{"id":13556,"date":"2025-03-24T06:06:18","date_gmt":"2025-03-24T06:06:18","guid":{"rendered":"https:\/\/www.othellointernational.com\/?page_id=13556"},"modified":"2026-05-31T00:00:32","modified_gmt":"2026-05-31T00:00:32","slug":"data-security-confidentiality-thailand","status":"publish","type":"page","link":"https:\/\/www.othellointernational.com\/th\/company\/data-security-confidentiality-thailand\/","title":{"rendered":"\u0e01\u0e32\u0e23\u0e23\u0e31\u0e01\u0e29\u0e32\u0e04\u0e27\u0e32\u0e21\u0e1b\u0e25\u0e2d\u0e14\u0e20\u0e31\u0e22\u0e02\u0e2d\u0e07\u0e02\u0e49\u0e2d\u0e21\u0e39\u0e25"},"content":{"rendered":"\n<!-- ===================================================================\n     OTHELLO INTERNATIONAL \u2014 DATA SECURITY \u00b7 v12 INTERACTIVE\n     URL: \/data-security\/\n     Firm-level posture statement \u00b7 linked from footer compliance bar\n     Pairs with: GDPR + PDPA detail pages + Compliance Center + NDA Standard\n     Operationally focused: NOT a regulatory overview (Compliance Center handles that)\n   =================================================================== -->\n\n<style>\n\n@import url('https:\/\/fonts.googleapis.com\/css2?family=Poppins:wght@300;400;500;600;700;800;900&family=Fraunces:ital,wght@0,300;0,400;0,500;0,600;0,700;1,300;1,400;1,500;1,600;1,700&family=JetBrains+Mono:wght@400;500;600;700&family=Sarabun:wght@400;500;600;700&display=swap');\n\n.oth-ds{\n  --k:#000;--k0:#050505;--k1:#0a0a0a;--k2:#141414;--k3:#1a1a1a;--k4:#1f1f1f;\n  --line:#242424;--line2:rgba(255,255,255,.06);\n  --r:#ED4036;--r1:#FF5046;--r2:#C2261C;--r3:#8a1a13;--r4:rgba(237,64,54,.1);\n  --w:#fff;--w1:rgba(255,255,255,.84);--w2:rgba(255,255,255,.60);--w3:rgba(255,255,255,.42);--w4:rgba(255,255,255,.20);\n  --gold:#FF5046;--gold1:#FF6B5C;--g:#4ade80;--blue:#3b82f6;--amber:#f59e0b;\n  --s:'Poppins',-apple-system,sans-serif;--d:'Fraunces',Georgia,serif;\n  --m:'JetBrains Mono',Menlo,monospace;--th:'Sarabun',sans-serif;\n  --ease:cubic-bezier(.16,1,.3,1);\n  font-family:var(--s);color:var(--w);background:var(--k);line-height:1.6;font-size:16px;\n  margin:0;padding:0;width:100%;overflow-x:hidden;scroll-behavior:smooth;scroll-padding-top:76px;\n}\n.oth-ds *,.oth-ds *::before,.oth-ds *::after{box-sizing:border-box}\n.oth-ds .wrap{max-width:1340px;margin:0 auto;padding:0 40px}\n.oth-ds a:focus-visible,.oth-ds button:focus-visible,.oth-ds summary:focus-visible{outline:2px solid var(--r1);outline-offset:3px;border-radius:2px}\n\n.oth-ds [data-reveal]{opacity:1;transform:none;transition:opacity .9s var(--ease),transform .9s var(--ease)}\n.oth-ds.js-on [data-reveal]:not(.in){opacity:0;transform:translateY(24px)}\n.oth-ds [data-reveal].in{opacity:1;transform:translateY(0)}\n.oth-ds [data-reveal-stagger] > *{opacity:1;transform:none;transition:opacity .8s var(--ease),transform .8s var(--ease)}\n.oth-ds.js-on [data-reveal-stagger]:not(.in) > *{opacity:0;transform:translateY(20px)}\n.oth-ds [data-reveal-stagger].in > *:nth-child(1){transition-delay:0s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(2){transition-delay:.06s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(3){transition-delay:.12s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(4){transition-delay:.18s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(5){transition-delay:.24s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(6){transition-delay:.30s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(7){transition-delay:.36s}\n.oth-ds [data-reveal-stagger].in > *:nth-child(8){transition-delay:.42s}\n.oth-ds [data-reveal-stagger].in > *{opacity:1;transform:translateY(0)}\n\n.oth-ds .eyebrow{display:inline-flex;align-items:center;gap:14px;font-family:var(--m);font-size:11px;font-weight:600;letter-spacing:.18em;text-transform:uppercase;color:var(--r);margin-bottom:22px}\n.oth-ds .eyebrow::before{content:\"\";width:36px;height:1px;background:var(--r)}\n.oth-ds h2.title{font-size:clamp(34px,4.6vw,58px);line-height:1.06;font-weight:700;letter-spacing:-.025em;margin:0 0 22px;color:var(--w)}\n.oth-ds h2.title em{font-family:var(--d);font-style:italic;font-weight:500;color:var(--r)}\n.oth-ds .lead{font-size:17px;color:var(--w1);max-width:74ch;line-height:1.65}\n.oth-ds .lead strong{color:var(--w);font-weight:600}\n.oth-ds .lead em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .lead a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n.oth-ds .lead a:hover{border-bottom-color:var(--r)}\n.oth-ds .section{padding:110px 0;background:var(--k);position:relative}\n.oth-ds .section.alt{background:var(--k1)}\n.oth-ds .section-head{margin-bottom:56px;max-width:920px}\n.oth-ds .section-head.center{margin-left:auto;margin-right:auto;text-align:center}\n.oth-ds .section-head.center .eyebrow{justify-content:center}\n.oth-ds .section-head.center .eyebrow::after{content:\"\";width:36px;height:1px;background:var(--r);margin-left:14px}\n\n.oth-ds .btn{display:inline-flex;align-items:center;gap:12px;padding:17px 30px;font-family:var(--s);font-size:13px;font-weight:600;letter-spacing:.06em;text-transform:uppercase;text-decoration:none;border-radius:4px;transition:all .35s var(--ease);cursor:pointer;border:2px solid;position:relative;overflow:hidden}\n.oth-ds .btn::after{content:\"\u2192\";font-family:var(--d);font-style:italic;font-size:17px;transition:transform .3s var(--ease)}\n.oth-ds .btn:hover::after{transform:translateX(5px)}\n.oth-ds .btn-primary{background:var(--r);color:var(--w) !important;border-color:var(--r)}\n.oth-ds .btn-primary:hover{background:var(--r1);border-color:var(--r1);transform:translateY(-3px);box-shadow:0 16px 40px rgba(237,64,54,.45)}\n.oth-ds .btn-outline{background:transparent;color:var(--w) !important;border-color:var(--w4)}\n.oth-ds .btn-outline:hover{background:var(--w);color:var(--k) !important;border-color:var(--w);transform:translateY(-3px)}\n\n@keyframes ds-pulse{0%,100%{box-shadow:0 0 0 0 rgba(74,222,128,.6)}50%{box-shadow:0 0 0 10px rgba(74,222,128,0)}}\n@keyframes ds-shimmer{0%{background-position:200% 50%}100%{background-position:-200% 50%}}\n@keyframes ds-glow{0%,100%{opacity:1}50%{opacity:.7}}\n@keyframes ds-arrow{0%,100%{transform:translateX(0)}50%{transform:translateX(6px)}}\n\n.oth-ds .strip{background:var(--k1);border-bottom:1px solid var(--line);padding:12px 0;font-family:var(--m);font-size:11px;letter-spacing:.12em;text-transform:uppercase;color:var(--w2)}\n.oth-ds .strip-row{display:flex;align-items:center;justify-content:space-between;gap:24px;flex-wrap:wrap}\n.oth-ds .strip-row .l{display:flex;align-items:center;gap:12px}\n.oth-ds .strip-dot{width:8px;height:8px;background:var(--g);border-radius:50%;animation:ds-pulse 2s ease-in-out infinite}\n.oth-ds .strip-row .r{color:var(--w3)}\n.oth-ds .strip-row .r b{color:var(--w);font-weight:500}\n\n.oth-ds .crumb{background:var(--k);border-bottom:1px solid var(--line);padding:18px 0;font-family:var(--m);font-size:11px;letter-spacing:.10em;text-transform:uppercase;color:var(--w3)}\n.oth-ds .crumb a{color:var(--w2);text-decoration:none;transition:color .2s}\n.oth-ds .crumb a:hover{color:var(--r)}\n.oth-ds .crumb .sep{margin:0 12px;color:var(--w4)}\n.oth-ds .crumb .here{color:var(--w)}\n\n\/* ============ HERO ============ *\/\n.oth-ds .hero{padding:90px 0 120px;background:var(--k);position:relative;overflow:hidden}\n.oth-ds .hero::before{content:\"\";position:absolute;inset:0;background:radial-gradient(ellipse 1400px 900px at 78% 25%,rgba(237,64,54,.22),transparent 60%),radial-gradient(ellipse 700px 500px at 12% 80%,rgba(237,64,54,.08),transparent 60%);pointer-events:none;animation:ds-glow 8s ease-in-out infinite}\n.oth-ds .hero::after{content:\"\";position:absolute;inset:0;background-image:linear-gradient(rgba(255,255,255,.03) 1px,transparent 1px),linear-gradient(90deg,rgba(255,255,255,.03) 1px,transparent 1px);background-size:64px 64px;pointer-events:none;mask-image:radial-gradient(ellipse 1400px 800px at 50% 30%,black,transparent 75%);-webkit-mask-image:radial-gradient(ellipse 1400px 800px at 50% 30%,black,transparent 75%)}\n.oth-ds .hero-inner{position:relative;z-index:2}\n.oth-ds .hero-tag{display:inline-flex;align-items:center;gap:14px;padding:10px 22px;background:rgba(237,64,54,.12);border:1px solid rgba(237,64,54,.35);border-radius:100px;font-family:var(--m);font-size:11px;letter-spacing:.16em;text-transform:uppercase;color:var(--r1);font-weight:600;margin-bottom:30px;backdrop-filter:blur(6px);-webkit-backdrop-filter:blur(6px);box-shadow:0 0 30px rgba(237,64,54,.15)}\n.oth-ds .hero-tag .dot{width:7px;height:7px;background:var(--g);border-radius:50%;animation:ds-pulse 2s ease-in-out infinite}\n\n.oth-ds .hero h1{font-size:clamp(34px,5.4vw,68px);line-height:1.04;font-weight:700;letter-spacing:-.03em;margin:0 0 30px;color:var(--w);max-width:26ch}\n.oth-ds .hero h1 em{font-family:var(--d);font-style:italic;font-weight:500;color:var(--r);background:linear-gradient(90deg,var(--r) 0%,var(--r1) 30%,var(--gold) 50%,var(--r1) 70%,var(--r) 100%);background-size:200% 100%;-webkit-background-clip:text;background-clip:text;-webkit-text-fill-color:transparent;animation:ds-shimmer 6s linear infinite}\n.oth-ds .hero h1 .arrow{display:inline-flex;align-items:center;color:var(--r);animation:ds-arrow 2.5s ease-in-out infinite;margin:0 .1em;font-family:var(--d);font-style:italic;font-weight:300}\n\n.oth-ds .hero-grid{display:grid;grid-template-columns:minmax(0,1.45fr) minmax(0,1fr);gap:56px;align-items:start;margin-top:24px}\n.oth-ds .hero-left p{font-size:17px;line-height:1.7;color:var(--w1);margin:0 0 32px;max-width:66ch}\n.oth-ds .hero-left p strong{color:var(--w);font-weight:600}\n.oth-ds .hero-left p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .hero-left p a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n\n.oth-ds .hs-grid{display:grid;grid-template-columns:repeat(4,1fr);gap:1px;background:var(--line);border:1px solid var(--line);margin-bottom:32px;position:relative;overflow:hidden}\n.oth-ds .hs{background:var(--k1);padding:24px 20px;transition:all .4s var(--ease);position:relative;overflow:hidden}\n.oth-ds .hs::before{content:\"\";position:absolute;inset:0;background:radial-gradient(circle at 50% 100%,rgba(237,64,54,.15),transparent 70%);opacity:0;transition:opacity .4s var(--ease)}\n.oth-ds .hs:hover::before{opacity:1}\n.oth-ds .hs:hover{background:var(--k3);transform:translateY(-3px)}\n.oth-ds .hs .ic{width:28px;height:28px;color:var(--r);margin-bottom:14px;position:relative;z-index:2;transition:transform .4s var(--ease)}\n.oth-ds .hs:hover .ic{transform:scale(1.15) rotate(-5deg)}\n.oth-ds .hs .ic svg{width:100%;height:100%}\n.oth-ds .hs .v{font-family:var(--d);font-style:italic;font-weight:500;font-size:42px;line-height:1;color:var(--r);margin-bottom:6px;letter-spacing:-.02em;position:relative;z-index:2;display:flex;align-items:baseline;gap:2px}\n.oth-ds .hs .v .num{display:inline-block;min-width:1ch}\n.oth-ds .hs .v .sm{font-size:.40em;color:var(--w2);font-style:normal;font-family:var(--m);font-weight:600;letter-spacing:.02em;margin-left:3px}\n.oth-ds .hs .lb{font-family:var(--m);font-size:9.5px;letter-spacing:.10em;text-transform:uppercase;color:var(--w2);font-weight:600;margin-bottom:4px;line-height:1.3;position:relative;z-index:2}\n.oth-ds .hs .sb{font-size:10.5px;color:var(--w3);line-height:1.4;position:relative;z-index:2}\n\n.oth-ds .hctas{display:flex;gap:14px;flex-wrap:wrap}\n\n\/* Posture card *\/\n.oth-ds .lp-card{background:linear-gradient(135deg,var(--k3) 0%,var(--k1) 100%);border:1px solid var(--line);padding:36px 30px;position:relative;overflow:hidden;transition:all .5s var(--ease)}\n.oth-ds .lp-card:hover{box-shadow:0 20px 60px rgba(0,0,0,.5),0 0 30px rgba(237,64,54,.15);border-color:rgba(237,64,54,.20)}\n.oth-ds .lp-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n.oth-ds .lp-card:hover::before{width:6px}\n.oth-ds .lp-card::after{content:\"\";position:absolute;inset:0;background:radial-gradient(circle at 100% 0%,rgba(237,64,54,.18),transparent 50%);opacity:.5;transition:opacity .5s var(--ease);pointer-events:none}\n.oth-ds .lp-card:hover::after{opacity:1}\n.oth-ds .lp-lb{font-family:var(--m);font-size:10px;letter-spacing:.16em;text-transform:uppercase;color:var(--r);margin-bottom:18px;display:flex;align-items:center;gap:8px;font-weight:600;position:relative;z-index:2}\n.oth-ds .lp-lb::before{content:\"\u25cf\";color:var(--g);animation:ds-pulse 2s ease-in-out infinite}\n.oth-ds .lp-head{font-family:var(--d);font-style:italic;font-size:22px;font-weight:500;color:var(--w);letter-spacing:-.015em;line-height:1.2;margin-bottom:22px;position:relative;z-index:2}\n.oth-ds .lp-head em{color:var(--r);font-weight:600}\n.oth-ds .lp-items{margin:0;padding:0;list-style:none;position:relative;z-index:2;display:grid;gap:8px}\n.oth-ds .lp-item{padding:13px 16px;background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);transition:all .3s var(--ease);display:grid;grid-template-columns:auto 1fr;gap:14px;align-items:center}\n.oth-ds .lp-item:hover{border-left-width:5px;transform:translateX(4px);background:var(--k2)}\n.oth-ds .lp-item.gold{border-left-color:var(--gold)}\n.oth-ds .lp-k{font-family:var(--m);font-size:9.5px;letter-spacing:.10em;color:var(--r);font-weight:700;background:rgba(237,64,54,.10);padding:4px 8px;border-radius:2px;line-height:1;white-space:nowrap;text-transform:uppercase}\n.oth-ds .lp-item.gold .lp-k{color:var(--gold);background:rgba(237,64,54,.10)}\n.oth-ds .lp-v{font-family:var(--s);font-size:12.5px;font-weight:600;color:var(--w);letter-spacing:-.005em;line-height:1.3}\n.oth-ds .lp-v b{color:var(--r);font-weight:700}\n.oth-ds .lp-item.gold .lp-v b{color:var(--gold)}\n\n@media (max-width:1024px){\n  .oth-ds .hero-grid{grid-template-columns:1fr;gap:40px}\n  .oth-ds .hs-grid{grid-template-columns:repeat(2,1fr)}\n}\n@media (max-width:600px){\n  .oth-ds .wrap{padding:0 22px}\n  .oth-ds .hero{padding:48px 0 64px}\n  .oth-ds .section{padding:64px 0}\n  .oth-ds .hero h1{font-size:32px}\n  .oth-ds .hctas{flex-direction:column}\n  .oth-ds .btn{justify-content:center;width:100%}\n  .oth-ds .hs .v{font-size:32px}\n}\n@media (prefers-reduced-motion:reduce){\n  .oth-ds *,.oth-ds *::before,.oth-ds *::after{animation-duration:.01ms !important;transition-duration:.01ms !important}\n  .oth-ds [data-reveal],.oth-ds [data-reveal-stagger] > *{opacity:1 !important;transform:none !important}\n}\n\/* ============ THE ATA CREDENTIAL MODEL ============ *\/\n.oth-ds .pm-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-ds .pm-sec::before{content:\"\";position:absolute;top:-100px;left:50%;width:1200px;height:600px;background:radial-gradient(ellipse,rgba(237,64,54,.06),transparent 70%);transform:translateX(-50%);pointer-events:none}\n.oth-ds .pm-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:18px;position:relative;z-index:2}\n.oth-ds .pm-card{background:linear-gradient(135deg,var(--k2) 0%,var(--k3) 100%);border:1px solid var(--line);padding:36px 32px;position:relative;overflow:hidden;transition:all .5s var(--ease);display:flex;flex-direction:column}\n.oth-ds .pm-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n.oth-ds .pm-card:hover::before{width:6px}\n.oth-ds .pm-card::after{content:\"\";position:absolute;top:0;right:0;width:240px;height:240px;background:radial-gradient(circle at 100% 0%,rgba(237,64,54,.14),transparent 70%);opacity:0;transition:opacity .5s var(--ease);pointer-events:none}\n.oth-ds .pm-card:hover::after{opacity:1}\n.oth-ds .pm-card:hover{background:var(--k3);border-color:rgba(237,64,54,.4);transform:translateY(-5px);box-shadow:0 20px 50px rgba(0,0,0,.5)}\n.oth-ds .pm-num{font-family:var(--m);font-size:10px;letter-spacing:.14em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:14px;position:relative;z-index:2;padding:5px 12px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:2px;display:inline-block;width:fit-content}\n.oth-ds .pm-card h3{font-family:var(--d);font-style:italic;font-size:22px;font-weight:600;color:var(--w);margin:0 0 14px;line-height:1.2;letter-spacing:-.005em;position:relative;z-index:2}\n.oth-ds .pm-card h3 em{color:var(--r);font-style:italic;font-weight:600}\n.oth-ds .pm-card p{font-size:13.5px;line-height:1.7;color:var(--w1);margin:0 0 14px;position:relative;z-index:2}\n.oth-ds .pm-card p strong{color:var(--w);font-weight:600}\n.oth-ds .pm-card p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .pm-spec{margin-top:auto;padding-top:14px;border-top:1px dashed var(--line);position:relative;z-index:2;display:grid;gap:6px}\n.oth-ds .pm-spec-row{display:flex;justify-content:space-between;gap:10px;font-family:var(--m);font-size:11px;align-items:baseline}\n.oth-ds .pm-spec-k{color:var(--w3);letter-spacing:.08em;text-transform:uppercase;font-size:9px;font-weight:600}\n.oth-ds .pm-spec-v{color:var(--w);font-weight:600;font-size:11px;text-align:right;letter-spacing:.02em}\n.oth-ds .pm-spec-v b{color:var(--r);font-weight:700}\n@media (max-width:1024px){.oth-ds .pm-grid{grid-template-columns:1fr;gap:14px}}\n@media (max-width:600px){.oth-ds .pm-card{padding:28px 24px}}\n\/* ============ \u00a702 \u2014 BENCH PRACTITIONER CREDENTIALS ============ *\/\n.oth-ds .bp-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-ds .bp-sec::before{content:\"\";position:absolute;top:20%;right:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.06),transparent 70%);border-radius:50%;pointer-events:none}\n.oth-ds .bp-domain{margin-bottom:48px;position:relative;z-index:2}\n.oth-ds .bp-domain:last-child{margin-bottom:0}\n.oth-ds .bp-domain-head{display:flex;align-items:baseline;justify-content:space-between;gap:18px;flex-wrap:wrap;padding-bottom:16px;margin-bottom:20px;border-bottom:1px solid var(--line)}\n.oth-ds .bp-dh-l{display:flex;align-items:baseline;gap:14px}\n.oth-ds .bp-dnum{font-family:var(--m);font-size:11px;font-weight:700;letter-spacing:.10em;color:var(--r);background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:3px;padding:5px 11px;white-space:nowrap}\n.oth-ds .bp-dh-l h3{font-family:var(--d);font-style:italic;font-size:clamp(22px,2.6vw,30px);font-weight:600;color:var(--w);letter-spacing:-.01em;line-height:1.15;margin:0}\n.oth-ds .bp-dh-l h3 em{color:var(--r);font-style:italic;font-weight:600}\n.oth-ds .bp-anchor{font-family:var(--m);font-size:10.5px;letter-spacing:.10em;text-transform:uppercase;color:var(--w3);text-align:right}\n.oth-ds .bp-anchor b{color:var(--w);font-weight:600}\n.oth-ds .bp-grid{display:grid;grid-template-columns:repeat(2,1fr);gap:12px}\n.oth-ds .bp-grid.c3{grid-template-columns:repeat(3,1fr)}\n.oth-ds .bpc{background:var(--k2);border:1px solid var(--line);border-left:3px solid var(--r);padding:18px 20px 16px;transition:all .3s var(--ease);display:grid;grid-template-columns:auto 1fr;gap:14px;align-items:start}\n.oth-ds .bpc:hover{background:var(--k3);border-left-width:5px;transform:translateX(4px);box-shadow:0 8px 20px rgba(0,0,0,.3)}\n.oth-ds .bpc-tag{font-family:var(--m);font-size:9.5px;font-weight:700;letter-spacing:.10em;color:var(--r);background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.25);border-radius:2px;padding:5px 9px;line-height:1;white-space:nowrap;align-self:start;text-transform:uppercase;margin-top:3px}\n.oth-ds .bpc-body{font-size:12.5px;line-height:1.55;color:var(--w1)}\n.oth-ds .bpc-name{font-family:var(--d);font-style:italic;font-size:15.5px;font-weight:600;color:var(--w);display:block;margin-bottom:4px;letter-spacing:-.005em}\n.oth-ds .bpc-issuer{font-family:var(--m);font-size:10.5px;color:var(--w3);letter-spacing:.04em;margin-bottom:5px;font-weight:500}\n.oth-ds .bpc-issuer b{color:var(--r);font-weight:600}\n.oth-ds .bpc-body p{font-size:12px;line-height:1.6;color:var(--w2);margin:0}\n.oth-ds .bpc-body p strong{color:var(--w);font-weight:600}\n@media (max-width:900px){.oth-ds .bp-grid,.oth-ds .bp-grid.c3{grid-template-columns:1fr}}\n\/* ============ COVERAGE (32 PAIRS) ============ *\/\n.oth-ds .cov-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-ds .cov-sec::before{content:\"\";position:absolute;top:-100px;left:50%;width:1200px;height:600px;background:radial-gradient(ellipse,rgba(237,64,54,.06),transparent 70%);transform:translateX(-50%);pointer-events:none}\n.oth-ds .cov-grid{display:grid;grid-template-columns:1fr 1fr;gap:18px;position:relative;z-index:2}\n.oth-ds .cov-col{background:var(--k2);border:1px solid var(--line);padding:32px 30px;position:relative;overflow:hidden;transition:all .4s var(--ease)}\n.oth-ds .cov-col::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:var(--r);transition:width .35s var(--ease)}\n.oth-ds .cov-col:hover::before{width:6px}\n.oth-ds .cov-col:hover{background:var(--k3);border-color:rgba(237,64,54,.3)}\n.oth-ds .cov-head{display:flex;align-items:baseline;justify-content:space-between;gap:12px;padding-bottom:16px;margin-bottom:18px;border-bottom:1px solid var(--line)}\n.oth-ds .cov-dir{font-family:var(--d);font-style:italic;font-size:26px;font-weight:600;color:var(--w);letter-spacing:-.01em}\n.oth-ds .cov-dir span{color:var(--r);font-style:normal;margin:0 4px}\n.oth-ds .cov-count{font-family:var(--m);font-size:10px;letter-spacing:.12em;text-transform:uppercase;color:var(--w3);font-weight:600;white-space:nowrap}\n.oth-ds .cov-list{list-style:none;margin:0;padding:0;columns:2;column-gap:24px}\n.oth-ds .cov-list li{font-family:var(--s);font-size:14px;font-weight:500;color:var(--w1);padding:7px 0 7px 22px;position:relative;break-inside:avoid;border-bottom:1px dotted var(--line)}\n.oth-ds .cov-list li::before{content:\"\u2713\";position:absolute;left:0;top:7px;color:var(--r);font-size:12px;font-weight:700}\n.oth-ds .cov-foot{font-family:var(--m);font-size:10.5px;line-height:1.7;color:var(--w3);letter-spacing:.02em;margin:24px 0 0;padding:16px 20px;background:var(--k);border:1px solid var(--line);position:relative;z-index:2}\n.oth-ds .cov-foot b{color:var(--r);font-weight:700}\n@media (max-width:900px){.oth-ds .cov-grid{grid-template-columns:1fr;gap:14px}}\n@media (max-width:600px){.oth-ds .cov-list{columns:1}.oth-ds .cov-col{padding:26px 22px}}\n\n\/* ============ QUALITY DISCIPLINE \/ WORKFLOW + THAI GAP ============ *\/\n.oth-ds .qd-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-ds .qd-sec.alt{background:var(--k1)}\n.oth-ds .qd-sec::before{content:\"\";position:absolute;top:30%;right:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.05),transparent 70%);border-radius:50%;pointer-events:none}\n.oth-ds .qd-block{background:linear-gradient(135deg,rgba(237,64,54,.08) 0%,var(--k3) 100%);border:1px solid rgba(237,64,54,.30);padding:48px 44px;position:relative;overflow:hidden;transition:all .5s var(--ease)}\n.oth-ds .qd-block::before{content:\"\";position:absolute;top:0;left:0;width:6px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n.oth-ds .qd-block:hover::before{width:8px}\n.oth-ds .qd-block.wf::after{content:\"QA\";position:absolute;top:-30px;right:-15px;font-family:var(--d);font-style:italic;font-size:clamp(100px,13vw,220px);line-height:1;color:var(--r);opacity:.06;font-weight:600;pointer-events:none;letter-spacing:-.03em}\n.oth-ds .qd-block.thai::after{content:\"TH\";position:absolute;top:-30px;right:-15px;font-family:var(--d);font-style:italic;font-size:clamp(100px,13vw,220px);line-height:1;color:var(--r);opacity:.06;font-weight:600;pointer-events:none;letter-spacing:-.03em}\n.oth-ds .qd-block:hover{transform:translateY(-3px);box-shadow:0 24px 60px rgba(0,0,0,.5),0 0 40px rgba(237,64,54,.12);border-color:rgba(237,64,54,.5)}\n.oth-ds .qd-eye{font-family:var(--m);font-size:10.5px;letter-spacing:.16em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:14px;position:relative;z-index:2;display:flex;align-items:center;gap:8px}\n.oth-ds .qd-eye::before{content:\"\u25cf\";color:var(--r);animation:ds-pulse 2s ease-in-out infinite}\n.oth-ds .qd-block h3{font-family:var(--d);font-style:italic;font-size:clamp(26px,3.4vw,32px);font-weight:500;color:var(--w);margin:0 0 18px;line-height:1.2;letter-spacing:-.01em;position:relative;z-index:2;max-width:36ch}\n.oth-ds .qd-block h3 em{color:var(--r);font-style:italic;font-weight:600}\n.oth-ds .qd-block > p{font-size:14.5px;line-height:1.7;color:var(--w1);margin:0 0 14px;position:relative;z-index:2;max-width:82ch}\n.oth-ds .qd-block > p strong{color:var(--w);font-weight:600}\n.oth-ds .qd-block > p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .qd-block > p a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n.oth-ds .qd-steps{display:grid;grid-template-columns:repeat(2,1fr);gap:10px;margin-top:24px;padding-top:24px;border-top:1px solid rgba(237,64,54,.20);position:relative;z-index:2}\n.oth-ds .qd-step{background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);padding:16px 20px;transition:all .3s var(--ease);display:grid;grid-template-columns:64px 1fr;gap:14px;align-items:start}\n.oth-ds .qd-step:hover{background:var(--k2);transform:translateX(4px);border-left-width:5px}\n.oth-ds .qd-step .qs-num{font-family:var(--m);font-size:9px;color:var(--r);font-weight:700;letter-spacing:.10em;padding:5px 8px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.25);border-radius:2px;text-align:center;line-height:1.2;white-space:nowrap;align-self:start;text-transform:uppercase}\n.oth-ds .qd-step .qs-body{font-size:12.5px;line-height:1.65;color:var(--w1)}\n.oth-ds .qd-step .qs-title{font-family:var(--d);font-style:italic;font-size:14.5px;font-weight:600;color:var(--w);display:block;margin-bottom:4px;letter-spacing:-.005em}\n.oth-ds .qd-step .qs-body strong{color:var(--w);font-weight:600}\n.oth-ds .qd-step .qs-body em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n@media (max-width:1024px){.oth-ds .qd-steps{grid-template-columns:1fr;gap:8px}}\n@media (max-width:600px){.oth-ds .qd-block{padding:32px 28px}.oth-ds .qd-block h3{font-size:22px}.oth-ds .qd-step{grid-template-columns:1fr;gap:8px;padding:14px 16px}}\n\/* ============ ADJACENT SERVICES ============ *\/\n.oth-ds .as-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-ds .as-sec::before{content:\"\";position:absolute;top:30%;right:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.05),transparent 70%);border-radius:50%;pointer-events:none}\n.oth-ds .as-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:18px;position:relative;z-index:2}\n.oth-ds .as-card{background:var(--k2);border:1px solid var(--line);padding:32px 30px;text-decoration:none;color:inherit;position:relative;overflow:hidden;transition:all .4s var(--ease);display:flex;flex-direction:column}\n.oth-ds .as-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:var(--r);transition:width .35s var(--ease)}\n.oth-ds .as-card:hover::before{width:6px}\n.oth-ds .as-card.gold::before{background:linear-gradient(180deg,var(--gold) 0%,var(--r) 100%)}\n.oth-ds .as-card.gold{background:linear-gradient(135deg,rgba(237,64,54,.06) 0%,var(--k3) 100%);border-color:rgba(237,64,54,.30)}\n.oth-ds .as-card.gold:hover{border-color:rgba(237,64,54,.5);box-shadow:0 20px 50px rgba(0,0,0,.4),0 0 30px rgba(237,64,54,.12)}\n.oth-ds .as-card:not(.gold):hover{background:var(--k3);border-color:rgba(237,64,54,.4);transform:translateY(-3px);box-shadow:0 20px 50px rgba(0,0,0,.4)}\n.oth-ds .as-card.gold:hover{transform:translateY(-3px)}\n.oth-ds .as-icon{width:48px;height:48px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:8px;display:flex;align-items:center;justify-content:center;margin-bottom:18px;transition:all .35s var(--ease)}\n.oth-ds .as-card.gold .as-icon{background:rgba(237,64,54,.10);border-color:rgba(237,64,54,.30)}\n.oth-ds .as-card:hover .as-icon{transform:scale(1.1) rotate(-5deg);background:rgba(237,64,54,.18);border-color:rgba(237,64,54,.5)}\n.oth-ds .as-card.gold:hover .as-icon{background:rgba(237,64,54,.18);border-color:rgba(237,64,54,.5)}\n.oth-ds .as-icon svg{width:24px;height:24px;stroke:var(--r);fill:none;stroke-width:1.8;stroke-linecap:round;stroke-linejoin:round}\n.oth-ds .as-card.gold .as-icon svg{stroke:var(--gold)}\n.oth-ds .as-tag{font-family:var(--m);font-size:9.5px;letter-spacing:.12em;color:var(--r);font-weight:700;margin-bottom:8px;text-transform:uppercase}\n.oth-ds .as-card.gold .as-tag{color:var(--gold)}\n.oth-ds .as-card h3{font-family:var(--d);font-style:italic;font-size:22px;font-weight:600;color:var(--w);margin:0 0 12px;line-height:1.2;letter-spacing:-.005em}\n.oth-ds .as-card p{font-size:13px;line-height:1.65;color:var(--w1);margin:0 0 18px;flex:1}\n.oth-ds .as-card p strong{color:var(--w);font-weight:600}\n.oth-ds .as-card p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .as-card.gold p em{color:var(--gold)}\n.oth-ds .as-arrow{font-family:var(--m);font-size:11px;letter-spacing:.10em;color:var(--r);font-weight:700;text-transform:uppercase;display:inline-flex;align-items:center;gap:8px;transition:gap .3s var(--ease)}\n.oth-ds .as-card.gold .as-arrow{color:var(--gold)}\n.oth-ds .as-arrow::after{content:\"\u2192\";font-family:var(--d);font-style:italic;font-size:16px;transition:transform .3s var(--ease)}\n.oth-ds .as-card:hover .as-arrow::after{transform:translateX(5px)}\n@media (max-width:1024px){.oth-ds .as-grid{grid-template-columns:1fr;gap:14px}}\n@media (max-width:600px){.oth-ds .as-card{padding:24px 