
PRIVACY NOTICE For i-Balance Application

Invitrace Co., Ltd., the provider of the i-Balance application—a health platform designed to support patients with hypertension in managing dietary habits, monitoring blood pressure, and enhancing health literacy—hereby issues this announcement. As the application collects, stores, and processes personal and health data to enable physicians and medical personnel to utilize such information for clinical care and the reduction of hypertension-related complications, this document is established to define the framework and support the data protection operations of the i-Balance application. This ensures full compliance with the Personal Data Protection Act (PDPA) and international data protection standards.
 

Scope of Application 

This Announcement applies to the i-Balance application regarding the collection, use, and processing of users' personal data for the purpose of monitoring and tracking user outcomes.
 


1. General Data Protection Governance

To ensure systematic data management with clearly defined accountabilities.

1.1.1 Roles and Responsibilities: A Working Committee has been appointed, consisting of the Data Controller, Data Processor, and Data Protection Officer (DPO).

1.1.2 Segregation of Duties: Implementing Role-Based Access Control (RBAC) and the Need-to-Know Basis principle. Access is granted only to relevant personnel based on their duties, with access rights reviewed on a quarterly basis.

 

1.2 Data Privacy Standards

Focusing on compliance with Personal Data Protection laws and referencing international HIPAA standards.

1.2.1 Lawful Basis: The processing of health data (Sensitive Data) will be conducted solely under "Explicit Consent."

1.2.2 Protection of Vulnerable Groups: Specific measures are in place for children under 10 years of age and incompetent persons; consent must be obtained from the legal guardian or person exercising parental power.

1.2.3 Data Lifecycle Management: Clear data retention periods are defined. Upon a request for account deletion, a Soft Delete period of 90 days applies before proceeding to a permanent Hard Delete or Anonymization.

 

1.3 Data Security Measures

The application of technology to prevent data leaks and cyberattacks.

1.3.1 Encryption: Mandatory encryption for data In Transit (across networks) and At Rest (within databases).

1.3.2 Proactive Security: Regular Penetration Testing (Pen Test) to simulate system breaches and patch vulnerabilities before actual deployment.

1.3.3 Perimeter Defense: Deployment of Web Application Firewall (WAF) and DDoS Protection systems to intercept malicious external traffic.

 

1.4 Monitoring & Incident Response 

Measures for handling abnormal incidents.

1.4.1 Audit Logging: Detailed recording of system access to ensure full Traceability for retrospective audits.

1.4.2 Incident Response Plan: In the event of a personal data breach, the company is committed to reporting the incident to the regulatory authority (PDPC) within 72 hours.

1.4.3 Business Continuity (BCP/DR): Implementation of Daily Backups and regular Restore Tests to ensure data integrity and constant system availability.

 

2. General Data Keeping, Collecting, Using and Processing

The company shall collect, use, and process data in its capacity as a Data Processor lawfully, fairly, and transparently, while respecting the accuracy of information and the rights of the data subjects. The company will define the scope, objectives, and retention periods for data processing only as necessary, as specified by the company, or as required by law. All processing activities will be conducted under lawful purposes and company guidelines, ensuring adequate and appropriate confidentiality, integrity, and security.

2.1 The company will establish processes, controls, and management systems for all data stages to align with legal requirements and the company’s Data Protection Policy.

 

2.2 Record of Processing (ROPA): The company will maintain and record all data collection and processing activities in compliance with the law, ensuring records are updated whenever there are changes to related items or activities.

 

2.3 Consent and Notification: Clear processes will be established to ensure that notifications of data purposes and consent requests are legally compliant. This includes measures for the oversight, retention, and auditing of these procedures.

 

2.4 Mechanisms will be provided to verify data accuracy and to regularly rectify information to ensure it remains up-to-date.

 

2.5 The company will execute agreements or contracts with assignees/transferees to define rights, duties, and liabilities regarding data transmission or transfer, ensuring consistency with the law and company policy.

 

2.6 International Transfers: If it is necessary to transfer data to a third party abroad, the company will comply with the relevant laws and data measures of that specific country.

 

2.7 Disposal and Pseudonymization: Upon the expiration of the retention period, the company will destroy the data or implement pseudonymization processes in accordance with the law and company operational guidelines.

 

2.8 The Company shall collect, use, and process data in its capacity as a Data Processor in a lawful, fair, and transparent manner, taking into account the accuracy of the data and the rights of the data subjects. The Company shall define the scope, purposes, and retention periods for data processing only as necessary, or as prescribed by the Company, applicable standards, or relevant laws. All activities must be conducted under lawful objectives and company guidelines, ensuring that data is processed with adequate and appropriate levels of confidentiality, integrity, and security.

 

2.9 The Company must establish processes, controls, and management systems for every stage of data handling to ensure full compliance with the law and the Company’s Data Protection Policy.

 

2.10 The Company must maintain and record the collection, use, and processing of relevant data in accordance with legal requirements. Furthermore, these records must be updated whenever there are changes to the associated entries or activities.

