Bench active · EN ↔ TH · TEL +66 02-859-2145 · NDA from first email · 1-hour quote SLA
EN TH
Request RFP
DATA SECURITY POSTURE · GDPR + PDPA BACKBONE · NDA FROM FIRST EMAIL · BANGKOK-MANAGED · NO OUTSOURCING · AUDIT-TRAIL DISCIPLINE
Operational controls behind every engagement · AES-256 at rest & TLS 1.3 in transit · 72-hour breach window
Othello / Data Security
★ DATA SECURITY · OPERATIONAL CONTROLS · NDA-FROM-FIRST-EMAIL · GDPR + PDPA REGULATORY BACKBONE · FAR-GRADE AUDIT DISCIPLINE

Client data protected by design. Not as an afterthought.

Othello International was founded in 2020 on US Government bilingual contracts — US CDC, US State Department, UN Women, UK PACT — under FAR-grade contractor verification, the procurement standard the US Government applies to entities handling sensitive material. The firm’s data-security posture inherits from that origin: NDA-from-first-email, no outsourcing, Bangkok-managed throughout, with audit-trail discipline applied to every engagement regardless of size or sector. The technical backbone is the firm’s two data-protection credentials: GDPR (EU regulation operating in Thailand via extraterritorial reach), PDPA (Thai national framework under PDPC supervision) — both held at firm level and verifiable independently. Operational controls applied to all client data: encryption (AES-256 at rest, TLS 1.3 in transit), access controls (least-privilege, named user, no shared credentials), retention (default deletion at engagement close + 90 days plus statutorily required holds), breach notification (72-hour PDPA window aligned with GDPR), vendor management (data processing agreements with all sub-processors), and the procurement-grade audit-trail that documents every data touch. This page documents the operational controls themselves — the regulatory regimes that govern them are covered separately on the GDPR, PDPA, and Compliance Center pages. For corporate counsel, security teams, vendor risk officers, and procurement reviewers vetting Othello, this page is the operational posture statement that pairs with the firm’s NDA Standard, Privacy Policy, and Terms of Service to form a complete vendor-vetting documentation set.

Encryption Standard
AES-256
At rest · TLS 1.3 in transit
Breach Notification
72h
PDPA aligned with GDPR
Data Residency
Bangkok
Managed throughout · no offshoring
Default Retention
90d
Post-engagement + statutory holds
★ DATA SECURITY POSTURE · OPERATIONALLY DOCUMENTED
Procurement-grade. Audit-trail discipline.
  • Regulatory backboneGDPR + PDPA
  • Origin disciplineFAR-grade · 2020 USG contracts
  • NDA timingFrom first email
  • OutsourcingNone · Bangkok-managed
  • EncryptionAES-256 + TLS 1.3
  • Breach window72-hour · PDPA = GDPR
  • Pairs withNDA · Privacy · Terms
★ §01 · The Seven Security Pillars · Encryption Foundation + Six Operational Controls

Seven pillars. Encryption foundational. Six operational controls applied throughout.

Othello’s data-security posture is structured around seven operational pillars: encryption, access controls, retention, breach response, vendor management, audit trail, and human factors. Encryption is the foundational pillar — AES-256 at rest, TLS 1.3 in transit, applied to every byte of client data without exception. The other six pillars are operational controls applied throughout the data lifecycle. Each pillar is operationally documented in the firm’s internal Information Security Policy, supplied under NDA to procurement reviewers requesting full documentation as part of vendor onboarding.

PILLAR 01 · FOUNDATIONAL

Encryption. Every byte.

AES-256 at rest · TLS 1.3 in transit · no exceptions.