22px}}\n\n\/* ============ FAQ ============ *\/\n.oth-ds .faq-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n.oth-ds .faq-sec::before{content:\"\";position:absolute;top:-100px;left:50%;width:1200px;height:600px;background:radial-gradient(ellipse,rgba(237,64,54,.06),transparent 70%);transform:translateX(-50%);pointer-events:none}\n.oth-ds .faq-grid{display:grid;gap:14px;max-width:980px;margin:0 auto}\n.oth-ds .faq{background:var(--k2);border:1px solid var(--line);transition:all .35s var(--ease);overflow:hidden;position:relative}\n.oth-ds .faq[open]{background:var(--k3);border-color:rgba(237,64,54,.30);box-shadow:0 16px 40px rgba(0,0,0,.4)}\n.oth-ds .faq:hover{border-color:rgba(237,64,54,.20)}\n.oth-ds .faq summary{padding:22px 28px;cursor:pointer;list-style:none;display:grid;grid-template-columns:auto 1fr auto;align-items:center;gap:18px;font-family:var(--s);font-size:15.5px;font-weight:600;color:var(--w);line-height:1.35;transition:background .25s}\n.oth-ds .faq summary::-webkit-details-marker{display:none}\n.oth-ds .faq summary:hover{background:var(--k1)}\n.oth-ds .faq-num{font-family:var(--m);font-size:10.5px;font-weight:700;letter-spacing:.10em;color:var(--r);padding:5px 10px;background:rgba(237,64,54,.10);border:1px solid rgba(237,64,54,.30);border-radius:2px;white-space:nowrap}\n.oth-ds .faq-ic{width:32px;height:32px;border-radius:50%;background:var(--k);border:1px solid var(--line);display:flex;align-items:center;justify-content:center;font-size:18px;font-weight:300;color:var(--r);transition:all .3s var(--ease)}\n.oth-ds .faq[open] .faq-ic{transform:rotate(45deg);background:var(--r);color:var(--w);border-color:var(--r)}\n.oth-ds .faq-body{padding:0 28px 26px;border-top:1px solid var(--line)}\n.oth-ds .faq-body p{font-size:14px;line-height:1.7;color:var(--w1);margin:18px 0 0;max-width:84ch}\n.oth-ds .faq-body p:first-child{margin-top:18px}\n.oth-ds .faq-body p strong{color:var(--w);font-weight:600}\n.oth-ds .faq-body p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .faq-body p a{color:var(--r);text-decoration:none;border-bottom:1px solid rgba(237,64,54,.4)}\n@media (max-width:600px){.oth-ds .faq summary{padding:18px 20px;gap:12px;font-size:14px}.oth-ds .faq-body{padding:0 20px 22px}}\n\n\/* ============ FINAL CTA ============ *\/\n.oth-ds .cta-sec{background:radial-gradient(ellipse 1000px 700px at 50% 0%,rgba(237,64,54,.22),transparent 60%),radial-gradient(ellipse 800px 500px at 50% 100%,rgba(237,64,54,.10),transparent 60%),var(--k);padding:130px 0;text-align:center;position:relative;overflow:hidden;border-top:1px solid var(--line)}\n.oth-ds .cta-sec::before{content:\"\";position:absolute;inset:0;background-image:linear-gradient(rgba(255,255,255,.025) 1px,transparent 1px),linear-gradient(90deg,rgba(255,255,255,.025) 1px,transparent 1px);background-size:64px 64px;pointer-events:none;mask-image:radial-gradient(ellipse 1200px 700px at 50% 50%,black,transparent 75%);-webkit-mask-image:radial-gradient(ellipse 1200px 700px at 50% 50%,black,transparent 75%)}\n.oth-ds .cta-content{position:relative;z-index:2;max-width:920px;margin:0 auto;padding:0 32px}\n.oth-ds .cta-content h2{font-size:clamp(34px,5.2vw,64px);line-height:1.04;font-weight:700;letter-spacing:-.03em;color:var(--w);margin:0 auto 24px;max-width:26ch}\n.oth-ds .cta-content h2 em{font-family:var(--d);font-style:italic;font-weight:500;color:var(--r);background:linear-gradient(90deg,var(--r) 0%,var(--r1) 30%,var(--gold) 50%,var(--r1) 70%,var(--r) 100%);background-size:200% 100%;-webkit-background-clip:text;background-clip:text;-webkit-text-fill-color:transparent;animation:ds-shimmer 6s linear infinite}\n.oth-ds .cta-content p{font-size:16.5px;line-height:1.7;color:var(--w1);max-width:74ch;margin:0 auto 44px}\n.oth-ds .cta-content p strong{color:var(--w);font-weight:600}\n.oth-ds .cta-content p em{font-family:var(--d);font-style:italic;color:var(--r);font-weight:500}\n.oth-ds .cta-buttons{display:flex;gap:14px;justify-content:center;flex-wrap:wrap}\n.oth-ds .cta-note{margin-top:36px;font-family:var(--m);font-size:11px;letter-spacing:.14em;text-transform:uppercase;color:var(--w2);line-height:1.8}\n.oth-ds .cta-note b{color:var(--r);font-weight:700}\n.oth-ds .cta-note a{color:inherit;text-decoration:none;transition:color .2s}\n.oth-ds .cta-note a:hover{color:var(--w)}\n.oth-ds .cta-note .sep{color:var(--r)}\n.oth-ds .endline{padding:32px 0;text-align:center;font-family:var(--m);font-size:11px;font-weight:500;letter-spacing:.16em;text-transform:uppercase;color:var(--w2);background:var(--k);border-top:1px solid var(--line)}\n.oth-ds .endline .r{color:var(--r)}\n@media (max-width:600px){.oth-ds .cta-sec{padding:72px 0}}\n\n\/* === \u00a701 + \u00a702 consolidated === *\/\n\/* \u00a701 pillars \u2014 foundation+flow, scoped to .oth-ds *\/\n    .oth-ds .pl-sec{padding:110px 0;background:var(--k1);border-top:1px solid var(--line);position:relative;overflow:hidden}\n    .oth-ds .pl-sec::before{content:\"\";position:absolute;top:20%;right:-15%;width:700px;height:700px;background:radial-gradient(circle,rgba(237,64,54,.06),transparent 65%);border-radius:50%;pointer-events:none}\n    .oth-ds .pl-frame{position:relative;z-index:2;display:grid;grid-template-columns:1.05fr 1fr;gap:24px;align-items:stretch}\n\n    \/* LEFT: Encryption foundation *\/\n    .oth-ds .pl-foundation{background:linear-gradient(135deg,rgba(237,64,54,.10) 0%,var(--k3) 60%);border:1px solid rgba(237,64,54,.30);padding:42px 40px;position:relative;overflow:hidden;transition:all .5s var(--ease);display:flex;flex-direction:column}\n    .oth-ds .pl-foundation:hover{transform:translateY(-3px);border-color:rgba(237,64,54,.5);box-shadow:0 24px 60px rgba(0,0,0,.5),0 0 40px rgba(237,64,54,.10)}\n    .oth-ds .pl-foundation::before{content:\"\";position:absolute;top:0;left:0;width:6px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%)}\n    .oth-ds .pl-foundation::after{content:\"AES\";position:absolute;top:-26px;right:-12px;font-family:var(--d);font-style:italic;font-weight:600;font-size:clamp(110px,16vw,220px);line-height:1;color:var(--r);opacity:.06;pointer-events:none;letter-spacing:-.04em}\n    .oth-ds .pl-eyebrow{font-family:var(--m);font-size:10.5px;letter-spacing:.16em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:14px;display:inline-flex;align-items:center;gap:10px;position:relative;z-index:2}\n    .oth-ds .pl-eyebrow .pulse{width:8px;height:8px;border-radius:50%;background:var(--r);animation:ds-pulse 2s ease-in-out infinite}\n    .oth-ds .pl-foundation h3{font-family:var(--d);font-style:italic;font-size:clamp(28px,3.8vw,42px);font-weight:600;color:var(--w);margin:0 0 6px;line-height:1.05;letter-spacing:-.02em;position:relative;z-index:2}\n    .oth-ds .pl-foundation h3 em{color:var(--r);font-style:italic}\n    .oth-ds .pl-foundation .pl-sub{font-family:var(--s);font-size:14px;font-weight:500;color:var(--r1);margin-bottom:22px;letter-spacing:.01em;position:relative;z-index:2}\n    .oth-ds .pl-foundation .pl-body{font-size:14.5px;line-height:1.7;color:var(--w1);margin:0 0 22px;position:relative;z-index:2;max-width:50ch}\n    .oth-ds .pl-foundation .pl-body strong{color:var(--w);font-weight:600}\n    .oth-ds .pl-foundation .pl-body em{font-family:var(--d);font-style:italic;color:var(--r1);font-weight:500}\n    .oth-ds .pl-test{margin-top:auto;padding-top:18px;border-top:1px dashed rgba(237,64,54,.25);position:relative;z-index:2}\n    .oth-ds .pl-test-label{font-family:var(--m);font-size:9.5px;letter-spacing:.14em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:8px}\n    .oth-ds .pl-test-list{margin:0;padding:0;list-style:none;display:grid;gap:5px}\n    .oth-ds .pl-test-list li{font-family:var(--s);font-size:13px;line-height:1.5;color:var(--w1);padding-left:18px;position:relative;font-weight:500}\n    .oth-ds .pl-test-list li::before{content:\"\";position:absolute;left:0;top:8px;width:8px;height:1px;background:var(--r)}\n\n    \/* RIGHT: 3 stacked pillar blocks *\/\n    .oth-ds .pl-flow{display:grid;grid-template-rows:1fr 1fr 1fr;gap:10px}\n    .oth-ds .pl-block{background:var(--k2);border:1px solid var(--line);padding:20px 24px;position:relative;overflow:hidden;transition:all .3s var(--ease);display:flex;flex-direction:column}\n    .oth-ds .pl-block::before{content:\"\";position:absolute;top:0;left:0;width:3px;height:100%;background:var(--r);transition:width .3s var(--ease)}\n    .oth-ds .pl-block:hover::before{width:5px}\n    .oth-ds .pl-block:hover{background:var(--k3);border-color:rgba(237,64,54,.30);transform:translateY(-3px);box-shadow:0 14px 30px rgba(0,0,0,.35)}\n    .oth-ds .pl-block::after{content:attr(data-num);position:absolute;top:-10px;right:-6px;font-family:var(--d);font-style:italic;font-weight:600;font-size:clamp(54px,8vw,88px);line-height:1;color:var(--r);opacity:.06;pointer-events:none;letter-spacing:-.04em}\n    .oth-ds .pl-block .pl-tag{font-family:var(--m);font-size:9.5px;letter-spacing:.14em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:6px;position:relative;z-index:2}\n    .oth-ds .pl-block h4{font-family:var(--d);font-style:italic;font-size:18px;font-weight:600;color:var(--w);margin:0 0 4px;line-height:1.15;letter-spacing:-.005em;position:relative;z-index:2}\n    .oth-ds .pl-block h4 em{color:var(--r);font-style:italic}\n    .oth-ds .pl-block .pl-block-sub{font-family:var(--s);font-size:11.5px;font-weight:500;color:var(--r1);margin-bottom:8px;letter-spacing:.005em;position:relative;z-index:2}\n    .oth-ds .pl-block p{font-size:11.5px;line-height:1.55;color:var(--w1);margin:0;position:relative;z-index:2;flex:1}\n    .oth-ds .pl-block p strong{color:var(--w);font-weight:600}\n    .oth-ds .pl-block p em{font-family:var(--d);font-style:italic;color:var(--r1);font-weight:500}\n\n    .oth-ds .pl-foot{font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:96ch;padding:18px 22px;background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2}\n    .oth-ds .pl-foot b{color:var(--w);font-weight:600}\n    .oth-ds .pl-foot em{color:var(--r);font-family:var(--d);font-style:italic}\n\n    @media (max-width:1024px){\n      .oth-ds .pl-frame{grid-template-columns:1fr;gap:18px}\n      .oth-ds .pl-foundation{padding:32px 28px}\n      .oth-ds .pl-flow{grid-template-rows:auto auto auto}\n    }\n    @media (max-width:600px){\n      .oth-ds .pl-foundation{padding:28px 22px}\n      .oth-ds .pl-block{padding:18px 18px}\n    }\n\n    \/* ============ \u00a702 \u2014 DATA LIFECYCLE (6 stages 3x2 grid) ============ *\/\n    .oth-ds .lc-sec{padding:110px 0;background:var(--k);border-top:1px solid var(--line);position:relative;overflow:hidden}\n    .oth-ds .lc-sec::before{content:\"\";position:absolute;top:30%;left:-15%;width:600px;height:600px;background:radial-gradient(circle,rgba(237,64,54,.05),transparent 70%);border-radius:50%;pointer-events:none}\n    .oth-ds .lc-grid{display:grid;grid-template-columns:repeat(3,1fr);gap:16px;position:relative;z-index:2}\n    .oth-ds .lc-card{background:var(--k2);border:1px solid var(--line);padding:26px 26px;position:relative;overflow:hidden;transition:all .4s var(--ease);display:flex;flex-direction:column}\n    .oth-ds .lc-card::before{content:\"\";position:absolute;top:0;left:0;width:4px;height:100%;background:linear-gradient(180deg,var(--r) 0%,var(--gold) 100%);transition:width .35s var(--ease)}\n    .oth-ds .lc-card:hover::before{width:6px}\n    .oth-ds .lc-card:hover{background:var(--k3);border-color:rgba(237,64,54,.30);transform:translateY(-4px);box-shadow:0 18px 40px rgba(0,0,0,.4)}\n    .oth-ds .lc-head{display:flex;align-items:flex-start;gap:14px;margin-bottom:12px}\n    .oth-ds .lc-num{font-family:var(--d);font-style:italic;font-weight:600;font-size:42px;line-height:1;color:var(--r);letter-spacing:-.025em;background:linear-gradient(135deg,var(--r) 0%,var(--gold) 100%);-webkit-background-clip:text;background-clip:text;-webkit-text-fill-color:transparent;flex-shrink:0;min-width:58px}\n    .oth-ds .lc-titles{flex:1;min-width:0}\n    .oth-ds .lc-tag{font-family:var(--m);font-size:9.5px;letter-spacing:.14em;text-transform:uppercase;color:var(--r);font-weight:700;margin-bottom:4px}\n    .oth-ds .lc-titles h4{font-family:var(--d);font-style:italic;font-size:20px;font-weight:600;color:var(--w);margin:0;line-height:1.15;letter-spacing:-.005em}\n    .oth-ds .lc-titles h4 em{color:var(--r);font-style:italic}\n    .oth-ds .lc-card p{font-size:12.5px;line-height:1.6;color:var(--w1);margin:0 0 12px;flex:1}\n    .oth-ds .lc-card p strong{color:var(--w);font-weight:600}\n    .oth-ds .lc-card p em{font-family:var(--d);font-style:italic;color:var(--r1);font-weight:500}\n    .oth-ds .lc-controls{padding-top:10px;border-top:1px dashed var(--line)}\n    .oth-ds .lc-controls-label{font-family:var(--m);font-size:9px;letter-spacing:.14em;text-transform:uppercase;color:var(--w3);font-weight:700;margin-bottom:6px}\n    .oth-ds .lc-controls-list{margin:0;padding:0;list-style:none;display:grid;gap:4px}\n    .oth-ds .lc-controls-list li{font-family:var(--s);font-size:11px;line-height:1.45;color:var(--w1);padding-left:14px;position:relative;font-weight:500}\n    .oth-ds .lc-controls-list li::before{content:\"\";position:absolute;left:0;top:7px;width:6px;height:1px;background:var(--r)}\n    .oth-ds .lc-controls-list li b{color:var(--w);font-weight:600}\n    @media (max-width:1024px){.oth-ds .lc-grid{grid-template-columns:1fr 1fr;gap:14px}}\n    @media (max-width:600px){.oth-ds .lc-grid{grid-template-columns:1fr}.oth-ds .lc-num{font-size:34px;min-width:46px}}\n<\/style>\n\n<noscript><style>\n.oth-ds [data-reveal], .oth-ds [data-reveal-stagger] > *{opacity:1!important;transform:none!important}\n<\/style><\/noscript>\n\n<div class=\"oth-ds\" id=\"oth-ds-top\">\n\n<!-- STATUS STRIP -->\n<div class=\"strip\">\n  <div class=\"wrap\"><div class=\"strip-row\">\n    <div class=\"l\"><span class=\"strip-dot\"><\/span>DATA SECURITY POSTURE \u00b7 GDPR + PDPA BACKBONE \u00b7 NDA FROM FIRST EMAIL \u00b7 BANGKOK-MANAGED \u00b7 NO OUTSOURCING \u00b7 AUDIT-TRAIL DISCIPLINE<\/div>\n    <div class=\"r\">Operational controls behind <b>every engagement<\/b> <span style=\"color:var(--r)\">\u00b7<\/span> AES-256 at rest &amp; TLS 1.3 in transit \u00b7 72-hour breach window<\/div>\n  <\/div><\/div>\n<\/div>\n\n<!-- BREADCRUMB -->\n<div class=\"crumb\">\n  <div class=\"wrap\">\n    <a href=\"\/\">Othello<\/a>\n    <span class=\"sep\">\/<\/span>\n    <span class=\"here\">Data Security<\/span>\n  <\/div>\n<\/div>\n\n<!