, we will refer them to you rather than respond on your behalf.

9. Security measures

IN65 maintains technical and organizational measures appropriate to the risk, including:

  • TLS in transit and encryption at rest at the storage layer.
  • Row-level security at the database to isolate one Tenant’s data from another’s.
  • argon2id password hashing; HMAC-signed webhooks.
  • Rate-limited APIs and per-request audit logging.
  • Least-privilege access controls and need-to-know restrictions.

10. Personal data breach notification

IN65 will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably available to help you meet your own notification obligations. Under the PDPA, a controller must notify Thailand’s Personal Data Protection Committee within 72 hours of becoming aware of a notifiable breach; our notification is designed to support that timeline. Our internal incident-response path is documented in our runbooks. For data-protection and breach matters, contact legal@opsian.io.

11. Return and deletion on termination

On termination of your Tenant, and at your choice, IN65 will delete or return your personal data and delete existing copies, unless retention is required by law. Consistent with our Privacy Policy, Customer Content is deleted from primary storage within 90 days of termination; encrypted backups expire on a 7-day rolling window; billing records are retained for the period required by tax and accounting law.

12. Audit rights

IN65 will make available to you the information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior written notice and no more than once per year (unless required by a supervisory authority), allow for and contribute to audits conducted by you or an auditor you mandate. Audits must respect the confidentiality and security of other tenants and be conducted during business hours without unduly disrupting the Service.

13. Cross-border transfer

IN65 hosts primary data (database and files) with Supabase in Singapore (AWS ap-southeast-1) and runs application compute on DigitalOcean in Singapore (SGP1). For Thai data subjects this is a cross-border transfer outside Thailand; some sub-processors (e.g. Stripe, Resend, Sentry) operate in the US or EU. Such transfers are made under appropriate safeguards, including standard contractual clauses (SCCs) and the sub-processors’ own data-protection commitments, or on another lawful transfer basis under the PDPA / GDPR.

14. Liability and governing law

This DPA is subject to the liability provisions and governing law of the Terms of Service between the parties (currently the laws of Singapore), except where the PDPA or GDPR mandates otherwise. In the event of a conflict between this DPA and the Terms on the subject of personal-data processing, this DPA prevails.

15. Contact

Data-protection questions and requests under this DPA can be sent to legal@opsian.io. Our Data Protection Officer can be reached at the same address.