Every byte of client data Othello holds is encrypted at rest with AES-256 — the symmetric encryption standard adopted by the US Government for protecting classified information at the SECRET level and below. Data in transit between the firm and clients uses TLS 1.3, the current version of Transport Layer Security with forward secrecy and authenticated encryption. There are no exceptions: encryption is applied to engagement files, working documents, email attachments, archive storage, backup media, and the engagement ledger itself. Encryption keys are managed via the cloud provider’s key management service with rotation policies, audit logging, and access restricted to named technical leads under the firm’s information security policy. For high-sensitivity engagements — legal, healthcare PHI, capital markets material non-public information — client-managed encryption keys (BYOK) are available under the engagement letter.

Encryption-in-place across the stack
  • Engagement files · AES-256 at rest
  • Email + attachments · TLS 1.3 + S/MIME on request
  • Working documents · cloud-encrypted (BYOK available)
  • Archive storage · AES-256, separate key, audit-logged
  • Backup media · encrypted, offline-cycled
  • Engagement ledger · encrypted, named-user audit log
PILLAR 02 · ACCESS

Least-privilege access controls.

Named user · no shared credentials · MFA mandatory.

Access to client data is granted on a least-privilege basis: only bench members materially assigned to an engagement have access. Multi-factor authentication is mandatory for all firm accounts; no shared credentials exist; access is logged at named-user granularity. Access is revoked within one business day of bench-member departure or engagement closure, whichever comes first.

PILLAR 03 · RETENTION

Retention and destruction.

90-day default · longer for statutory holds · certified destruction.

Default retention is 90 days after engagement closure, then certified destruction. Longer retention applies where statutory hold requirements exist (Thai legal retention, healthcare records, financial advisory file requirements). Destruction follows NIST 800-88 Clear/Purge guidelines with documented destruction certificate available on client request.

PILLAR 04 · BREACH

Breach response + notification.

72-hour PDPA-aligned + GDPR-aligned window.

In the event of a personal-data breach, Othello notifies the affected client within 72 hours of becoming aware — aligning with both the PDPA Thai breach notification window and the GDPR Article 33 controller notification window. Breach response runs to a documented internal procedure: containment, assessment, notification, remediation, post-incident review. Where regulator notification is required, the firm supports the client’s filing.

THREE FURTHER PILLARS APPLY ACROSS THE LIFECYCLE · The four pillars above cover the encryption foundation and the three highest-friction operational controls. Three further pillars apply across the data lifecycle: (5) Vendor management — data processing agreements with all sub-processors, documented sub-processor list, due-diligence on substantive vendors; (6) Audit trail — engagement-by-engagement documentation chain that pairs with the firm’s procurement-grade audit-trail standard inherited from US Government contracts; (7) Human factors — bench training on data handling, NDA-from-first-email discipline, no-outsourcing rule, Bangkok-managed throughout. These three are operationalised through the bench discipline itself — not bolt-on controls but built-in working practice.

★ §02 · The Data Lifecycle · Six Stages From Intake To Destruction

Six stages. One audit trail. Every engagement runs the same lifecycle.

Client data moves through six lifecycle stages from intake to destruction. Specific operational controls apply at each stage, with the audit-trail documentation continuous across stages. The lifecycle is the same for a five-day technical translation engagement and a twelve-month ESG advisory engagement — the scale of work varies, the discipline does not. The lifecycle is operationally documented and supplied to procurement reviewers under NDA on request.

01
STAGE · INTAKE

Data intake.

Client data enters Othello’s environment through encrypted channels only — encrypted email attachments, client-portal upload, or secure-share link. NDA is in place from first email; data is logged into the engagement ledger at receipt; assigned to the engagement folder with access controlled per Pillar 02. No client data is accepted via unencrypted channels.

Controls applied
  • NDA from first email · pre-intake
  • Encrypted channels only
  • Engagement ledger entry · audit log
  • Access control assignment · named users
02
STAGE · STORAGE

Storage.

Data is stored AES-256 encrypted at rest in the firm’s primary cloud environment, with logical separation per engagement. Backups are encrypted with separate keys; archive storage is segregated from working storage; encryption keys are managed via cloud key management service with rotation policies. No client data is stored on bench-member personal devices; all working is in the firm-managed environment.

