As a business that provides data engineering services, Orcadrio is at the forefront of helping companies transform their raw data into a strategic asset. Our expertise lies in the entire data lifecycle, from the moment data is generated to its final use in advanced analytics and machine learning models. We specialize in building robust, high-performance data pipelines, ensuring data quality and governance, and implementing scalable data architectures that are the foundation for business growth and innovation. The purpose of this privacy policy is to provide our clients with a clear and comprehensive understanding of how we handle, process, and protect the data we are entrusted with in the course of our work.
1. Introduction and Scope
This Privacy Policy applies to the data engineering services provided by Orcadrio in data transformation and management. It outlines our commitment to protecting the privacy and security of the data we process on behalf of our clients. This policy is designed to align with major international data protection standards, including the Thai Personal Data Protection Act (PDPA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant global frameworks, ensuring a robust and consistent approach to data privacy.
2. The Data We Collect and Process
In the course of providing our data engineering services, we handle two distinct types of data, and our role and responsibilities differ for each:
- Client’s Customer Data (Our Role: Data Processor): We act as a data processor for the data you provide to us about your customers or other data subjects. This means we process this data strictly on your behalf, and under your direct instructions, as outlined in our service agreement. We do not determine the purpose or means of the processing; you, our client, remain the data controller. Our processing activities are limited to what is necessary to perform the requested data engineering tasks, such as building data pipelines, cleansing, transformation, and loading data into your designated environments.
- Our Client’s Business Data (Our Role: Data Controller): We act as a data controller for the information we collect directly from you, our client. This includes business contact details, billing information, project requirements, and communication records. We determine the purpose and means of processing this data—for example, to manage your account, issue invoices, provide support, and communicate with you about our services.
Our Use of Google Cloud Platform (GCP):
To provide our services, we exclusively utilize Google Cloud Platform as our cloud infrastructure provider. Google Cloud is a sub-processor to us, as it stores and processes the data under our direction. We have a contractual agreement with Google that includes robust data processing terms, ensuring they adhere to the highest standards of security and privacy, consistent with global regulations like GDPR and PDPA. We leverage GCP’s advanced security features to protect your data, including its built-in encryption, access controls, and logging capabilities.
3. How We Use the Data
Our use of data is strictly limited to the purposes for which it was provided and is governed by our professional commitment to data privacy, security, and the terms of our service agreement with each client.
Purpose of Processing:
- To Provide and Maintain Our Services: We use Client’s Customer Data exclusively to perform the data engineering tasks for which we have been engaged. This includes, but is not limited to, the design, development, and maintenance of data pipelines, data cleansing and transformation, and the implementation of robust data storage and retrieval systems within the Google Cloud Platform (GCP).
- Adherence to Best Practices: Our data engineering practices are built upon and strictly adhere to the professional and security best practices recommended by Google Cloud Platform. We leverage GCP’s native capabilities, such as fine-grained access controls (IAM), data encryption at rest and in transit, and advanced security logging and monitoring, to ensure the highest standards of data security and integrity. This professional approach ensures that your data is handled with the utmost care and in an environment engineered for security.
- To Manage Our Client Relationship: We use our Client’s Business Data to communicate about projects, manage your account, process billing, and provide technical support. This data is essential for the smooth operation of our business and our partnership with you.
4. Data Sharing and Disclosure
We understand the sensitive and strategic value of the data we process for our clients. We are bound by strict confidentiality obligations, which are explicitly detailed in our service agreements.
- Commitment to Non-Disclosure: We commit to not sharing, selling, renting, or disclosing your Client’s Customer Data with any third party, except as required for the provision of our services or as explicitly authorized by you, the client. We recognize that unauthorized disclosure could severely impact your business strategies and competitive advantage, and we take every measure to prevent it.
- Third-Party Sub-Processor (Google Cloud): As stated, our only third-party sub-processor is Google Cloud Platform. Google is contractually bound by comprehensive data processing addenda to handle data with the same level of confidentiality and security that we uphold. These agreements include strict confidentiality obligations that ensure your data is protected from unauthorized access or disclosure on their end.
- Legal Requirements: In rare circumstances, we may be required by law to disclose data in response to a valid legal request, such as a subpoena, court order, or enforceable governmental request. We are committed to transparency and will, to the extent legally permissible, notify our clients of any such request and work with them to challenge it if appropriate. Our policy is to only disclose the minimum amount of data legally required.
5. Data Security
Our security measures are built upon the robust framework and best practices of Google Cloud Platform (GCP), ensuring that your data is protected with enterprise-grade controls.
Our security program includes:
- Encryption Everywhere: We employ end-to-end encryption to protect your data at every stage.
  - Encryption in Transit: All data moving between our clients’ systems and our GCP environment is encrypted using industry-standard protocols.
  - Encryption at Rest: All client data stored in our GCP environment is automatically encrypted by default. This includes data in storage services like Cloud Storage and databases. We leverage GCP’s native encryption capabilities which use the Advanced Encryption Standard (AES) with 256-bit keys, ensuring that data is unreadable without the proper keys.
- Principle of Least Privilege: We enforce strict access controls using Google Cloud’s Identity and Access Management (IAM). This ensures that our employees and automated processes are granted only the minimum level of access necessary to perform their specific tasks. We use predefined and custom IAM roles to avoid granting broad permissions and to limit access to sensitive data on a need-to-know basis.