-- ============ HERO ============ -->\n<section class=\"hero\">\n  <div class=\"wrap\"><div class=\"hero-inner\">\n    <div class=\"hero-tag\" data-reveal><span class=\"dot\"><\/span>\u2605 DATA SECURITY \u00b7 OPERATIONAL CONTROLS \u00b7 NDA-FROM-FIRST-EMAIL \u00b7 GDPR + PDPA REGULATORY BACKBONE \u00b7 FAR-GRADE AUDIT DISCIPLINE<\/div>\n    <h1 data-reveal>Client data <em>protected by design.<\/em> Not as an afterthought.<\/h1>\n    <div class=\"hero-grid\">\n      <div class=\"hero-left\">\n        <p data-reveal><strong>Othello International was founded in 2020 on US Government bilingual contracts<\/strong> &mdash; US CDC, US State Department, UN Women, UK PACT &mdash; under <em>FAR-grade contractor verification<\/em>, the procurement standard the US Government applies to entities handling sensitive material. The firm&#8217;s data-security posture inherits from that origin: <strong>NDA-from-first-email, no outsourcing, Bangkok-managed throughout, with audit-trail discipline applied to every engagement regardless of size or sector<\/strong>. The technical backbone is the firm&#8217;s two data-protection credentials: <em>GDPR (EU regulation operating in Thailand via extraterritorial reach), PDPA (Thai national framework under PDPC supervision)<\/em> &mdash; both held at firm level and verifiable independently. <strong>Operational controls applied to all client data<\/strong>: encryption (AES-256 at rest, TLS 1.3 in transit), access controls (least-privilege, named user, no shared credentials), retention (default deletion at engagement close + 90 days plus statutorily required holds), breach notification (72-hour PDPA window aligned with GDPR), vendor management (data processing agreements with all sub-processors), and the procurement-grade audit-trail that documents every data touch. <em>This page documents the operational controls themselves &mdash; the regulatory regimes that govern them are covered separately on the GDPR, PDPA, and Compliance Center pages<\/em>. For corporate counsel, security teams, vendor risk officers, and procurement reviewers vetting Othello, this page is the operational posture statement that pairs with the firm&#8217;s NDA Standard, Privacy Policy, and Terms of Service to form a complete vendor-vetting documentation set.<\/p>\n        <div class=\"hs-grid\" data-reveal-stagger>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><rect x=\"3\" y=\"11\" width=\"18\" height=\"11\" rx=\"2\" ry=\"2\"\/><path d=\"M7 11V7a5 5 0 0 1 10 0v4\"\/><\/svg><\/div>\n            <div class=\"lb\">Encryption Standard<\/div>\n            <div class=\"v\" style=\"font-family:var(--d);font-size:30px\">AES-256<\/div>\n            <div class=\"sb\">At rest &middot; TLS 1.3 in transit<\/div>\n          <\/div>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><circle cx=\"12\" cy=\"12\" r=\"10\"\/><polyline points=\"12 6 12 12 16 14\"\/><\/svg><\/div>\n            <div class=\"lb\">Breach Notification<\/div>\n            <div class=\"v\"><span class=\"num\" data-count-to=\"72\">72<\/span><span class=\"sm\">h<\/span><\/div>\n            <div class=\"sb\">PDPA aligned with GDPR<\/div>\n          <\/div>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><path d=\"M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z\"\/><\/svg><\/div>\n            <div class=\"lb\">Data Residency<\/div>\n            <div class=\"v\" style=\"font-family:var(--d);font-size:30px\">Bangkok<\/div>\n            <div class=\"sb\">Managed throughout &middot; no offshoring<\/div>\n          <\/div>\n          <div class=\"hs\">\n            <div class=\"ic\"><svg viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><polyline points=\"3 6 5 6 21 6\"\/><path d=\"M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6m3 0V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2\"\/><\/svg><\/div>\n            <div class=\"lb\">Default Retention<\/div>\n            <div class=\"v\"><span class=\"num\" data-count-to=\"90\">90<\/span><span class=\"sm\">d<\/span><\/div>\n            <div class=\"sb\">Post-engagement + statutory holds<\/div>\n          <\/div>\n        <\/div>\n        <div class=\"hctas\" data-reveal>\n          <a href=\"#pillars\" class=\"btn btn-primary\">The Seven Security Pillars<\/a>\n          <a href=\"\/certifications\/\" class=\"btn btn-outline\">All 20 Credentials<\/a>\n        <\/div>\n      <\/div>\n\n      <div data-reveal>\n        <div class=\"lp-card\">\n          <div class=\"lp-lb\">&starf; DATA SECURITY POSTURE &middot; OPERATIONALLY DOCUMENTED<\/div>\n          <div class=\"lp-head\">Procurement-grade. <em>Audit-trail discipline.<\/em><\/div>\n          <ul class=\"lp-items\">\n            <li class=\"lp-item gold\"><span class=\"lp-k\">Regulatory backbone<\/span><span class=\"lp-v\"><b>GDPR + PDPA<\/b><\/span><\/li>\n            <li class=\"lp-item gold\"><span class=\"lp-k\">Origin discipline<\/span><span class=\"lp-v\"><b>FAR-grade<\/b> &middot; 2020 USG contracts<\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">NDA timing<\/span><span class=\"lp-v\"><b>From first email<\/b><\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Outsourcing<\/span><span class=\"lp-v\"><b>None<\/b> &middot; Bangkok-managed<\/span><\/li>\n            <li class=\"lp-item gold\"><span class=\"lp-k\">Encryption<\/span><span class=\"lp-v\"><b>AES-256 + TLS 1.3<\/b><\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Breach window<\/span><span class=\"lp-v\"><b>72-hour<\/b> &middot; PDPA = GDPR<\/span><\/li>\n            <li class=\"lp-item\"><span class=\"lp-k\">Pairs with<\/span><span class=\"lp-v\"><b>NDA &middot; Privacy &middot; Terms<\/b><\/span><\/li>\n          <\/ul>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div><\/div>\n<\/section>\n  <!-- ============ \u00a701 \u2014 SEVEN SECURITY PILLARS (foundation+flow) ============ -->\n\n  <section class=\"pl-sec\" id=\"pillars\">\n    <div class=\"wrap\">\n      <div class=\"section-head\" data-reveal>\n        <div class=\"eyebrow\">\u2605 \u00a701 \u00b7 The Seven Security Pillars \u00b7 Encryption Foundation + Six Operational Controls<\/div>\n        <h2 class=\"title\">Seven pillars. <em>Encryption foundational.<\/em> Six operational controls applied throughout.<\/h2>\n        <p class=\"lead\">Othello&#8217;s data-security posture is structured around <strong>seven operational pillars<\/strong>: encryption, access controls, retention, breach response, vendor management, audit trail, and human factors. <em>Encryption is the foundational pillar &mdash; AES-256 at rest, TLS 1.3 in transit, applied to every byte of client data without exception<\/em>. The other six pillars are operational controls applied throughout the data lifecycle. <strong>Each pillar is operationally documented in the firm&#8217;s internal Information Security Policy<\/strong>, supplied under NDA to procurement reviewers requesting full documentation as part of vendor onboarding.<\/p>\n      <\/div>\n\n      <div class=\"pl-frame\">\n\n        <div class=\"pl-foundation\" data-reveal>\n          <div class=\"pl-eyebrow\"><span class=\"pulse\"><\/span>PILLAR 01 &middot; FOUNDATIONAL<\/div>\n          <h3>Encryption. <em>Every byte.<\/em><\/h3>\n          <div class=\"pl-sub\">AES-256 at rest &middot; TLS 1.3 in transit &middot; no exceptions.<\/div>\n          <p class=\"pl-body\"><strong>Every byte of client data Othello holds is encrypted at rest with AES-256<\/strong> &mdash; the symmetric encryption standard adopted by the US Government for protecting classified information at the SECRET level and below. <em>Data in transit between the firm and clients uses TLS 1.3<\/em>, the current version of Transport Layer Security with forward secrecy and authenticated encryption. <strong>There are no exceptions<\/strong>: encryption is applied to engagement files, working documents, email attachments, archive storage, backup media, and the engagement ledger itself. Encryption keys are managed via the cloud provider&#8217;s key management service with rotation policies, audit logging, and access restricted to named technical leads under the firm&#8217;s information security policy. <em>For high-sensitivity engagements &mdash; legal, healthcare PHI, capital markets material non-public information &mdash; client-managed encryption keys (BYOK) are available under the engagement letter<\/em>.<\/p>\n          <div class=\"pl-test\">\n            <div class=\"pl-test-label\">Encryption-in-place across the stack<\/div>\n            <ul class=\"pl-test-list\">\n              <li>Engagement files &middot; AES-256 at rest<\/li>\n              <li>Email + attachments &middot; TLS 1.3 + S\/MIME on request<\/li>\n              <li>Working documents &middot; cloud-encrypted (BYOK available)<\/li>\n              <li>Archive storage &middot; AES-256, separate key, audit-logged<\/li>\n              <li>Backup media &middot; encrypted, offline-cycled<\/li>\n              <li>Engagement ledger &middot; encrypted, named-user audit log<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n        <div class=\"pl-flow\">\n\n          <div class=\"pl-block\" data-num=\"02\" data-reveal>\n            <div class=\"pl-tag\">PILLAR 02 &middot; ACCESS<\/div>\n            <h4>Least-privilege <em>access controls.<\/em><\/h4>\n            <div class=\"pl-block-sub\">Named user &middot; no shared credentials &middot; MFA mandatory.<\/div>\n            <p><strong>Access to client data is granted on a least-privilege basis<\/strong>: only bench members materially assigned to an engagement have access. <em>Multi-factor authentication is mandatory for all firm accounts<\/em>; no shared credentials exist; access is logged at named-user granularity. <strong>Access is revoked within one business day of bench-member departure or engagement closure<\/strong>, whichever comes first.<\/p>\n          <\/div>\n\n          <div class=\"pl-block\" data-num=\"03\" data-reveal>\n            <div class=\"pl-tag\">PILLAR 03 &middot; RETENTION<\/div>\n            <h4>Retention <em>and destruction.<\/em><\/h4>\n            <div class=\"pl-block-sub\">90-day default \u00b7 longer for statutory holds \u00b7 certified destruction.<\/div>\n            <p><strong>Default retention is 90 days after engagement closure<\/strong>, then certified destruction. <em>Longer retention applies where statutory hold requirements exist<\/em> (Thai legal retention, healthcare records, financial advisory file requirements). <strong>Destruction follows NIST 800-88 Clear\/Purge guidelines<\/strong> with documented destruction certificate available on client request.<\/p>\n          <\/div>\n\n          <div class=\"pl-block\" data-num=\"04\" data-reveal>\n            <div class=\"pl-tag\">PILLAR 04 &middot; BREACH<\/div>\n            <h4>Breach response <em>+ notification.<\/em><\/h4>\n            <div class=\"pl-block-sub\">72-hour PDPA-aligned + GDPR-aligned window.<\/div>\n            <p><strong>In the event of a personal-data breach, Othello notifies the affected client within 72 hours of becoming aware<\/strong> &mdash; aligning with both the PDPA Thai breach notification window and the GDPR Article 33 controller notification window. <em>Breach response runs to a documented internal procedure<\/em>: containment, assessment, notification, remediation, post-incident review. Where regulator notification is required, the firm supports the client&#8217;s filing.<\/p>\n          <\/div>\n\n        <\/div>\n      <\/div>\n\n      <p class=\"pl-foot\" data-reveal>&starf; <b style=\"color:var(--r)\">THREE FURTHER PILLARS APPLY ACROSS THE LIFECYCLE<\/b> &middot; <b>The four pillars above cover the encryption foundation and the three highest-friction operational controls. Three further pillars apply across the data lifecycle:<\/b> <em>(5) Vendor management<\/em> &mdash; data processing agreements with all sub-processors, documented sub-processor list, due-diligence on substantive vendors; <em>(6) Audit trail<\/em> &mdash; engagement-by-engagement documentation chain that pairs with the firm&#8217;s procurement-grade audit-trail standard inherited from US Government contracts; <em>(7) Human factors<\/em> &mdash; bench training on data handling, NDA-from-first-email discipline, no-outsourcing rule, Bangkok-managed throughout. <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">These three are operationalised through the bench discipline itself<\/em> &mdash; not bolt-on controls but built-in working practice.<\/p>\n    <\/div>\n  <\/section>\n\n  <!-- ============ \u00a702 \u2014 DATA LIFECYCLE (6 stages) ============ -->\n  <section class=\"lc-sec\" id=\"lifecycle\">\n    <div class=\"wrap\">\n      <div class=\"section-head\" data-reveal>\n        <div class=\"eyebrow\">\u2605 \u00a702 \u00b7 The Data Lifecycle \u00b7 Six Stages From Intake To Destruction<\/div>\n        <h2 class=\"title\">Six stages. <em>One audit trail.<\/em> Every engagement runs the same lifecycle.<\/h2>\n        <p class=\"lead\">Client data moves through <strong>six lifecycle stages<\/strong> from intake to destruction. <em>Specific operational controls apply at each stage<\/em>, with the audit-trail documentation continuous across stages. The lifecycle is the same for a five-day technical translation engagement and a twelve-month ESG advisory engagement &mdash; <strong>the scale of work varies, the discipline does not<\/strong>. The lifecycle is operationally documented and supplied to procurement reviewers under NDA on request.<\/p>\n      <\/div>\n\n      <div class=\"lc-grid\" data-reveal-stagger>\n\n        <div class=\"lc-card\">\n          <div class=\"lc-head\">\n            <div class=\"lc-num\">01<\/div>\n            <div class=\"lc-titles\">\n              <div class=\"lc-tag\">STAGE \u00b7 INTAKE<\/div>\n              <h4>Data <em>intake.<\/em><\/h4>\n            <\/div>\n          <\/div>\n          <p><strong>Client data enters Othello&#8217;s environment through encrypted channels only<\/strong> &mdash; encrypted email attachments, client-portal upload, or secure-share link. <em>NDA is in place from first email<\/em>; data is logged into the engagement ledger at receipt; assigned to the engagement folder with access controlled per Pillar 02. No client data is accepted via unencrypted channels.