Controls applied
  • AES-256 at rest · no exceptions
  • Logical separation per engagement
  • Separate keys for backup vs active
  • No personal-device storage
03
STAGE · PROCESSING

Processing.

Substantive work on client data is performed by named bench members under access controls. Working documents are kept in the firm-managed cloud environment; offline working on local devices is permitted only with full-disk encryption and within the firm-managed device fleet. No client data is processed through public AI tools, free translation engines, or unmanaged third-party services — the no-outsourcing rule extends to algorithmic services.

Controls applied
  • Named bench access only
  • Firm-managed cloud workspace
  • No public AI tools · no free translation
  • Audit log per access event
04
STAGE · TRANSMISSION

Transmission.

Data in transit — including to the client at delivery — uses TLS 1.3 with authenticated encryption. S/MIME-encrypted email is available on request; secure-share-link delivery is preferred for substantial files; raw email attachments to public mailboxes are discouraged for personal-data-bearing content. Transfers to client-side jurisdictions outside Thailand follow GDPR-aligned transfer mechanisms (SCCs where applicable, adequacy decisions where applicable, derogations only with explicit client authorisation).

Controls applied
  • TLS 1.3 in transit
  • S/MIME available on request
  • Secure-share preferred over email
  • GDPR transfer mechanisms aligned
05
STAGE · RETENTION

Retention.

Default retention is 90 days after engagement closure; engagement-specific retention extensions apply for statutory or regulatory holds (Thai legal retention rules, healthcare records, financial advisory work-paper requirements). Retention is documented per-engagement in the engagement ledger; access during retention period remains restricted to named bench members under Pillar 02. Engagement-specific shorter retention available on client request in the engagement letter.

Controls applied
  • 90-day default · per-engagement extension
  • Statutory holds documented
  • Retention listed in engagement ledger
  • Shorter retention available on request
06
STAGE · DESTRUCTION

Destruction.

At end of retention, data is destroyed following NIST 800-88 Clear/Purge guidelines: cryptographic erasure for encrypted storage, overwrite for non-encrypted, physical destruction for failed media. Destruction is logged in the engagement ledger; destruction certificate available on client request. Backup-cycle data is destroyed on rolling schedule per Pillar 03; no client data persists beyond the documented retention window plus a defined backup-cycle clearing period.

Controls applied
  • NIST 800-88 Clear/Purge guidelines
  • Cryptographic erasure default
  • Destruction certificate on request
  • Backup cycle clearing on rolling basis

ONE AUDIT TRAIL ACROSS SIX STAGES · The engagement ledger documents every client-data event across the six lifecycle stages — intake timestamp, named-user accesses, working document revisions, transmission events, retention status, destruction certificate. This is the procurement-grade audit-trail discipline inherited from the firm’s 2020 US Government contract origin — not a marketing claim, an operationally documented practice. The engagement ledger is available to client procurement reviewers under NDA as part of vendor onboarding or post-incident review.

★ §03 · Vendor & Subcontractor Management · Six Operational Stages

Six stages. Every sub-processor documented. Every vendor under DPA.

Othello operates a strict no-outsourcing rule for substantive bench work — translation, ESG advisory, research, drafting are all performed by named bench members in Bangkok. But the firm uses technical sub-processors (cloud infrastructure, productivity tools, communication services, security tools) like every modern business; those sub-processors are managed under documented vendor controls. The vendor management workflow runs in six stages from screening through off-boarding, with documented evidence at each stage. The current sub-processor list is available to procurement reviewers under NDA on request; substantive changes to the sub-processor list are notified to active-engagement clients with reasonable advance notice.

★ NO OUTSOURCING OF SUBSTANTIVE WORK · TECHNICAL SUB-PROCESSORS DOCUMENTED · DPA-FIRST

From vendor screening to off-boarding. One workflow.

How Othello’s vendor management discipline operates: every technical sub-processor is screened, contracted, monitored, and off-boarded under documented controls. The output is a documented sub-processor list with active DPA evidence, supplied to procurement reviewers under NDA. See Compliance Center for the regulatory regime backbone, and Our Process for the broader bench discipline.