- Secure Infrastructure: Our services run on the highly secure, globally distributed infrastructure of Google Cloud. GCP’s physical data centers are protected by multiple layers of security, and its systems are designed to withstand a wide range of cyber threats. We leverage GCP’s built-in security features, including VPC Service Controls to mitigate data exfiltration risks and firewall rules to control network traffic.
- Auditing and Monitoring: We maintain a comprehensive audit trail of all data access and processing activities. Google Cloud’s logging and monitoring tools enable us to track who accessed what data, when, and for what purpose. This continuous monitoring helps us detect and respond to any suspicious activity in a timely manner, reinforcing our commitment to accountability and data integrity.
- Data Deletion: Upon completion of a project or as per the terms of our agreement, we follow a secure data deletion process. We ensure that all client data is securely wiped from our systems in accordance with industry standards and our data retention policy, leaving no traces of sensitive information behind.
6. Data Retention and Deletion
6.1 Guiding Principles
Our data retention and deletion policies are guided by the principle of storage limitation, which dictates that personal data should not be kept for longer than is necessary to fulfill the purpose for which it was collected. This aligns with global privacy standards, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By adhering to this principle, our clients can minimize risk, reduce storage costs, and build greater trust with their customers.
6.2 Data Categories and Retention Periods
The appropriate retention period for data depends on its type, purpose, and any legal or regulatory obligations. Clients should conduct a thorough data inventory to identify and classify the personal information they hold. A recommended approach is to categorize data and establish specific retention periods for each, as outlined below:
- Customer Personal Information (e.g., Name, Address, Contact Details): Retained for the duration of the customer relationship and for a period thereafter to comply with legal, tax, or business requirements. For example, financial records may need to be kept for 6-7 years for tax compliance, while records related to a customer account might be retained for a shorter period after the account is closed.
- Transaction and Financial Data (e.g., Payment History, Invoices): Typically subject to mandated retention periods set by tax and financial laws, which often range from 5 to 10 years depending on the jurisdiction.
- Marketing and Communication Data (e.g., Newsletter Subscriptions, Browsing History): Retained for a defined period, such as up to 2 years, or until the customer withdraws consent. This data should be periodically reviewed and deleted if it is no longer relevant for its original purpose.
- Employee and HR Records: Retention periods are determined by national employment and tax laws. These can vary widely, but often range from 3 to 10 years after an employee’s departure.
- Data Collected for a Specific, Short-Term Purpose: Deleted as soon as the purpose for which it was collected is fulfilled. For example, data gathered for a one-time event registration should be removed shortly after the event is over.
6.3 Secure Deletion and Anonymization
Once the retention period has expired, personal data should be securely deleted or anonymized to ensure it cannot be linked back to an individual.
- Secure Deletion: Involves the permanent and irreversible removal of data from all systems, including live databases and backups. This requires robust protocols to ensure no trace of the data remains.
- Anonymization: A process of transforming data so that it no longer relates to an identifiable person. This can be a viable alternative to deletion, allowing for the long-term use of data for statistical or research purposes without privacy risks.
6.4 Client Responsibilities
Clients are responsible for implementing and regularly auditing their data retention and deletion policies. This includes:
- Developing and maintaining a data inventory and retention schedule.
- Training employees on data handling procedures and the importance of compliance.
- Establishing automated processes for data deletion where possible to minimize human error.
- Responding promptly to data deletion requests from customers.
By following these recommendations, our clients can establish a robust data retention strategy that protects personal information while maintaining legal compliance and operational efficiency.
7. Client’s Rights and Responsibilities
7.1 Our Role as a Data Processor
As a data processor, we are committed to assisting our clients in fulfilling their obligations under global data protection regulations, such as the GDPR and PDPA. These regulations grant customers fundamental rights over their personal information, and our policies and systems are designed to support our clients in responding to these customer requests efficiently and securely.
7.2 Core Data Subject Rights
Our platform and services are built to facilitate our clients’ compliance with the following core data subject rights:
- Right of Access: We will assist clients in providing a copy of a customer’s personal data that we process on their behalf. Upon a valid request from a client, we will provide the necessary data in a structured, commonly used, and machine-readable format.
- Right to Rectification (Correction): We will enable clients to correct or update inaccurate personal data. Our systems are designed to allow clients to make these changes, and we will process the updated information in a timely manner, ensuring data accuracy is maintained.
- Right to Erasure (Deletion): We will support clients in securely deleting a customer’s personal data when they receive a valid deletion request. Upon receiving an instruction from a client to delete specific data, we will permanently remove it from our active systems and backups in accordance with our data retention and deletion protocols.
7.3 Client Responsibilities
While we provide the tools and support to handle these requests, our clients, as data controllers, retain the primary responsibility for managing their customer relationships and legal obligations. Clients are responsible for:
- Customer Interaction: Receiving and verifying the identity of the customer making the request.
- Instruction: Providing us with clear and valid instructions regarding which data needs to be accessed, rectified, or deleted.
- Record-Keeping: Maintaining records of customer requests and the actions taken to fulfill them.
Our cooperative approach ensures that clients can meet their legal requirements while benefiting from our secure and streamlined data processing environment.
8. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make a change, we will update the “Last Updated” date at the top of this document. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
For any significant changes that may affect your rights or responsibilities, we will provide a more prominent notice, such as an email notification or a banner on our website, before the changes become effective. Continued use of our services after such updates constitutes your acceptance of the revised policy.
General
This Privacy Policy is an integral part of our Terms of Service. By using our services, you acknowledge that you have read and understood both documents. In the event of any conflict between this Privacy Policy and the Terms of Service, the provisions of the Terms of Service will prevail.