<\/p>\n          <div class=\"lc-controls\">\n            <div class=\"lc-controls-label\">Controls applied<\/div>\n            <ul class=\"lc-controls-list\">\n              <li><b>NDA from first email<\/b> &middot; pre-intake<\/li>\n              <li>Encrypted channels only<\/li>\n              <li>Engagement ledger entry &middot; audit log<\/li>\n              <li>Access control assignment &middot; named users<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n        <div class=\"lc-card\">\n          <div class=\"lc-head\">\n            <div class=\"lc-num\">02<\/div>\n            <div class=\"lc-titles\">\n              <div class=\"lc-tag\">STAGE \u00b7 STORAGE<\/div>\n              <h4><em>Storage.<\/em><\/h4>\n            <\/div>\n          <\/div>\n          <p><strong>Data is stored AES-256 encrypted at rest<\/strong> in the firm&#8217;s primary cloud environment, with logical separation per engagement. <em>Backups are encrypted with separate keys<\/em>; archive storage is segregated from working storage; encryption keys are managed via cloud key management service with rotation policies. <strong>No client data is stored on bench-member personal devices<\/strong>; all working is in the firm-managed environment.<\/p>\n          <div class=\"lc-controls\">\n            <div class=\"lc-controls-label\">Controls applied<\/div>\n            <ul class=\"lc-controls-list\">\n              <li><b>AES-256 at rest<\/b> &middot; no exceptions<\/li>\n              <li>Logical separation per engagement<\/li>\n              <li>Separate keys for backup vs active<\/li>\n              <li>No personal-device storage<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n        <div class=\"lc-card\">\n          <div class=\"lc-head\">\n            <div class=\"lc-num\">03<\/div>\n            <div class=\"lc-titles\">\n              <div class=\"lc-tag\">STAGE \u00b7 PROCESSING<\/div>\n              <h4><em>Processing.<\/em><\/h4>\n            <\/div>\n          <\/div>\n          <p><strong>Substantive work on client data is performed by named bench members under access controls<\/strong>. <em>Working documents are kept in the firm-managed cloud environment<\/em>; offline working on local devices is permitted only with full-disk encryption and within the firm-managed device fleet. <strong>No client data is processed through public AI tools, free translation engines, or unmanaged third-party services<\/strong> &mdash; the no-outsourcing rule extends to algorithmic services.<\/p>\n          <div class=\"lc-controls\">\n            <div class=\"lc-controls-label\">Controls applied<\/div>\n            <ul class=\"lc-controls-list\">\n              <li>Named bench access only<\/li>\n              <li>Firm-managed cloud workspace<\/li>\n              <li><b>No public AI tools<\/b> &middot; no free translation<\/li>\n              <li>Audit log per access event<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n        <div class=\"lc-card\">\n          <div class=\"lc-head\">\n            <div class=\"lc-num\">04<\/div>\n            <div class=\"lc-titles\">\n              <div class=\"lc-tag\">STAGE \u00b7 TRANSMISSION<\/div>\n              <h4><em>Transmission.<\/em><\/h4>\n            <\/div>\n          <\/div>\n          <p><strong>Data in transit &mdash; including to the client at delivery &mdash; uses TLS 1.3 with authenticated encryption<\/strong>. <em>S\/MIME-encrypted email is available on request<\/em>; secure-share-link delivery is preferred for substantial files; raw email attachments to public mailboxes are discouraged for personal-data-bearing content. <strong>Transfers to client-side jurisdictions outside Thailand follow GDPR-aligned transfer mechanisms<\/strong> (SCCs where applicable, adequacy decisions where applicable, derogations only with explicit client authorisation).<\/p>\n          <div class=\"lc-controls\">\n            <div class=\"lc-controls-label\">Controls applied<\/div>\n            <ul class=\"lc-controls-list\">\n              <li><b>TLS 1.3 in transit<\/b><\/li>\n              <li>S\/MIME available on request<\/li>\n              <li>Secure-share preferred over email<\/li>\n              <li>GDPR transfer mechanisms aligned<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n        <div class=\"lc-card\">\n          <div class=\"lc-head\">\n            <div class=\"lc-num\">05<\/div>\n            <div class=\"lc-titles\">\n              <div class=\"lc-tag\">STAGE \u00b7 RETENTION<\/div>\n              <h4><em>Retention.<\/em><\/h4>\n            <\/div>\n          <\/div>\n          <p><strong>Default retention is 90 days after engagement closure<\/strong>; engagement-specific retention extensions apply for statutory or regulatory holds (Thai legal retention rules, healthcare records, financial advisory work-paper requirements). <em>Retention is documented per-engagement in the engagement ledger<\/em>; access during retention period remains restricted to named bench members under Pillar 02. <strong>Engagement-specific shorter retention available on client request<\/strong> in the engagement letter.<\/p>\n          <div class=\"lc-controls\">\n            <div class=\"lc-controls-label\">Controls applied<\/div>\n            <ul class=\"lc-controls-list\">\n              <li><b>90-day default<\/b> &middot; per-engagement extension<\/li>\n              <li>Statutory holds documented<\/li>\n              <li>Retention listed in engagement ledger<\/li>\n              <li>Shorter retention available on request<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n        <div class=\"lc-card\">\n          <div class=\"lc-head\">\n            <div class=\"lc-num\">06<\/div>\n            <div class=\"lc-titles\">\n              <div class=\"lc-tag\">STAGE \u00b7 DESTRUCTION<\/div>\n              <h4><em>Destruction.<\/em><\/h4>\n            <\/div>\n          <\/div>\n          <p><strong>At end of retention, data is destroyed following NIST 800-88 Clear\/Purge guidelines<\/strong>: cryptographic erasure for encrypted storage, overwrite for non-encrypted, physical destruction for failed media. <em>Destruction is logged in the engagement ledger<\/em>; destruction certificate available on client request. <strong>Backup-cycle data is destroyed on rolling schedule per Pillar 03<\/strong>; no client data persists beyond the documented retention window plus a defined backup-cycle clearing period.<\/p>\n          <div class=\"lc-controls\">\n            <div class=\"lc-controls-label\">Controls applied<\/div>\n            <ul class=\"lc-controls-list\">\n              <li><b>NIST 800-88<\/b> Clear\/Purge guidelines<\/li>\n              <li>Cryptographic erasure default<\/li>\n              <li>Destruction certificate on request<\/li>\n              <li>Backup cycle clearing on rolling basis<\/li>\n            <\/ul>\n          <\/div>\n        <\/div>\n\n      <\/div>\n\n      <p style=\"font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:96ch;padding:18px 22px;background:var(--k1);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2\" data-reveal>&starf; <b style=\"color:var(--r)\">ONE AUDIT TRAIL ACROSS SIX STAGES<\/b> &middot; <b style=\"color:var(--w)\">The engagement ledger documents every client-data event across the six lifecycle stages<\/b> &mdash; intake timestamp, named-user accesses, working document revisions, transmission events, retention status, destruction certificate. <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">This is the procurement-grade audit-trail discipline inherited from the firm&#8217;s 2020 US Government contract origin<\/em> &mdash; not a marketing claim, an operationally documented practice. <strong>The engagement ledger is available to client procurement reviewers under NDA<\/strong> as part of vendor onboarding or post-incident review.<\/p>\n    <\/div>\n  <\/section>\n\n\n  <!-- ============ \u00a703 \u2014 VENDOR & SUBCONTRACTOR MANAGEMENT ============ -->\n  <section class=\"qd-sec\" id=\"vendor\">\n    <div class=\"wrap\">\n      <div class=\"section-head\" data-reveal>\n        <div class=\"eyebrow\">\u2605 \u00a703 \u00b7 Vendor &amp; Subcontractor Management \u00b7 Six Operational Stages<\/div>\n        <h2 class=\"title\">Six stages. <em>Every sub-processor documented.<\/em> Every vendor under DPA.<\/h2>\n        <p class=\"lead\">Othello operates a <strong>strict no-outsourcing rule for substantive bench work<\/strong> &mdash; translation, ESG advisory, research, drafting are all performed by named bench members in Bangkok. <em>But the firm uses technical sub-processors (cloud infrastructure, productivity tools, communication services, security tools) like every modern business<\/em>; those sub-processors are managed under documented vendor controls. <strong>The vendor management workflow runs in six stages<\/strong> from screening through off-boarding, with documented evidence at each stage. The current sub-processor list is available to procurement reviewers under NDA on request; substantive changes to the sub-processor list are notified to active-engagement clients with reasonable advance notice.<\/p>\n      <\/div>\n\n      <div class=\"qd-block wf\" data-reveal>\n        <div class=\"qd-eye\">\u2605 NO OUTSOURCING OF SUBSTANTIVE WORK &middot; TECHNICAL SUB-PROCESSORS DOCUMENTED &middot; DPA-FIRST<\/div>\n        <h3>From vendor screening to off-boarding. <em>One workflow.<\/em><\/h3>\n        <p>How Othello&#8217;s vendor management discipline operates: every technical sub-processor is screened, contracted, monitored, and off-boarded under documented controls. <strong>The output is a documented sub-processor list with active DPA evidence, supplied to procurement reviewers under NDA<\/strong>. See <a href=\"\/compliance\/\">Compliance Center<\/a> for the regulatory regime backbone, and <a href=\"\/our-process\/\">Our Process<\/a> for the broader bench discipline.<\/p>\n\n        <div class=\"qd-steps\" data-reveal-stagger>\n          <div class=\"qd-step\">\n            <div class=\"qs-num\">STAGE 01<\/div>\n            <div class=\"qs-body\"><span class=\"qs-title\">Vendor screening &middot; substantive due-diligence.<\/span><strong>Before any vendor processes Othello client data, the vendor undergoes documented screening<\/strong>. <em>Substantive criteria<\/em>: jurisdictional data residency (preference for GDPR-adequate or jurisdictions with adequacy decisions), public security posture (SOC 2 Type II, ISO 27001, or equivalent), public breach history (recent material breaches trigger heightened scrutiny), and contractual willingness to execute Othello&#8217;s standard DPA. <strong>Where a vendor&#8217;s security posture is below the firm&#8217;s threshold, the vendor is rejected and an alternative is selected<\/strong>; client data does not enter the vendor environment.<\/div>\n          <\/div>\n          <div class=\"qd-step\">\n            <div class=\"qs-num\">STAGE 02<\/div>\n            <div class=\"qs-body\"><span class=\"qs-title\">Data classification &middot; what touches the vendor.<\/span><strong>Each approved vendor is mapped to specific data categories it processes<\/strong>. <em>Categories<\/em>: client identity data (contact details, billing), engagement metadata (project names, scheduling), substantive content (the actual translation source\/target, ESG report draft, advisory deliverable), and authentication credentials. <strong>The mapping determines applicable controls<\/strong>: substantive-content vendors are held to the strictest controls; metadata-only vendors face proportionate but lighter requirements. <em>Sensitive engagements (legal, healthcare, capital markets) may have client-specific restrictions on which vendors may touch substantive content<\/em>.<\/div>\n          <\/div>\n          <div class=\"qd-step\">\n            <div class=\"qs-num\">STAGE 03<\/div>\n            <div class=\"qs-body\"><span class=\"qs-title\">Data processing agreement &middot; contractual backbone.<\/span><strong>Every vendor that processes Othello client data operates under a Data Processing Agreement (DPA)<\/strong>. <em>DPA terms align with GDPR Article 28 and PDPA Section 40<\/em>: documented processing purpose, security obligations (encryption, access controls, incident response), sub-processing chain disclosure, audit rights, breach notification timelines (typically 24-48 hours vendor-to-Othello so Othello can meet the 72-hour client-notification window), data-return-or-destruction at contract end. <strong>Where a vendor refuses Othello&#8217;s standard DPA terms, the vendor is not engaged<\/strong>; the substantive standard is non-negotiable.<\/div>\n          <\/div>\n          <div class=\"qd-step\">\n            <div class=\"qs-num\">STAGE 04<\/div>\n            <div class=\"qs-body\"><span class=\"qs-title\">Sub-processor list &middot; documented + disclosed.<\/span><strong>Othello maintains a documented sub-processor list with vendor name, processing purpose, data category, and jurisdiction<\/strong>. <em>The list is supplied to procurement reviewers under NDA<\/em> at vendor-onboarding diligence, and to active-engagement clients on request. <strong>Substantive changes to the list (new substantive-content sub-processors) are notified to active-engagement clients with reasonable advance notice<\/strong>, allowing the client to raise objection within the engagement letter terms. <em>The disclosure discipline is GDPR Article 28(2)\/PDPA Section 40-aligned<\/em> &mdash; the regulatory regime that motivates the operational practice.<\/div>\n          <\/div>\n          <div class=\"qd-step\">\n            <div class=\"qs-num\">STAGE 05<\/div>\n            <div class=\"qs-body\"><span class=\"qs-title\">Ongoing monitoring &middot; annual review + incident response.<\/span><strong>Each substantive-content sub-processor is subject to annual review<\/strong>: confirmation of security posture, certification renewal, jurisdiction continuity, no material breach history, DPA continuing in force. <em>Where a vendor&#8217;s security posture degrades or a material breach is disclosed<\/em>, the firm assesses whether continued engagement is appropriate and notifies active-engagement clients if a sub-processor change is required. <strong>Vendor incident-response runs through the firm&#8217;s breach response procedure (Pillar 04)<\/strong>: vendor notifies Othello within DPA-specified window, Othello assesses materiality to active engagements, Othello notifies affected clients within the 72-hour client-facing window.<\/div>\n          <\/div>\n          <div class=\"qd-step\">\n            <div class=\"qs-num\">STAGE 06<\/div>\n            <div class=\"qs-body\"><span class=\"qs-title\">Off-boarding &middot; data return or certified destruction.