STAGE 01
Vendor screening · substantive due-diligence.Before any vendor processes Othello client data, the vendor undergoes documented screening. Substantive criteria: jurisdictional data residency (preference for GDPR-adequate or jurisdictions with adequacy decisions), public security posture (SOC 2 Type II, ISO 27001, or equivalent), public breach history (recent material breaches trigger heightened scrutiny), and contractual willingness to execute Othello’s standard DPA. Where a vendor’s security posture is below the firm’s threshold, the vendor is rejected and an alternative is selected; client data does not enter the vendor environment.
STAGE 02
Data classification · what touches the vendor.Each approved vendor is mapped to specific data categories it processes. Categories: client identity data (contact details, billing), engagement metadata (project names, scheduling), substantive content (the actual translation source/target, ESG report draft, advisory deliverable), and authentication credentials. The mapping determines applicable controls: substantive-content vendors are held to the strictest controls; metadata-only vendors face proportionate but lighter requirements. Sensitive engagements (legal, healthcare, capital markets) may have client-specific restrictions on which vendors may touch substantive content.
STAGE 03
Data processing agreement · contractual backbone.Every vendor that processes Othello client data operates under a Data Processing Agreement (DPA). DPA terms align with GDPR Article 28 and PDPA Section 40: documented processing purpose, security obligations (encryption, access controls, incident response), sub-processing chain disclosure, audit rights, breach notification timelines (typically 24-48 hours vendor-to-Othello so Othello can meet the 72-hour client-notification window), data-return-or-destruction at contract end. Where a vendor refuses Othello’s standard DPA terms, the vendor is not engaged; the substantive standard is non-negotiable.
STAGE 04
Sub-processor list · documented + disclosed.Othello maintains a documented sub-processor list with vendor name, processing purpose, data category, and jurisdiction. The list is supplied to procurement reviewers under NDA at vendor-onboarding diligence, and to active-engagement clients on request. Substantive changes to the list (new substantive-content sub-processors) are notified to active-engagement clients with reasonable advance notice, allowing the client to raise objection within the engagement letter terms. The disclosure discipline is GDPR Article 28(2)/PDPA Section 40-aligned — the regulatory regime that motivates the operational practice.
STAGE 05
Ongoing monitoring · annual review + incident response.Each substantive-content sub-processor is subject to annual review: confirmation of security posture, certification renewal, jurisdiction continuity, no material breach history, DPA continuing in force. Where a vendor’s security posture degrades or a material breach is disclosed, the firm assesses whether continued engagement is appropriate and notifies active-engagement clients if a sub-processor change is required. Vendor incident-response runs through the firm’s breach response procedure (Pillar 04): vendor notifies Othello within DPA-specified window, Othello assesses materiality to active engagements, Othello notifies affected clients within the 72-hour client-facing window.
STAGE 06
Off-boarding · data return or certified destruction.At end of vendor engagement, Othello directs the vendor to return or destroy all Othello client data held by the vendor. Where the vendor’s standard practice supports certified destruction (cryptographic erasure for encrypted storage, NIST 800-88-aligned), Othello relies on the destruction certificate; where the vendor’s standard practice requires data return for Othello-side destruction, the data returns through encrypted channel and is destroyed per Pillar 03. Off-boarded vendors are removed from the sub-processor list within 30 days of effective off-boarding; the list is updated and re-distributed to clients with active disclosure obligations.

THE NO-OUTSOURCING RULE IS THE FOUNDATIONAL DISCIPLINE · Substantive bench work (translation, advisory, drafting, research) is performed in-house by named Bangkok-managed bench members — never outsourced to freelance pools, offshored to lower-cost jurisdictions, or routed through marketplace platforms. Technical sub-processors (cloud infrastructure, productivity tools, secure communications) are used like every modern business uses them — but documented, contracted, monitored, and disclosed. The substantive work stays Bangkok; the documentation stays auditable. The combination is what makes the procurement-grade vendor-vetting picture coherent.

