Data Processing Agreement
Contractual addendum governing the Company’s processing of Personal Data on behalf of Customers.
1. Preface
This Data Processing Agreement (the "DPA") forms part of the agreement between the Company and the Customer and applies where the Company processes Personal Data on behalf of the Customer as a Processor in connection with the Platform. The DPA is intended to address requirements under PDPA and, where applicable, GDPR and other applicable data protection laws. Effective Date: February 21, 2026. Last Updated: February 21, 2026.
2. Definitions and Relationship to Other Documents
Capitalized terms used in this DPA have the meanings set out in the Terms of Service, including Company, Platform, Customer, Organization, Instructor, Learner, End User, Content, Personal Data, Controller, Processor, and Subprocessor.
For the purposes of this DPA, "Customer Personal Data" means Personal Data processed by the Company as a Processor on behalf of the Customer in connection with the provision of the Platform. "Applicable Data Protection Law" means the PDPA and its subordinate regulations, and, where applicable based on the Customer’s and End Users’ locations and activities, GDPR and other mandatory privacy or data protection laws. "Security Incident" means an event that compromises the confidentiality, integrity, or availability of Customer Personal Data, including a personal data breach as defined under PDPA or GDPR, as applicable.
If there is a conflict between this DPA and the Terms of Service regarding the parties’ data protection obligations, this DPA will prevail to the extent of that conflict. If there is a conflict between this DPA and any executed order form, precedence is as follows: an executed order form prevails over the DPA with respect to commercial terms, and the DPA prevails over the Terms of Service with respect to data protection obligations, except that the parties may agree in an order form to additional security or audit obligations.
3. Scope of Processing
3.1 Roles of the Parties
The Customer is the Controller of Customer Personal Data and the Company is the Processor, except where the Company acts as a Controller for its own processing as described in the Privacy Policy. The Customer determines the purposes and means of processing Customer Personal Data and instructs the Company to process Customer Personal Data to provide the Platform.
3.2 Processing Details
The subject matter, duration, nature, and purposes of processing, together with categories of data subjects and types of Customer Personal Data, are described in Annex 1. The Company will process Customer Personal Data only for the duration of the Customer’s use of the Platform, unless otherwise required by applicable law.
3.3 Customer Instructions
The Company will process Customer Personal Data only on documented instructions of the Customer, including with respect to transfers of Customer Personal Data to a third country or international organization, unless required to do so by applicable law. Where the Company is required by law to process Customer Personal Data other than on the Customer’s instructions, the Company will, to the extent permitted, inform the Customer of that legal requirement.
4. Processor Obligations
4.1 Confidentiality
The Company will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations, whether contractual or statutory, appropriate to the nature of the processing.
4.2 Security Measures
The Company will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access. The security measures are described at a high level in the Security Policy and may be further described in Annex 1. With respect to specific control frameworks, certifications, and audit reports, the Company currently maintains security practices consistent with industry standards for SaaS platforms. The Company may pursue formal certifications as the Platform matures and will make relevant audit reports or certifications available upon request.
4.3 Subprocessors
The Customer authorizes the Company to engage Subprocessors to process Customer Personal Data for the purposes of providing the Platform. The Company will enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective than those in this DPA, to the extent applicable to the services provided by the Subprocessor.
The Company maintains a list of Subprocessors available upon request by emailing heretohelp@openmirai.com. The Company will provide at least 30 days’ advance notice before engaging a new Subprocessor. The Customer may object to a new Subprocessor on reasonable data protection grounds within 14 days of receiving notice. If the parties cannot resolve the objection, the Customer may terminate the affected services.
4.4 Assistance with Data Subject Rights
Taking into account the nature of the processing, the Company will provide reasonable assistance to the Customer to enable the Customer to respond to requests by data subjects to exercise their rights under Applicable Data Protection Law, to the extent such requests relate to Customer Personal Data. The Company’s assistance may include providing features that enable access, correction, export, and deletion, subject to the Platform’s functionality. The Company provides self-service features for data access, correction, and deletion where technically feasible, and will assist with requests that cannot be fulfilled through self-service within 30 days.
4.5 Assistance with Compliance
Taking into account the nature of processing and information available to the Company, the Company will provide reasonable assistance to the Customer with the Customer’s compliance obligations relating to security of processing, personal data breach notifications, and, where applicable, data protection impact assessments and prior consultation with regulators. The scope and method of such assistance will be agreed between the parties on a case-by-case basis. Reasonable assistance is provided at no additional charge; extended assistance may be subject to fees at the Company's then-current professional services rates.
4.6 Security Incident Notification
The Company will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data. Notifications will be sent via email to the Customer's designated security or privacy contact. Notifications will include the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. The Company will provide information reasonably necessary for the Customer to meet applicable notification obligations, taking into account information available to the Company.