<\/span><strong>At end of vendor engagement, Othello directs the vendor to return or destroy all Othello client data held by the vendor<\/strong>. <em>Where the vendor&#8217;s standard practice supports certified destruction (cryptographic erasure for encrypted storage, NIST 800-88-aligned), Othello relies on the destruction certificate<\/em>; where the vendor&#8217;s standard practice requires data return for Othello-side destruction, the data returns through encrypted channel and is destroyed per Pillar 03. <strong>Off-boarded vendors are removed from the sub-processor list within 30 days of effective off-boarding<\/strong>; the list is updated and re-distributed to clients with active disclosure obligations.<\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <p style=\"font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:88ch;padding:18px 22px;background:var(--k1);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2\" data-reveal>&starf; <b style=\"color:var(--r)\">THE NO-OUTSOURCING RULE IS THE FOUNDATIONAL DISCIPLINE<\/b> &middot; <b style=\"color:var(--w)\">Substantive bench work (translation, advisory, drafting, research) is performed in-house by named Bangkok-managed bench members &mdash; never outsourced to freelance pools, offshored to lower-cost jurisdictions, or routed through marketplace platforms.<\/b> <em>Technical sub-processors (cloud infrastructure, productivity tools, secure communications) are used like every modern business uses them &mdash; but documented, contracted, monitored, and disclosed<\/em>. <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">The substantive work stays Bangkok; the documentation stays auditable<\/em>. The combination is what makes the procurement-grade vendor-vetting picture coherent.<\/p>\n    <\/div>\n  <\/section>\n\n  <!-- ============ \u00a704 \u2014 THE REGULATORY BACKBONE ============ -->\n  <section class=\"pm-sec\" id=\"regulatory\" style=\"background:var(--k1)\">\n    <div class=\"wrap\">\n      <div class=\"section-head\" data-reveal>\n        <div class=\"eyebrow\">\u2605 \u00a704 \u00b7 The Regulatory Backbone Behind Operational Practice<\/div>\n        <h2 class=\"title\">Six anchors. <em>One regulatory backbone.<\/em><\/h2>\n        <p class=\"lead\">The data-security operational practice documented above sits on a documented regulatory backbone: <strong>two firm-level data-protection credentials (GDPR + PDPA), one foundational discipline (NDA-from-first-email), one origin standard (FAR-grade contractor verification), and two integrating documents (the firm&#8217;s 20-credential register and the Compliance Center)<\/strong>. The six anchors below are what makes the operational posture defensible under procurement scrutiny, regulator inquiry, and contractual review.<\/p>\n      <\/div>\n\n      <div class=\"pm-grid\" data-reveal-stagger>\n\n        <div class=\"pm-card\">\n          <div class=\"pm-num\">STD 01 \u00b7 EU REGULATION<\/div>\n          <h3>GDPR <em>extraterritorial.<\/em><\/h3>\n          <p><strong>The EU General Data Protection Regulation operates extraterritorially under Article 3<\/strong> &mdash; applying to Othello when handling personal data of EU data subjects or providing services to EU-established controllers. <em>Othello holds firm-level GDPR compliance posture documented at \/certifications\/gdpr\/<\/em>: lawful bases mapped, Article 28 controller-processor terms in place, Article 33 breach notification procedure operational, data subject rights procedure documented. <strong>The 72-hour breach notification window is operationally calibrated to the GDPR Article 33(1) standard<\/strong>.<\/p>\n          <div class=\"pm-spec\">\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Regulation<\/span><span class=\"pm-spec-v\"><b>GDPR (EU) 2016\/679<\/b><\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Reach<\/span><span class=\"pm-spec-v\">Article 3 extraterritorial<\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Detail<\/span><span class=\"pm-spec-v\">\/certifications\/gdpr\/<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"pm-card\">\n          <div class=\"pm-num\">STD 02 \u00b7 THAI REGULATION<\/div>\n          <h3>PDPA <em>Thai framework.<\/em><\/h3>\n          <p><strong>The Thai Personal Data Protection Act B.E. 2562 (2019) is the domestic regulatory framework<\/strong>, supervised by the Personal Data Protection Committee (PDPC) under the Ministry of Digital Economy and Society. <em>Othello holds firm-level PDPA compliance posture documented at \/certifications\/pdpa\/<\/em>: lawful bases under Section 24 mapped, controller-processor terms under Section 40 in place, breach notification under Section 37 procedure operational. <strong>The PDPA breach notification window aligns with GDPR&#8217;s 72 hours<\/strong> &mdash; Othello&#8217;s single 72-hour standard satisfies both regimes simultaneously.<\/p>\n          <div class=\"pm-spec\">\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Regulation<\/span><span class=\"pm-spec-v\"><b>PDPA B.E. 2562<\/b><\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Supervisor<\/span><span class=\"pm-spec-v\">PDPC \/ MDES<\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Detail<\/span><span class=\"pm-spec-v\">\/certifications\/pdpa\/<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"pm-card\">\n          <div class=\"pm-num\">STD 03 \u00b7 NDA STANDARD<\/div>\n          <h3>NDA from <em>first email.<\/em><\/h3>\n          <p><strong>Othello&#8217;s NDA is in place from the first email of any prospective engagement, not from contract signature<\/strong>. <em>This is the foundational confidentiality discipline inherited from US Government contract origin<\/em>: any client data, business context, or substantive information shared with the firm at any stage of engagement scoping is treated as confidential under the firm&#8217;s NDA Standard. <strong>The substantive standard is mutual<\/strong> &mdash; Othello equally protects its bench composition, methodology, pricing, and engagement structure under the same confidentiality discipline. See <em>\/nda-confidentiality\/<\/em> for the NDA Standard document.<\/p>\n          <div class=\"pm-spec\">\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Trigger<\/span><span class=\"pm-spec-v\"><b>First email<\/b><\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Direction<\/span><span class=\"pm-spec-v\">Mutual<\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Document<\/span><span class=\"pm-spec-v\">\/nda-confidentiality\/<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"pm-card\">\n          <div class=\"pm-num\">STD 04 \u00b7 FAR-GRADE ORIGIN<\/div>\n          <h3>FAR-grade <em>contractor verification.<\/em><\/h3>\n          <p><strong>Othello was founded in 2020 on US Government bilingual contracts<\/strong> &mdash; US CDC, US State Department, UN Women, UK PACT. <em>US Government contracting requires Federal Acquisition Regulation (FAR) compliance<\/em> on the contractor side: contractor verification, audit-trail discipline, conflict-of-interest screening, security clearance protocols where applicable. <strong>The firm&#8217;s procurement-grade audit-trail discipline is inherited from this origin<\/strong> &mdash; not retro-fitted commercial language but the practice the firm was founded operating under. Bench training, engagement ledger discipline, and the no-outsourcing rule all trace to FAR-grade origin.<\/p>\n          <div class=\"pm-spec\">\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Origin<\/span><span class=\"pm-spec-v\"><b>USG contracts 2020<\/b><\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Standard<\/span><span class=\"pm-spec-v\">FAR-grade discipline<\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Clients<\/span><span class=\"pm-spec-v\">CDC, State, UN, PACT<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"pm-card\">\n          <div class=\"pm-num\">STD 05 \u00b7 20 CREDENTIALS<\/div>\n          <h3>Firm-level <em>credential register.<\/em><\/h3>\n          <p><strong>The firm holds five firm-level credentials and 15 bench practitioner credentials<\/strong>, all independently verifiable on the issuing body&#8217;s registry. <em>Firm-level credentials directly relevant to data-security posture<\/em>: ISO 17100 (translation quality management with ISO 9001 paired), ATA (American Translators Association membership), ATC (Association of Translation Companies membership), <strong>GDPR + PDPA (the data-protection backbone)<\/strong>. <em>Bench credentials add 15 further independent practitioner-level credentials<\/em> across climate &amp; carbon, ESG reporting, and EU cross-border disclosure. The complete register is at <em>\/certifications\/<\/em>.<\/p>\n          <div class=\"pm-spec\">\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Total<\/span><span class=\"pm-spec-v\"><b>20 credentials<\/b><\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Firm-level<\/span><span class=\"pm-spec-v\">5 (incl. GDPR+PDPA)<\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Register<\/span><span class=\"pm-spec-v\">\/certifications\/<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"pm-card\">\n          <div class=\"pm-num\">STD 06 \u00b7 COMPLIANCE CENTER<\/div>\n          <h3>Compliance <em>center.<\/em><\/h3>\n          <p><strong>The Compliance Center documents the regulatory regimes Othello operates within across sectors<\/strong>: capital markets (SEC Thailand &amp; SET disclosure rules), healthcare (HIPAA + Thai MoPH), legal (privilege + court rules), government (FAR + UN procurement). <em>The Data Security page covers operational controls; the Compliance Center covers the regulatory regimes those controls are calibrated to<\/em>. <strong>Together with the NDA Standard, Privacy Policy, and Terms of Service, the Compliance Center forms the firm&#8217;s complete vendor-vetting documentation set<\/strong>. Located at <em>\/compliance\/<\/em>.<\/p>\n          <div class=\"pm-spec\">\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Page<\/span><span class=\"pm-spec-v\"><b>Compliance Center<\/b><\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Scope<\/span><span class=\"pm-spec-v\">Regulatory regimes<\/span><\/div>\n            <div class=\"pm-spec-row\"><span class=\"pm-spec-k\">Location<\/span><span class=\"pm-spec-v\">\/compliance\/<\/span><\/div>\n          <\/div>\n        <\/div>\n\n      <\/div>\n\n      <p style=\"font-size:12.5px;line-height:1.7;color:var(--w2);margin:32px 0 0;font-family:var(--m);letter-spacing:.02em;max-width:88ch;padding:18px 22px;background:var(--k);border:1px solid var(--line);border-left:3px solid var(--r);position:relative;z-index:2\" data-reveal>&starf; <b style=\"color:var(--r)\">THE STACK IS WHY THE POSTURE IS DEFENSIBLE<\/b> &middot; <b style=\"color:var(--w)\">Data-security posture statements are only as credible as the regulatory backbone behind them.<\/b> <em style=\"color:var(--r);font-family:var(--d);font-style:italic\">Othello&#8217;s stack &mdash; GDPR + PDPA credentials independently verifiable, FAR-grade origin documented through 2020 US Government contracts, NDA-from-first-email as foundational discipline, 20 credentials on the register, and the Compliance Center integrating regulatory regimes &mdash; is what allows the operational claims on this page to hold up under procurement scrutiny<\/em>. <strong>For corporate counsel, security teams, and vendor risk officers vetting Othello, the documentation set is complete and the verification routes are clear<\/strong>: contact the firm under NDA for the Information Security Policy, the sub-processor list, and the engagement ledger sample.<\/p>\n    <\/div>\n  <\/section>\n\n\n  <!-- ============ ADJACENT ============ -->\n  <section class=\"as-sec\" id=\"adjacent\">\n    <div class=\"wrap\">\n      <div class=\"section-head\" data-reveal>\n        <div class=\"eyebrow\">\u2605 Adjacent \u00b7 The Vendor-Vetting Documentation Set<\/div>\n        <h2 class=\"title\">Three adjacent documents. <em>One complete set.<\/em><\/h2>\n        <p class=\"lead\">The Data Security page is one of <strong>three substantive documents<\/strong> procurement reviewers, corporate counsel, and security teams consult when vetting Othello. <em>Each document covers a distinct dimension<\/em>: this page covers operational controls; the GDPR + PDPA credential pages cover the regulatory backbone; the Compliance Center covers the regulatory regimes across sectors. <strong>Together with the NDA Standard, Privacy Policy, and Terms of Service, the four-document set is the complete vendor-vetting picture<\/strong>.<\/p>\n      <\/div>\n\n      <div class=\"as-grid\" data-reveal-stagger>\n\n        <a href=\"\/certifications\/gdpr\/\" class=\"as-card gold\">\n          <div class=\"as-icon\"><svg viewBox=\"0 0 24 24\"><rect x=\"3\" y=\"11\" width=\"18\" height=\"11\" rx=\"2\" ry=\"2\"\/><path d=\"M7 11V7a5 5 0 0 1 10 0v4\"\/><\/svg><\/div>\n          <div class=\"as-tag\">\u2605 GDPR \u00b7 EU REGULATION<\/div>\n          <h3>GDPR &middot; <em>extraterritorial regulation<\/em><\/h3>\n          <p><strong>The EU General Data Protection Regulation operates extraterritorially under Article 3<\/strong>, applying to Othello when handling EU data subject personal data or providing services to EU controllers. <em>Firm-level GDPR posture is documented at the credential page<\/em>: lawful bases mapped, Article 28 controller-processor terms in place, Article 33 breach notification procedure operational. The 72-hour breach window is GDPR-calibrated.<\/p>\n          <span class=\"as-arrow\">Open GDPR<\/span>\n        <\/a>\n\n        <a href=\"\/certifications\/pdpa\/\" class=\"as-card\">\n          <div class=\"as-icon\"><svg viewBox=\"0 0 24 24\"><path d=\"M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z\"\/><\/svg><\/div>\n          <div class=\"as-tag\">PDPA \u00b7 THAI REGULATION<\/div>\n          <h3>PDPA &middot; the Thai national framework<\/h3>\n          <p><strong>The Thai Personal Data Protection Act B.E. 2562 (2019) is the domestic regulatory framework<\/strong>, supervised by the PDPC under the Ministry of Digital Economy and Society. <em>Firm-level PDPA posture is documented at the credential page<\/em>: Section 24 lawful bases mapped, Section 40 controller-processor terms in place, Section 37 breach notification procedure operational. The PDPA breach window aligns with GDPR&#8217;s 72 hours.