★ §04 · The Regulatory Backbone Behind Operational Practice

Six anchors. One regulatory backbone.

The data-security operational practice documented above sits on a documented regulatory backbone: two firm-level data-protection credentials (GDPR + PDPA), one foundational discipline (NDA-from-first-email), one origin standard (FAR-grade contractor verification), and two integrating documents (the firm’s 20-credential register and the Compliance Center). The six anchors below are what makes the operational posture defensible under procurement scrutiny, regulator inquiry, and contractual review.

STD 01 · EU REGULATION

GDPR extraterritorial.

The EU General Data Protection Regulation operates extraterritorially under Article 3 — applying to Othello when handling personal data of EU data subjects or providing services to EU-established controllers. Othello holds firm-level GDPR compliance posture documented at /certifications/gdpr/: lawful bases mapped, Article 28 controller-processor terms in place, Article 33 breach notification procedure operational, data subject rights procedure documented. The 72-hour breach notification window is operationally calibrated to the GDPR Article 33(1) standard.

RegulationGDPR (EU) 2016/679
ReachArticle 3 extraterritorial
Detail/certifications/gdpr/
STD 02 · THAI REGULATION

PDPA Thai framework.

The Thai Personal Data Protection Act B.E. 2562 (2019) is the domestic regulatory framework, supervised by the Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society. Othello holds firm-level PDPA compliance posture documented at /certifications/pdpa/: lawful bases under Section 24 mapped, controller-processor terms under Section 40 in place, breach notification under Section 37 procedure operational. The PDPA breach notification window aligns with GDPR’s 72 hours — Othello’s single 72-hour standard satisfies both regimes simultaneously.

RegulationPDPA B.E. 2562
SupervisorPDPC / MDES
Detail/certifications/pdpa/
STD 03 · NDA STANDARD

NDA from first email.

Othello’s NDA is in place from the first email of any prospective engagement, not from contract signature. This is the foundational confidentiality discipline inherited from US Government contract origin: any client data, business context, or substantive information shared with the firm at any stage of engagement scoping is treated as confidential under the firm’s NDA Standard. The substantive standard is mutual — Othello equally protects its bench composition, methodology, pricing, and engagement structure under the same confidentiality discipline. See /nda-confidentiality/ for the NDA Standard document.

TriggerFirst email
DirectionMutual
Document/nda-confidentiality/
STD 04 · FAR-GRADE ORIGIN

FAR-grade contractor verification.

Othello was founded in 2020 on US Government bilingual contracts — US CDC, US State Department, UN Women, UK PACT. US Government contracting requires Federal Acquisition Regulation (FAR) compliance on the contractor side: contractor verification, audit-trail discipline, conflict-of-interest screening, security clearance protocols where applicable. The firm’s procurement-grade audit-trail discipline is inherited from this origin — not retro-fitted commercial language but the practice the firm was founded operating under. Bench training, engagement ledger discipline, and the no-outsourcing rule all trace to FAR-grade origin.

OriginUSG contracts 2020
StandardFAR-grade discipline
ClientsCDC, State, UN, PACT
STD 05 · 20 CREDENTIALS

Firm-level credential register.

The firm holds five firm-level credentials and 15 bench practitioner credentials, all independently verifiable on the issuing body’s registry. Firm-level credentials directly relevant to data-security posture: ISO 17100 (translation quality management with ISO 9001 paired), ATA (American Translators Association membership), ATC (Association of Translation Companies membership), GDPR + PDPA (the data-protection backbone). Bench credentials add 15 further independent practitioner-level credentials across climate & carbon, ESG reporting, and EU cross-border disclosure. The complete register is at /certifications/.

Total20 credentials
Firm-level5 (incl. GDPR+PDPA)
Register/certifications/
STD 06 · COMPLIANCE CENTER

Compliance center.