4.7 Audits and Information
The Company will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits as required by Applicable Data Protection Law, subject to reasonable confidentiality and security controls. Audits may be conducted once per year, with at least 30 days' advance written notice. Audits will be limited to documentation review and review of third-party audit reports or certifications. On-site audits may be conducted where documentation review is insufficient, subject to reasonable confidentiality and security controls. Audit costs are borne by the Customer unless the audit reveals material non-compliance by the Company.
4.8 Return and Deletion
Upon termination of the Customer’s use of the Platform, the Company will, at the Customer’s choice and to the extent technically feasible, return or delete Customer Personal Data, unless retention is required by applicable law. Upon termination, the Customer may export Customer Personal Data through the Platform’s export features for a period of 30 days. After this period, the Company will delete Customer Personal Data within 60 days, unless retention is required by applicable law.
5. International Transfers
Where Customer Personal Data is transferred outside Thailand or outside the jurisdiction of a data subject, the Company will implement safeguards required by Applicable Data Protection Law. For transfers subject to GDPR, the parties will enter into Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914). The applicable modules and annexes will be documented in Annex 3.
6. Customer Obligations
The Customer represents and warrants that it has provided all notices and obtained all rights, consents, and lawful bases required to process Customer Personal Data and to instruct the Company to process Customer Personal Data under this DPA. The Customer is responsible for the legality of its instructions and for ensuring that Customer Content and the Customer’s use of the Platform comply with Applicable Data Protection Law.
7. Liability and Allocation of Risk
Liability allocation between the parties for claims arising under this DPA is intended to follow the Terms of Service, including any limitation of liability, except to the extent prohibited by Applicable Data Protection Law. Any DPA-specific liability follows the limitation of liability in the Terms of Service. The aggregate liability of each party under this DPA shall not exceed the total fees paid or payable by the Customer in the twelve (12) months preceding the event giving rise to the claim.
8. Term and Termination
This DPA remains in effect for as long as the Company processes Customer Personal Data on behalf of the Customer. Sections intended to survive, including confidentiality, deletion and return obligations, and liability provisions, will survive termination to the extent necessary.
9. Updates to this DPA
The Company may update this DPA where necessary to reflect changes in Applicable Data Protection Law or in the Platform. The Company will publish the updated version within the legal documentation portal with at least 30 days' advance notice and may provide additional notice by reasonable means. Material changes require the Customer's written acceptance, which may be provided through the Platform. Continued use of the Platform after the notice period constitutes acceptance of non-material changes.
Annex 1. Processing Details
A1.1 Subject Matter and Nature of Processing
The Company provides a hosted learning management system that processes Customer Personal Data to enable Organizations to create and administer learning websites, manage End Users, deliver learning content, and operate associated workflows. Processing activities may include storage, hosting, transmission, access control, display, and deletion, as initiated by the Customer’s configuration and use of the Platform.
A1.2 Categories of Data Subjects
Categories of data subjects may include Customer administrators, Instructors, Learners, employees, contractors, and other End Users whose Personal Data is included in Customer Content or otherwise processed through the Platform.
A1.3 Types of Customer Personal Data
Types of Customer Personal Data may include identifiers and contact information, account credentials, role and permission data, learning participation records, communications, and technical and usage data generated through Platform use. In particular, they include name, email address, username, profile information, role and permission data, course enrollment and progress records, assessment results, communications through the Platform, IP addresses, device information, and usage logs. The specific fields depend on Customer configuration and use.
A1.4 Purpose and Duration
The purpose of processing is to provide the Platform and related support and security functions as instructed by the Customer. The duration of processing is the term of the Customer’s use of the Platform, plus an additional period of up to 90 days for export, deletion, backup cleanup, and legal compliance.
A1.5 Security Measures
Security measures may include access controls, authentication, logging and monitoring, encryption in transit, backups, and incident response processes, as further described in the Security Policy. In particular, they include role-based access controls, multi-factor authentication, audit logging and monitoring, encryption in transit using TLS 1.2 or higher, encryption at rest using AES-256, regular backups with 30-day retention, and documented incident response procedures.
Annex 2. Subprocessors
The Company’s current Subprocessors are listed below. The Company maintains a current list and provides at least 30 days’ advance notice of changes via email to the Customer’s designated contact.
| Subprocessor | Service | Data Location |
|---|---|---|
| Akamai Technologies (Linode) | Kubernetes cluster hosting and compute infrastructure | Singapore |
| Cloudflare, Inc. | Edge computing (Workers) and content delivery | Global |
| Cloudflare, Inc. | Object storage (R2) | Global |
| MongoDB, Inc. | Database cluster hosting | Singapore |
| Google Cloud Platform (Vertex AI) | AI model inference (Gemini 3 Pro Preview, Gemini 3 Flash) | Global |
| Stripe, Inc. | Payment processing (credit/debit cards, bank transfers) | Global |
| Slip2Go | PromptPay payment slip verification | Thailand |
Annex 3. Transfer Mechanisms
For transfers subject to GDPR, Standard Contractual Clauses as approved by the European Commission will be used. The applicable module is Module Two (Controller to Processor). Related appendices will be completed and documented in Annex 3 upon execution.