 

2.11 The Company must establish clear procedures to ensure that the notification of processing purposes and the acquisition of consent from data subjects are legally compliant. This includes implementing measures for the oversight, retention, and auditing of such procedures.

 

2.12 The Company must provide mechanisms for verifying the accuracy of data, as well as regular update mechanisms to ensure that the information remains correct and current.

 

2.13 Contractual Requirements: A formal agreement must be established for every transfer to determine the responsibilities and liabilities of the parties involved.

 

2.14 Cross-border & Deletion Protocols: For international transfers, the company must adhere to the destination country's legal standards. Furthermore, it is mandatory to destroy data or perform Pseudonymization once the data's purpose or retention period has concluded, following both legal requirements and company protocols.

 

3. Data Subject Rights

The Company shall establish measures, guidelines, and methods to enable data subjects to exercise their rights as prescribed by law, as follows:


If you wish to exercise your rights as a data subject, the Company shall process and fulfill your request within a period not exceeding 30 (thirty) days from the date of receipt. However, the Company reserves the right to refuse such requests if the refusal is based on legal grounds, a court order, or if fulfilling the request may adversely affect the rights and freedoms of other individuals.

 

4. Roles, Duties, and Responsibilities

The Company shall appoint personnel responsible for overseeing and controlling project management to ensure the systematic structuring of data collection, usage, and processing. The management structure is categorized by functions as follows:

4.1 Service Owner / System Owner 

4.1.1 Define goals and expectations regarding availability, stability, security, and service recoverability.

4.1.2 Approve high-risk maintenance plans or those that may impact service delivery.

4.1.3 Acknowledge maintenance reports and monitor the closure of action items to ensure completion within the scheduled timeframe.

 

4.2 Infrastructure/DevOps

4.2.1 Plan and perform server health checks and maintenance according to defined cycles.

4.2.2 Execute preventive and corrective maintenance as necessary, including preparing and controlling Change Request documentation.

4.2.3 Conduct operational security reviews and Access Reviews in accordance with policy.

4.2.4 Perform Patch Management to mitigate security risks.

4.2.5 Monitor daily backup success, conduct restore tests, and prepare result reports.

4.2.6 Prepare and maintain operational logs and evidence to ensure traceability.

 

4.3 Application Owner / Developer

4.3.1 Provide information regarding limitations and dependencies of related systems to support maintenance planning.

4.3.2 Support post-maintenance application-level verification and collaborate on root cause analysis for application-related incidents.

4.3.3 Implement improvements or fixes to the application when maintenance or reviews identify issues requiring remediation.

 

4.4 QA/Tester 

4.4.1 Perform verification testing after maintenance or changes to confirm that services are functioning normally.

4.4.2 Record test results and report any identified abnormalities to the responsible parties for resolution.

 

4.5 Support / Customer Service

4.5.1 Coordinate communications with users/customers regarding maintenance windows or service impacts.

4.5.2 Act as the initial point of contact for incidents, gather necessary information, and escalate to relevant teams according to the incident management process.

4.5.3 Support status tracking and case closure to ensure compliance with defined SLAs/agreements.

 

5. Executives hold the roles, duties, and responsibilities to monitor and oversee that the departments under their supervision comply with the Company’s Data Protection Policy, and to promote awareness among the Company’s employees and staff.

The Data Protection Officer (Invitrace DPO) holds the roles, duties, and responsibilities as prescribed by law, which include the following duties:

5.1 Regularly report the data protection status to the Data Protection Committee and provide recommendations to modernize the Company’s data protection practices in alignment with the law.

5.2 Provide guidance to employees regarding compliance with legal requirements and the Company’s Data Protection Policy.

5.3 Audit the operations of internal departments to ensure compliance with the law and Company policy; collaborate with the Data Protection Committee on data risk assessments; and serve as the central liaison for government agencies regarding data matters.

 

Employees/Staff have the following roles, duties, and responsibilities:

 

5.4 Conduct themselves in accordance with the Company’s Data Protection Policy, operating standards, guidelines, procedures, and other related data protection documentation.

5.5 Report any data protection abnormalities or non-compliance with legal requirements and Company policy to their respective supervisors.

 

6. General Data Security

The Company shall implement appropriate and sufficient data security measures, including prevention against data leakage and breaches resulting from unauthorized use.

6.1 Appropriate and sufficient security measures must be established, including safeguards against data leaks and unauthorized access or use.

6.2 A management system and response guidelines for data-related incidents must be established to identify and handle abnormalities as required by law.

6.3 Processes must be in place to notify data subjects, government officials, Data Controllers (in cases where the Company acts as a Data Processor), and other relevant parties in compliance with legal requirements.

6.4 Appropriate and up-to-date data security management must be applied to personal data, general data, and pseudonymized data in digital formats.

6.5 For personal data in paper/document format, the Company shall maintain access logs whenever such information is used for work purposes.