The Compliance Center documents the regulatory regimes Othello operates within across sectors: capital markets (SEC Thailand & SET disclosure rules), healthcare (HIPAA + Thai MoPH), legal (privilege + court rules), government (FAR + UN procurement). The Data Security page covers operational controls; the Compliance Center covers the regulatory regimes those controls are calibrated to. Together with the NDA Standard, Privacy Policy, and Terms of Service, the Compliance Center forms the firm’s complete vendor-vetting documentation set. Located at /compliance/.

PageCompliance Center
ScopeRegulatory regimes
Location/compliance/

THE STACK IS WHY THE POSTURE IS DEFENSIBLE · Data-security posture statements are only as credible as the regulatory backbone behind them. Othello’s stack — GDPR + PDPA credentials independently verifiable, FAR-grade origin documented through 2020 US Government contracts, NDA-from-first-email as foundational discipline, 20 credentials on the register, and the Compliance Center integrating regulatory regimes — is what allows the operational claims on this page to hold up under procurement scrutiny. For corporate counsel, security teams, and vendor risk officers vetting Othello, the documentation set is complete and the verification routes are clear: contact the firm under NDA for the Information Security Policy, the sub-processor list, and the engagement ledger sample.

★ Adjacent · The Vendor-Vetting Documentation Set

Three adjacent documents. One complete set.

The Data Security page is one of three substantive documents procurement reviewers, corporate counsel, and security teams consult when vetting Othello. Each document covers a distinct dimension: this page covers operational controls; the GDPR + PDPA credential pages cover the regulatory backbone; the Compliance Center covers the regulatory regimes across sectors. Together with the NDA Standard, Privacy Policy, and Terms of Service, the four-document set is the complete vendor-vetting picture.

★ Data Security FAQ · Ten Procurement Questions

Procurement questions answered up front.

Substantive answers to what corporate counsel, security teams, vendor risk officers, and procurement reviewers routinely ask when vetting Othello against client information security requirements.

Q.01What encryption standards apply to client data?

AES-256 at rest, TLS 1.3 in transit, applied to every byte of client data without exception. AES-256 is the symmetric encryption standard adopted by the US Government for protecting classified information at the SECRET level and below; TLS 1.3 is the current Transport Layer Security version with forward secrecy and authenticated encryption. Coverage includes: engagement files, working documents, email attachments, archive storage, backup media, and the engagement ledger itself. Encryption keys are managed via the cloud provider’s key management service with rotation policies, audit logging, and access restricted to named technical leads. For high-sensitivity engagements (legal, healthcare PHI, capital markets material non-public information), client-managed encryption keys (BYOK) are available under the engagement letter.

Q.02What is the breach notification process and timeline?

72-hour client notification window from becoming aware of a personal-data breach, aligning with both GDPR Article 33 (controller notification window) and PDPA breach notification requirements. Breach response runs to a documented internal procedure: (1) Containment — immediate technical steps to limit scope; (2) Assessment — categorisation, affected data identification, harm assessment; (3) Notification — client notification within 72 hours, regulator notification support where required by the client; (4) Remediation — technical fix, access review, vendor escalation if vendor-side breach; (5) Post-incident review — root-cause analysis, process improvement, documentation update. Vendor sub-processor incidents trigger faster vendor-to-Othello notification (typically 24-48 hours per DPA) so Othello can meet the 72-hour client-facing window. The breach response procedure is documented and supplied to procurement reviewers under NDA.

Q.03Where is client data physically stored and processed?

Substantive work is Bangkok-managed throughout; technical storage is in the firm’s cloud environment with documented data residency. Bench-member working location is Bangkok — the no-outsourcing rule prevents substantive work from being routed through freelance pools, offshored to lower-cost jurisdictions, or processed via marketplace platforms. For cross-border transfers to client-side jurisdictions outside Thailand, the firm follows GDPR-aligned transfer mechanisms: Standard Contractual Clauses (SCCs) where applicable, adequacy decisions where applicable, derogations only with explicit client authorisation in the engagement letter. Cloud data residency can be configured per engagement — clients with regulatory requirements pinning data to a specific jurisdiction (EU residency, healthcare-specific) can specify in the engagement letter; the technical configuration follows.

