title: Data Protection Addendum (DPA)
documentCode: FM-PI-15
language: EN
organization: Smart Finder Co., Ltd.
Data Protection Addendum (DPA)
This Data Protection Addendum (“Addendum”) forms an integral part of the Privacy Policy of Smart Finder Co., Ltd. and the Terms and Conditions available at https://soraso.net/addendum/ (“Principal Agreement”)[cite: 96].
This Addendum covers the operations of the website https://soraso.net/ (“Website”) and private label services (collectively referred to as the “Business” in this Addendum)[cite: 97]. These are operated on behalf of a third party (“Customer”) regarding the processing of personal data related to the use of the Customer’s services, in compliance with Personal Data Protection Laws[cite: 98].
This Addendum applies only when Smart Finder Co., Ltd. processes Customer Data and User Data subject to Personal Data Protection Laws on behalf of the Customer as a Data Processor while providing Business services under the Principal Agreement[cite: 99].
Smart Finder Co., Ltd. and the Customer agree to comply with the following provisions regarding consumer personal data[cite: 100]:
1. Definitions
- “Account User”: Any individual who accesses and/or uses the Business services through the Customer’s account with the Customer's authorization[cite: 102].
- “Soraso”: Smart Finder Co., Ltd[cite: 103].
- “Customer Data”: Any personal data that Smart Finder Co., Ltd. processes as a Data Processor on behalf of the Customer[cite: 104].
- “Data Controller”: The entity that determines the purposes and means of processing personal data[cite: 105]. The Customer is the Data Controller regarding Customer Data[cite: 106].
- “Data Processor”: The entity that processes personal data on behalf of the Data Controller[cite: 107]. Smart Finder Co., Ltd. is the Data Processor for Customer Data under the Personal Data Protection Act B.E. 2562 (PDPA)[cite: 108].
- “Personal Data Protection Laws”: The Personal Data Protection Act B.E. 2562 (PDPA) and other relevant laws, including the General Data Protection Regulation (GDPR)[cite: 109, 110].
- “Personal Data”: Personal data processed in the context of the Customer’s access and use of the services[cite: 112].
- “Request”: A written request from a Data Subject to exercise their rights under Personal Data Protection Laws[cite: 113].
- “Services”: Soraso web-based software and applications for hotel management, including mobile applications, customization, e-commerce solutions, and POS system sales[cite: 114].
- “Sub-processor”: Any data processor engaged by Smart Finder to assist in fulfilling obligations under the Principal Agreement or this Addendum[cite: 115].
2. Data Processing
2.1 Roles of the Parties
- The Customer is the Data Controller for Customer Data[cite: 120].
- Soraso is the Data Processor, processing personal data on behalf of the Customer under their instructions[cite: 121].
2.2 Customer Obligations
The Customer agrees to[cite: 123]:
- (i) Comply with Personal Data Protection Laws[cite: 124].
- (ii) Provide accurate privacy policies and notices[cite: 125].
- (iii) Obtain necessary consent or legal bases for data processing[cite: 126].
- (iv) Be responsible for data accuracy and legality[cite: 127].
2.3 Processing on Behalf of Customer
Soraso will process data only on behalf of the Customer and according to their instructions for service provision[cite: 128, 129, 130, 131].
2.4 Details of Processing
- Subject: Customer Data[cite: 134].
- Duration: Duration of the Principal Agreement[cite: 135].
- Purpose: Service provision and contract fulfillment[cite: 136].
- Nature: Processing via PMS, POS, IBE systems, and related services[cite: 137].
- Data Types: Identification, contact, and system usage data[cite: 139].
2.5 Use of Aggregated & Anonymized Data
Soraso has the right to use data in an Aggregated & Anonymized format for statistical analysis, market intelligence, and service improvement[cite: 141, 142, 143].
- Data must be irreversibly anonymized[cite: 148].
- It must not identify the Customer, hotel, or specific guests[cite: 149].
- This data is not considered "Customer Data" under this Addendum[cite: 156].
3. Personal Data Requests
- 3.1 Data Requests: The Service provides functions for the Customer to access, edit, or delete data[cite: 158]. Soraso will provide reasonable cooperation if direct access is unavailable[cite: 159].
- 3.2 Non-Disclosure: Soraso will not disclose or sell Customer Data to third parties (excluding anonymized data)[cite: 162].
- 3.3 Government Requests: Soraso will attempt to redirect law enforcement requests to the Customer directly unless legally prohibited[cite: 163, 164].
- 3.4 Contact: Data protection requests can be sent to dpo@smartfinder.tech (Attn: Ms. Irin Somboon)[cite: 165, 166, 167].
4. Sub-processors
- Soraso may engage third-party Sub-processors only as necessary for services[cite: 169, 170].
- Soraso must notify the Customer of changes, allowing 14 days for objection[cite: 171].
5. Relationship with the Principal Agreement
- The Principal Agreement remains in full effect[cite: 173].
- Claims are subject to the "Limitation of Liability" in the Principal Agreement[cite: 174].
6. Legal Binding Effect
This Addendum becomes binding when signed or through implied acceptance via continued use of services after publication[cite: 179, 180, 181, 182].
7. Annual Updates
This Addendum will be reviewed and updated annually[cite: 184].
Execution
CUSTOMER Customer Name: .................................................................
Signature: .................................................................
Date: .................................................................
Soraso (Smart Finder Co., Ltd.) Signature: .................................................................
Name: .................................................................
Position: .................................................................
Date: .................................................................