<\/p>\n          <span class=\"as-arrow\">Open PDPA<\/span>\n        <\/a>\n\n        <a href=\"\/compliance\/\" class=\"as-card\">\n          <div class=\"as-icon\"><svg viewBox=\"0 0 24 24\"><circle cx=\"12\" cy=\"8\" r=\"6\"\/><path d=\"M15.477 12.89 17 22l-5-3-5 3 1.523-9.11\"\/><\/svg><\/div>\n          <div class=\"as-tag\">COMPLIANCE \u00b7 REGULATORY REGIMES<\/div>\n          <h3>Compliance Center &middot; the regime overview<\/h3>\n          <p><strong>The Compliance Center documents the regulatory regimes Othello operates within across sectors<\/strong>: SEC Thailand &amp; SET (capital markets), HIPAA + Thai MoPH (healthcare), privilege + court rules (legal), FAR + UN procurement (government). <em>This Data Security page covers operational controls; the Compliance Center covers the regimes those controls are calibrated to.<\/em> Both pair with the NDA Standard, Privacy Policy, and Terms.<\/p>\n          <span class=\"as-arrow\">Open Compliance<\/span>\n        <\/a>\n\n      <\/div>\n    <\/div>\n  <\/section>\n\n  <!-- ============ FAQ ============ -->\n  <section class=\"faq-sec\" id=\"faqs\">\n    <div class=\"wrap\">\n      <div class=\"section-head center\" data-reveal>\n        <div class=\"eyebrow\">\u2605 Data Security FAQ \u00b7 Ten Procurement Questions<\/div>\n        <h2 class=\"title\">Procurement questions <em>answered up front.<\/em><\/h2>\n        <p class=\"lead\" style=\"margin:0 auto\">Substantive answers to what corporate counsel, security teams, vendor risk officers, and procurement reviewers routinely ask when vetting Othello against client information security requirements.<\/p>\n      <\/div>\n\n      <div class=\"faq-grid\" data-reveal>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.01<\/span><span>What encryption standards apply to client data?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>AES-256 at rest, TLS 1.3 in transit, applied to every byte of client data without exception<\/strong>. <em>AES-256 is the symmetric encryption standard adopted by the US Government for protecting classified information at the SECRET level and below<\/em>; TLS 1.3 is the current Transport Layer Security version with forward secrecy and authenticated encryption. Coverage includes: engagement files, working documents, email attachments, archive storage, backup media, and the engagement ledger itself. <strong>Encryption keys are managed via the cloud provider&#8217;s key management service<\/strong> with rotation policies, audit logging, and access restricted to named technical leads. <em>For high-sensitivity engagements (legal, healthcare PHI, capital markets material non-public information), client-managed encryption keys (BYOK) are available<\/em> under the engagement letter.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.02<\/span><span>What is the breach notification process and timeline?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>72-hour client notification window from becoming aware of a personal-data breach<\/strong>, aligning with both GDPR Article 33 (controller notification window) and PDPA breach notification requirements. <em>Breach response runs to a documented internal procedure<\/em>: (1) Containment &mdash; immediate technical steps to limit scope; (2) Assessment &mdash; categorisation, affected data identification, harm assessment; (3) Notification &mdash; client notification within 72 hours, regulator notification support where required by the client; (4) Remediation &mdash; technical fix, access review, vendor escalation if vendor-side breach; (5) Post-incident review &mdash; root-cause analysis, process improvement, documentation update. <strong>Vendor sub-processor incidents trigger faster vendor-to-Othello notification (typically 24-48 hours per DPA)<\/strong> so Othello can meet the 72-hour client-facing window. The breach response procedure is documented and supplied to procurement reviewers under NDA.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.03<\/span><span>Where is client data physically stored and processed?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>Substantive work is Bangkok-managed throughout<\/strong>; technical storage is in the firm&#8217;s cloud environment with documented data residency. <em>Bench-member working location is Bangkok<\/em> &mdash; the no-outsourcing rule prevents substantive work from being routed through freelance pools, offshored to lower-cost jurisdictions, or processed via marketplace platforms. <strong>For cross-border transfers to client-side jurisdictions outside Thailand<\/strong>, the firm follows GDPR-aligned transfer mechanisms: Standard Contractual Clauses (SCCs) where applicable, adequacy decisions where applicable, derogations only with explicit client authorisation in the engagement letter. <em>Cloud data residency can be configured per engagement<\/em> &mdash; clients with regulatory requirements pinning data to a specific jurisdiction (EU residency, healthcare-specific) can specify in the engagement letter; the technical configuration follows.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.04<\/span><span>How long is client data retained after the engagement closes?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>Default retention is 90 days after engagement closure, then certified destruction<\/strong>. <em>Longer retention applies where statutory hold requirements exist<\/em>: Thai legal-sector retention rules, healthcare records retention, financial advisory work-paper requirements, legal-privilege documentation, capital markets working-paper requirements. <em>Shorter retention is available on client request<\/em> in the engagement letter &mdash; some clients prefer 30-day retention with destruction certificate issued shortly after closure; the firm accommodates with engagement-letter documentation. <strong>Destruction follows NIST 800-88 Clear\/Purge guidelines<\/strong>: cryptographic erasure for encrypted storage, overwrite for non-encrypted, physical destruction for failed media. Destruction certificate available on client request as part of engagement closure. <em>Backup-cycle data is destroyed on rolling schedule per the encryption pillar<\/em>; no client data persists beyond the documented retention window plus the defined backup-cycle clearing period.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.05<\/span><span>Does Othello use AI tools to process client data?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>No client data is processed through public AI tools, free translation engines, or unmanaged third-party services<\/strong>. <em>The no-outsourcing rule extends to algorithmic services<\/em>: client data does not enter ChatGPT, free translation engines, public LLM APIs, or any service where the data could be used for model training or could be accessed outside the firm&#8217;s documented sub-processor list. <strong>Where AI-assisted tooling is used within bench work, it is through enterprise-grade contracts with documented data handling terms<\/strong>: no model training on client data, no retention beyond processing window, encryption in transit and at rest, full audit logging. <em>The firm&#8217;s stance on AI tooling is documented in the engagement letter<\/em>: if the client wants to restrict AI tooling entirely from their engagement, the restriction is implemented; if the client wants AI-assisted work, the specific terms are agreed. <strong>Bench credentials prioritise substantive technical and domain expertise over AI-augmentation<\/strong> &mdash; consistent with the firm&#8217;s substantive-over-performative positioning.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.06<\/span><span>What sub-processors does Othello use?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>The current sub-processor list is documented internally and supplied to procurement reviewers under NDA on request<\/strong>. <em>Typical sub-processor categories<\/em>: enterprise cloud infrastructure (compute, storage), enterprise productivity suite (collaboration, documents), enterprise email and secure messaging, security tooling (endpoint protection, access management), and engagement-specific tooling where required (specialised translation memory tools, ESG reporting platforms). <strong>All substantive-content sub-processors operate under Data Processing Agreements aligned with GDPR Article 28 and PDPA Section 40<\/strong>; the firm&#8217;s standard DPA is non-negotiable on substantive terms (encryption, access controls, breach notification timeline, sub-processing disclosure, data return-or-destruction at end). <em>Substantive changes to the sub-processor list are notified to active-engagement clients with reasonable advance notice<\/em>, allowing the client to raise objection within the engagement letter terms.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.07<\/span><span>What audit trail does Othello maintain on client data?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>Engagement-by-engagement documentation chain is maintained in the firm&#8217;s engagement ledger<\/strong>. <em>Documented events per engagement<\/em>: intake (timestamp, channel, file inventory, NDA status), access (named-user accesses, timestamps), processing (working document revisions, methodology decisions), transmission (delivery events, channels, recipients), retention (extension events, statutory hold flags), and destruction (certified destruction event, certificate identifier). <strong>The engagement ledger is the substantive procurement-grade audit-trail discipline inherited from the firm&#8217;s 2020 US Government contract origin<\/strong> &mdash; not a retrofitted commercial control but the practice the firm was founded operating under. <em>The ledger is available to client procurement reviewers under NDA as part of vendor onboarding or post-incident review<\/em>. Substantive material non-public information engagements (capital markets, healthcare PHI, legal-privilege-relevant) may have engagement-specific audit-trail enhancements documented in the engagement letter.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.08<\/span><span>Does Othello have ISO 27001 \/ SOC 2 certification?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>Othello does not currently hold ISO 27001 or SOC 2 Type II certification at firm level<\/strong>. <em>The firm&#8217;s data-security posture rests on the GDPR + PDPA credentials documented at firm level, the FAR-grade contractor verification origin from US Government contracts, and the operationally documented controls described on this page<\/em>. <strong>For clients with mandatory ISO 27001 \/ SOC 2 vendor requirements<\/strong>, the substantive sub-processors (enterprise cloud infrastructure, enterprise productivity suite) typically hold these certifications, and the firm&#8217;s DPA terms enforce the underlying controls regardless of certification status. <em>Where a client requires a substantively equivalent attestation<\/em>, the firm can provide its internal Information Security Policy under NDA, supplied with the sub-processor list and engagement ledger sample, for the client&#8217;s vendor-vetting review. <strong>The firm is open about what it holds and what it does not hold<\/strong> &mdash; honest scoping is the standing principle.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.09<\/span><span>What happens to data on bench-member departure?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p><strong>Access is revoked within one business day of bench-member departure<\/strong>, formally cycled through the firm&#8217;s access management system. <em>No client data is stored on bench-member personal devices<\/em>; all working is in the firm-managed cloud environment, so departure does not transfer any data physically off-firm. <strong>Departing bench members are subject to ongoing confidentiality obligations under the firm&#8217;s mutual NDA<\/strong> &mdash; the NDA is mutual (firm-bench), and the confidentiality obligation survives the bench engagement. <em>For engagements with elevated sensitivity (capital markets MNPI, legal privilege, healthcare PHI)<\/em>, additional engagement-specific confidentiality terms apply documented in the engagement letter; bench members assigned to such engagements have specific exit procedures including written confirmation of returned\/destroyed materials. <strong>The bench has been stable since founding 2020<\/strong>; bench turnover is low, and the documentation discipline supports a clean handover when departure does occur.<\/p>\n          <\/div>\n        <\/details>\n\n        <details class=\"faq\">\n          <summary><span class=\"faq-num\">Q.10<\/span><span>How do we complete vendor-vetting documentation for Othello?<\/span><span class=\"faq-ic\" aria-hidden=\"true\">+<\/span><\/summary>\n          <div class=\"faq-body\">\n            <p>The vendor-vetting documentation set comprises four publicly accessible documents and three NDA-protected documents. <strong>Publicly accessible<\/strong>: <em>this Data Security page<\/em> (operational controls), <em>Compliance Center at \/compliance\/<\/em> (regulatory regimes), <em>GDPR + PDPA credential pages at \/certifications\/<\/em> (regulatory backbone), <em>NDA Standard at \/nda-confidentiality\/<\/em>, <em>Privacy Policy<\/em>, <em>Terms of Service<\/em>. <strong>Available under NDA on request<\/strong>: the firm&#8217;s <em>Information Security Policy<\/em> (internal operational policy document), the current <em>sub-processor list<\/em> (substantive vendors with DPA evidence), and an <em>engagement ledger sample<\/em> redacted to remove client-identifying information (demonstrating the audit-trail discipline). <em>To initiate vendor-vetting<\/em>: contact <a href=\"mailto:info@othelloshop.com?subject=Vendor%20Vetting%20%E2%80%94%20Information%20Security%20Documentation\">info@othelloshop.com<\/a> with the procurement team&#8217;s vendor-onboarding requirements; the firm typically completes a full vendor-vetting documentation supply within 3-5 business days of NDA execution. <strong>For accelerated vetting (where the engagement scoping is time-sensitive), 1-2 business day completion is available on request<\/strong>. Founded 2020 on US Government bilingual contracts under FAR-grade contractor verification, the firm&#8217;s standing position is that procurement-grade documentation is a precondition for substantive engagement, not a friction to be minimised. Email <a href=\"mailto:info@othelloshop.com?subject=Vendor%20Vetting%20%E2%80%94%20Information%20Security%20Documentation\">info@othelloshop.com<\/a> or call <a href=\"tel:+6628592145\">+66 02-859-2145<\/a>.