Q.04How long is client data retained after the engagement closes?

Default retention is 90 days after engagement closure, then certified destruction. Longer retention applies where statutory hold requirements exist: Thai legal-sector retention rules, healthcare records retention, financial advisory work-paper requirements, legal-privilege documentation, capital markets working-paper requirements. Shorter retention is available on client request in the engagement letter — some clients prefer 30-day retention with destruction certificate issued shortly after closure; the firm accommodates with engagement-letter documentation. Destruction follows NIST 800-88 Clear/Purge guidelines: cryptographic erasure for encrypted storage, overwrite for non-encrypted, physical destruction for failed media. Destruction certificate available on client request as part of engagement closure. Backup-cycle data is destroyed on rolling schedule per the encryption pillar; no client data persists beyond the documented retention window plus the defined backup-cycle clearing period.

Q.05Does Othello use AI tools to process client data?

No client data is processed through public AI tools, free translation engines, or unmanaged third-party services. The no-outsourcing rule extends to algorithmic services: client data does not enter ChatGPT, free translation engines, public LLM APIs, or any service where the data could be used for model training or could be accessed outside the firm’s documented sub-processor list. Where AI-assisted tooling is used within bench work, it is through enterprise-grade contracts with documented data handling terms: no model training on client data, no retention beyond processing window, encryption in transit and at rest, full audit logging. The firm’s stance on AI tooling is documented in the engagement letter: if the client wants to restrict AI tooling entirely from their engagement, the restriction is implemented; if the client wants AI-assisted work, the specific terms are agreed. Bench credentials prioritise substantive technical and domain expertise over AI-augmentation — consistent with the firm’s substantive-over-performative positioning.

Q.06What sub-processors does Othello use?

The current sub-processor list is documented internally and supplied to procurement reviewers under NDA on request. Typical sub-processor categories: enterprise cloud infrastructure (compute, storage), enterprise productivity suite (collaboration, documents), enterprise email and secure messaging, security tooling (endpoint protection, access management), and engagement-specific tooling where required (specialised translation memory tools, ESG reporting platforms). All substantive-content sub-processors operate under Data Processing Agreements aligned with GDPR Article 28 and PDPA Section 40; the firm’s standard DPA is non-negotiable on substantive terms (encryption, access controls, breach notification timeline, sub-processing disclosure, data return-or-destruction at end). Substantive changes to the sub-processor list are notified to active-engagement clients with reasonable advance notice, allowing the client to raise objection within the engagement letter terms.

Q.07What audit trail does Othello maintain on client data?

Engagement-by-engagement documentation chain is maintained in the firm’s engagement ledger. Documented events per engagement: intake (timestamp, channel, file inventory, NDA status), access (named-user accesses, timestamps), processing (working document revisions, methodology decisions), transmission (delivery events, channels, recipients), retention (extension events, statutory hold flags), and destruction (certified destruction event, certificate identifier). The engagement ledger is the substantive procurement-grade audit-trail discipline inherited from the firm’s 2020 US Government contract origin — not a retrofitted commercial control but the practice the firm was founded operating under. The ledger is available to client procurement reviewers under NDA as part of vendor onboarding or post-incident review. Substantive material non-public information engagements (capital markets, healthcare PHI, legal-privilege-relevant) may have engagement-specific audit-trail enhancements documented in the engagement letter.

Q.08Does Othello have ISO 27001 / SOC 2 certification?