 

7. Health Data Security

The Company shall implement appropriate and sufficient security measures to prevent data leakage and unauthorized use. To ensure that users' health data is managed under the highest international standards, the i-Balance Project has designed its systems and workflows based on the Health Insurance Portability and Accountability Act (HIPAA) criteria as follows:

 

7.1 Privacy Rule: Adhering to the Minimum Necessary Standard by limiting the access, use, and disclosure of Protected Health Information (PHI) to the extent necessary for medical services and treatment purposes only.

7.2 Security Rule: Strict protection of electronic health information (ePHI) across three dimensions:

7.2.1 Technical Safeguards: Implementing data encryption both In Transit and At Rest, supplemented by Audit Logs to record detailed access history.

7.2.2 Administrative Safeguards: Appointing data security officers and conducting regular information security risk assessments.

7.2.3 Physical Safeguards: Strictly controlling access to infrastructure and hardware storing patient data.

7.3 Breach Notification Rule: In the event of suspected unauthorized access or a data breach that may affect user rights, the Company has measures to assess risks and immediately notify relevant parties as required by law to effectively mitigate and remediate damages.

7.4 Integration with Domestic Law: The Company processes data by integrating HIPAA standards with the Personal Data Protection Act B.E. 2562 (PDPA) and other relevant privacy laws. This assures users that their personal data is protected by transparent, accountable, and secure technology following global standards.

8. Incident Response and Reporting

8.1 The Company shall establish processes to notify data subjects, government officials, Data Controllers, and other relevant parties in its capacity as a Data Processor, ensuring full compliance with legal requirements.

 

9. Data Protection Compliance 

9.1 The Company shall establish an oversight process to monitor changes in the law or the enactment of new relevant regulations, ensuring data protection measures are consistently updated and legally aligned.

9.2 The Company shall regularly review and update policies, operating standards, guidelines, procedures, and other related documentation to remain modern and responsive to changing circumstances.

9.3 Appropriate structures must be established to oversee the protection of personal and general data as follows:

9.3.1 Clearly define roles, missions, and responsibilities for relevant units and personnel to establish a framework for governance, control, accountability, enforcement, and monitoring.

9.3.2 Formally appoint the Data Controller and the Data Protection Officer (DPO).

 

9.4 Policies, Standards, Guidelines, and Procedures must be developed in alignment with legal requirements.

9.5 A management process must be established to ensure continuous adherence to the Data Protection Policy.

9.6 Regular training must be provided to ensure employees understand the importance of data protection and possess the knowledge to comply with Company policies.

9.7 An oversight process must be established to monitor changes in the law or the enactment of new relevant legislation. Furthermore, data protection measures must be consistently updated to remain current and in full alignment with legal requirements.

9.8 The Company must regularly review and revise policies, operating standards, guidelines, procedures, and other related data protection documentation to ensure they remain modern and responsive to legal updates and evolving circumstances.

 

10. Related Policies

The Company prescribes specific data practice and security regulations as follows:

10.1 Access Control Policy

10.1.1 Least Privilege: Access is granted only to the extent "necessary" for job functions.

10.1.2 RBAC: Rights are assigned based on job roles (e.g., Admin, Doctor, Developer).

10.1.3 Access Review: Quarterly reviews of access rights; immediate revocation upon resignation or change of duty.

10.2 Data Lifecycle Policy

10.2.1 Retention Period: Defined storage periods (e.g., health data stored for 5-10 years per medical regulations).

10.2.2 Secure Disposal: Permanent "Hard Delete" or destruction once data is no longer necessary.

10.2.3 Soft Delete: A 90-day holding period prior to final deletion to prevent errors.

10.3 Backup & BCP

10.3.1 Daily Backup: Daily backups stored in secure, cross-zone locations (e.g., AWS Cross-Region).

10.3.2 Restore Testing: Mandatory quarterly restoration tests to ensure backup integrity.

10.3.3 Availability: Systems must be continuously available with contingency plans for primary server failures.

10.4 Change Management

10.4.1 No Manual Change: Unauthorized manual modifications to Production systems or databases are strictly prohibited.

10.4.2 Request & Approve: All modifications require a Change Request (CR), impact assessment, and authorized approval.

10.4.3 Rollback Plan: Every update must include a rollback plan in case of failure.

10.5 Awareness & Response

10.5.1 Incident Reporting: All employees are obligated to report abnormalities or suspected leaks immediately.

10.5.2 Security Training: Mandatory regular training on data security and PDPA.

10.5.3 Audit Trail: Logs must be maintained for all critical activities to ensure traceability.

 

11. Penalties for Non-Compliance

In the event that a data subject files a legal complaint and the Company fails to act or perform its duties regarding those rights, or if the Company violates the PDPA resulting in a data breach or unauthorized disclosure causing damage, the Company shall be subject to legal penalties. The Personal Data Protection Act (PDPA) prescribes three types of penalties: Civil Liability, Criminal Penalties, and Administrative Fines.

 

Notice: This policy is a provisional version. The final version will be promulgated within 90 days. The Company is committed to strict compliance with the Personal Data Protection Act B.E. 2562 and relevant international standards to ensure transparent data processing.