Othello does not currently hold ISO 27001 or SOC 2 Type II certification at firm level. The firm’s data-security posture rests on the GDPR + PDPA credentials documented at firm level, the FAR-grade contractor verification origin from US Government contracts, and the operationally documented controls described on this page. For clients with mandatory ISO 27001 / SOC 2 vendor requirements, the substantive sub-processors (enterprise cloud infrastructure, enterprise productivity suite) typically hold these certifications, and the firm’s DPA terms enforce the underlying controls regardless of certification status. Where a client requires a substantively equivalent attestation, the firm can provide its internal Information Security Policy under NDA, supplied with the sub-processor list and engagement ledger sample, for the client’s vendor-vetting review. The firm is open about what it holds and what it does not hold — honest scoping is the standing principle.

Q.09What happens to data on bench-member departure?

Access is revoked within one business day of bench-member departure, formally cycled through the firm’s access management system. No client data is stored on bench-member personal devices; all working is in the firm-managed cloud environment, so departure does not transfer any data physically off-firm. Departing bench members are subject to ongoing confidentiality obligations under the firm’s mutual NDA — the NDA is mutual (firm-bench), and the confidentiality obligation survives the bench engagement. For engagements with elevated sensitivity (capital markets MNPI, legal privilege, healthcare PHI), additional engagement-specific confidentiality terms apply documented in the engagement letter; bench members assigned to such engagements have specific exit procedures including written confirmation of returned/destroyed materials. The bench has been stable since founding 2020; bench turnover is low, and the documentation discipline supports a clean handover when departure does occur.

Q.10How do we complete vendor-vetting documentation for Othello?

The vendor-vetting documentation set comprises four publicly accessible documents and three NDA-protected documents. Publicly accessible: this Data Security page (operational controls), Compliance Center at /compliance/ (regulatory regimes), GDPR + PDPA credential pages at /certifications/ (regulatory backbone), NDA Standard at /nda-confidentiality/, Privacy Policy, Terms of Service. Available under NDA on request: the firm’s Information Security Policy (internal operational policy document), the current sub-processor list (substantive vendors with DPA evidence), and an engagement ledger sample redacted to remove client-identifying information (demonstrating the audit-trail discipline). To initiate vendor-vetting: contact [email protected] with the procurement team’s vendor-onboarding requirements; the firm typically completes a full vendor-vetting documentation supply within 3-5 business days of NDA execution. For accelerated vetting (where the engagement scoping is time-sensitive), 1-2 business day completion is available on request. Founded 2020 on US Government bilingual contracts under FAR-grade contractor verification, the firm’s standing position is that procurement-grade documentation is a precondition for substantive engagement, not a friction to be minimised. Email [email protected] or call +66 02-859-2145.

Data security operationally documented. Twenty credentials behind the practice.

The operational data-security controls described on this page are inherited from Othello’s FAR-grade origin and operationalised through the firm’s GDPR + PDPA credentials, NDA Standard, Compliance Center, and 20-credential register — one bench, one audit trail, one engagement letter, one set of controls applied to every engagement regardless of size or sector. For procurement reviewers, corporate counsel, security teams, and vendor risk officers vetting Othello, the full documentation set (Information Security Policy, sub-processor list, engagement ledger sample) is available under NDA on request, typically supplied within 3-5 business days of NDA execution. ≤1 BH acknowledgement · vendor-vetting scoping within 1 BD · NDA from first email.

+66 02-859-2145 · [email protected]
Unit 12-03, Chartered Square · 152 N Sathon Rd · Si Lom · Bangkok 10500
Data Security Posture · AES-256 At Rest · TLS 1.3 In Transit · NDA From First Email · Mutual Confidentiality · Bangkok-Managed · No Outsourcing Of Substantive Work · GDPR + PDPA Regulatory Backbone · 72-Hour Breach Notification · PDPA = GDPR Aligned · 90-Day Default Retention · NIST 800-88 Destruction · Least-Privilege Access Controls · MFA Mandatory · Sub-Processor List Documented · DPA-First Vendor Management · Engagement Ledger Audit Trail · No Public AI Tools On Client Data · FAR-Grade Origin From 2020 US Government Contracts · 20 Credentials On The Register · Pairs With Compliance Center · NDA Standard · Privacy Policy · Terms Of Service Othello International