<\/p>\n          <\/div>\n        <\/details>\n\n      <\/div>\n    <\/div>\n  <\/section>\n\n  <!-- ============ FINAL CTA ============ -->\n  <section class=\"cta-sec\" id=\"engage\">\n    <div class=\"cta-content\">\n      <h2 data-reveal>Data security <em>operationally documented.<\/em> Twenty credentials behind the practice.<\/h2>\n      <p data-reveal>The operational data-security controls described on this page are inherited from Othello&#8217;s FAR-grade origin and operationalised through the firm&#8217;s GDPR + PDPA credentials, NDA Standard, Compliance Center, and 20-credential register &mdash; <strong>one bench, one audit trail, one engagement letter, one set of controls applied to every engagement regardless of size or sector<\/strong>. For procurement reviewers, corporate counsel, security teams, and vendor risk officers vetting Othello, the full documentation set (Information Security Policy, sub-processor list, engagement ledger sample) is available under NDA on request, typically supplied within 3-5 business days of NDA execution. \u22641 BH acknowledgement &middot; vendor-vetting scoping within 1 BD &middot; NDA from first email.<\/p>\n      <div class=\"cta-buttons\" data-reveal>\n        <a href=\"mailto:info@othelloshop.com?subject=Vendor%20Vetting%20%E2%80%94%20Information%20Security%20Documentation\" class=\"btn btn-primary\">Request Vendor-Vetting Documentation<\/a>\n        <a href=\"\/compliance\/\" class=\"btn btn-outline\">Open Compliance Center<\/a>\n      <\/div>\n      <div class=\"cta-note\" data-reveal>\n        <a href=\"tel:+6628592145\"><b>+66 02-859-2145<\/b><\/a> <span class=\"sep\">&middot;<\/span> <a href=\"mailto:info@othelloshop.com\"><b>info@othelloshop.com<\/b><\/a><br>\n        Unit 12-03, Chartered Square <span class=\"sep\">&middot;<\/span> 152 N Sathon Rd <span class=\"sep\">&middot;<\/span> Si Lom <span class=\"sep\">&middot;<\/span> Bangkok 10500\n      <\/div>\n    <\/div>\n  <\/section>\n\n  <!-- ============ ENDLINE ============ -->\n  <div class=\"endline\">\n    Data Security Posture <span class=\"r\">&middot;<\/span> AES-256 At Rest &middot; TLS 1.3 In Transit <span class=\"r\">&middot;<\/span> NDA From First Email &middot; Mutual Confidentiality <span class=\"r\">&middot;<\/span> Bangkok-Managed &middot; No Outsourcing Of Substantive Work <span class=\"r\">&middot;<\/span> GDPR + PDPA Regulatory Backbone <span class=\"r\">&middot;<\/span> 72-Hour Breach Notification &middot; PDPA = GDPR Aligned <span class=\"r\">&middot;<\/span> 90-Day Default Retention &middot; NIST 800-88 Destruction <span class=\"r\">&middot;<\/span> Least-Privilege Access Controls &middot; MFA Mandatory <span class=\"r\">&middot;<\/span> Sub-Processor List Documented &middot; DPA-First Vendor Management <span class=\"r\">&middot;<\/span> Engagement Ledger Audit Trail <span class=\"r\">&middot;<\/span> No Public AI Tools On Client Data <span class=\"r\">&middot;<\/span> FAR-Grade Origin From 2020 US Government Contracts <span class=\"r\">&middot;<\/span> 20 Credentials On The Register <span class=\"r\">&middot;<\/span> Pairs With Compliance Center &middot; NDA Standard &middot; Privacy Policy &middot; Terms Of Service <span class=\"r\">&mdash;<\/span> Othello International\n  <\/div>\n\n<\/div>\n<!-- \/.oth-ds PAGE END -->\n<script>\n(function(){\n  if (typeof window === 'undefined' || typeof document === 'undefined') return;\n  var root = document.querySelector('.oth-ds');\n  if (!root) return;\n  root.classList.add('js-on');\n  \/\/ safety net: after 4s, reveal anything still hidden\n  setTimeout(function(){ root.querySelectorAll('[data-reveal], [data-reveal-stagger]').forEach(function(el){ el.classList.add('in'); }); }, 4000);\n\n  \/\/ one-FAQ-open-at-a-time\n  var faqs = root.querySelectorAll('details.faq');\n  faqs.forEach(function(f){\n    f.addEventListener('toggle', function(){\n      if (f.open){ faqs.forEach(function(o){ if (o !== f && o.open) o.open = false; }); }\n    });\n  });\n\n  \/\/ smooth in-page anchors\n  root.querySelectorAll('a[href^=\"#\"]').forEach(function(a){\n    a.addEventListener('click', function(e){\n      var id = a.getAttribute('href');\n      if (id.length < 2) return;\n      var t = root.querySelector(id) || document.querySelector(id);\n      if (t){ e.preventDefault(); t.scrollIntoView({behavior:'smooth', block:'start'}); history.pushState(null,'',id); }\n    });\n  });\n\n  \/\/ reveal + counters\n  var revealEls = root.querySelectorAll('[data-reveal], [data-reveal-stagger]');\n  if ('IntersectionObserver' in window &#038;&#038; revealEls.length){\n    var io = new IntersectionObserver(function(entries){\n      entries.forEach(function(e){\n        if (e.isIntersecting){\n          e.target.classList.add('in');\n          var counters = e.target.querySelectorAll('[data-count-to]');\n          counters.forEach(function(c){\n            if (c.dataset.counted) return;\n            c.dataset.counted = '1';\n            var target = parseFloat(c.getAttribute('data-count-to')) || 0;\n            var decimals = parseInt(c.getAttribute('data-count-decimals') || '0', 10);\n            var dur = 1600;\n            var t0 = performance.now();\n            function step(now){\n              var p = Math.min((now - t0) \/ dur, 1);\n              var eased = 1 - Math.pow(1 - p, 3);\n              var val = target * eased;\n              c.textContent = decimals > 0 ? val.toFixed(decimals) : Math.round(val).toLocaleString();\n              if (p < 1) requestAnimationFrame(step);\n              else c.textContent = decimals > 0 ? target.toFixed(decimals) : Math.round(target).toLocaleString();\n            }\n            requestAnimationFrame(step);\n          });\n          io.unobserve(e.target);\n        }\n      });\n    }, { threshold: 0.12, rootMargin: '0px 0px -40px 0px' });\n    revealEls.forEach(function(el){ io.observe(el); });\n  } else {\n    revealEls.forEach(function(el){ el.classList.add('in'); });\n    root.querySelectorAll('[data-count-to]').forEach(function(c){\n      var target = parseFloat(c.getAttribute('data-count-to')) || 0;\n      c.textContent = Math.round(target).toLocaleString();\n    });\n  }\n})();\n<\/script>\n<script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@graph\": [\n    {\"@type\": \"WebPage\", \"@id\": \"https:\/\/www.othelloshop.com\/data-security\/#webpage\", \"name\": \"Data Security Posture - Operational Controls\", \"description\": \"Othello International's operational data-security posture statement, documenting AES-256 encryption at rest with TLS 1.3 in transit, least-privilege access controls, 90-day default retention with NIST 800-88 destruction, 72-hour breach notification aligned with both PDPA Thai and GDPR EU regimes, documented sub-processor management under Data Processing Agreements, Bangkok-managed no-outsourcing discipline, NDA-from-first-email confidentiality standard, and the procurement-grade engagement ledger audit trail inherited from the firm's 2020 US Government contract origin under FAR-grade contractor verification. The data-security posture sits on the firm's GDPR + PDPA regulatory backbone (independently verifiable firm-level credentials) and the 20-credential register, paired with the Compliance Center covering regulatory regimes across sectors (SEC Thailand, SET, HIPAA, Thai MoPH, legal privilege, FAR, UN procurement). For procurement reviewers, corporate counsel, security teams, and vendor risk officers vetting Othello, the publicly accessible documentation set (this Data Security page, Compliance Center, GDPR + PDPA credential pages, NDA Standard, Privacy Policy, Terms of Service) is supplemented under NDA by the firm's Information Security Policy, current sub-processor list with DPA evidence, and engagement ledger sample - typically supplied within 3-5 business days of NDA execution. Honest scoping: Othello does not currently hold ISO 27001 or SOC 2 Type II certification at firm level; the firm's data-security posture rests on the GDPR + PDPA credentials documented at firm level, the FAR-grade contractor verification origin, and operationally documented controls.\", \"url\": \"https:\/\/www.othelloshop.com\/data-security\/\", \"publisher\": {\"@type\": \"Organization\", \"name\": \"Othello International\", \"url\": \"https:\/\/www.othelloshop.com\/\", \"address\": {\"@type\": \"PostalAddress\", \"streetAddress\": \"Unit 12-03, Chartered Square, 152 North Sathon Road\", \"addressLocality\": \"Bang Rak\", \"addressRegion\": \"Bangkok\", \"postalCode\": \"10500\", \"addressCountry\": \"TH\"}, \"telephone\": \"+66-2-859-2145\", \"email\": \"info@othelloshop.com\"}, \"inLanguage\": [\"en\", \"th\"]},\n    {\"@type\": \"BreadcrumbList\", \"itemListElement\": [\n      {\"@type\": \"ListItem\", \"position\": 1, \"name\": \"Home\", \"item\": \"https:\/\/www.othelloshop.com\/\"},\n      {\"@type\": \"ListItem\", \"position\": 2, \"name\": \"Data Security\", \"item\": \"https:\/\/www.othelloshop.com\/data-security\/\"}\n    ]},\n    {\"@type\": \"FAQPage\", \"mainEntity\": [\n      {\"@type\":\"Question\",\"name\":\"What encryption standards apply to client data?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"AES-256 at rest, TLS 1.3 in transit, applied to every byte of client data without exception. AES-256 is the symmetric encryption standard adopted by the US Government for protecting classified information at the SECRET level and below; TLS 1.3 is the current Transport Layer Security version with forward secrecy and authenticated encryption. Coverage includes engagement files, working documents, email attachments, archive storage, backup media, and the engagement ledger itself. Encryption keys are managed via the cloud provider's key management service with rotation policies. For high-sensitivity engagements (legal, healthcare PHI, capital markets material non-public information), client-managed encryption keys (BYOK) are available under the engagement letter.\"}},\n      {\"@type\":\"Question\",\"name\":\"What is the breach notification process and timeline?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"72-hour client notification window from becoming aware of a personal-data breach, aligning with both GDPR Article 33 and PDPA breach notification requirements. Breach response runs to a documented procedure: containment, assessment, notification, remediation, post-incident review. Vendor sub-processor incidents trigger faster vendor-to-Othello notification (typically 24-48 hours per DPA) so Othello can meet the 72-hour client-facing window. The breach response procedure is documented and supplied to procurement reviewers under NDA.\"}},\n      {\"@type\":\"Question\",\"name\":\"Where is client data physically stored and processed?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Substantive work is Bangkok-managed throughout; technical storage is in the firm's cloud environment with documented data residency. Bench-member working location is Bangkok - the no-outsourcing rule prevents substantive work from being routed through freelance pools, offshored, or processed via marketplace platforms. For cross-border transfers, the firm follows GDPR-aligned mechanisms: Standard Contractual Clauses (SCCs), adequacy decisions, derogations only with explicit client authorisation. Cloud data residency can be configured per engagement.\"}},\n      {\"@type\":\"Question\",\"name\":\"How long is client data retained after the engagement closes?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Default retention is 90 days after engagement closure, then certified destruction. Longer retention applies where statutory hold requirements exist (Thai legal-sector retention, healthcare records, financial advisory work-paper requirements, legal-privilege documentation). Shorter retention is available on client request in the engagement letter. Destruction follows NIST 800-88 Clear\/Purge guidelines. Destruction certificate available on client request as part of engagement closure.\"}},\n      {\"@type\":\"Question\",\"name\":\"Does Othello use AI tools to process client data?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"No client data is processed through public AI tools, free translation engines, or unmanaged third-party services. The no-outsourcing rule extends to algorithmic services: client data does not enter ChatGPT, free translation engines, public LLM APIs, or any service where the data could be used for model training or could be accessed outside the firm's documented sub-processor list. Where AI-assisted tooling is used within bench work, it is through enterprise-grade contracts with documented data handling terms: no model training on client data, encryption in transit and at rest, full audit logging.\"}},\n      {\"@type\":\"Question\",\"name\":\"What sub-processors does Othello use?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The current sub-processor list is documented internally and supplied to procurement reviewers under NDA on request. Typical sub-processor categories: enterprise cloud infrastructure, enterprise productivity suite, enterprise email and secure messaging, security tooling, and engagement-specific tooling where required. All substantive-content sub-processors operate under Data Processing Agreements aligned with GDPR Article 28 and PDPA Section 40. The firm's standard DPA is non-negotiable on substantive terms (encryption, access controls, breach notification timeline, sub-processing disclosure, data return-or-destruction at end).\"}},\n      {\"@type\":\"Question\",\"name\":\"What audit trail does Othello maintain on client data?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Engagement-by-engagement documentation chain is maintained in the firm's engagement ledger. Documented events per engagement: intake (timestamp, channel, file inventory, NDA status), access (named-user accesses, timestamps), processing (working document revisions, methodology decisions), transmission (delivery events, channels, recipients), retention (extension events, statutory hold flags), and destruction (certified destruction event, certificate identifier). The engagement ledger is the substantive procurement-grade audit-trail discipline inherited from the firm's 2020 US Government contract origin.\"}},\n      {\"@type\":\"Question\",\"name\":\"Does Othello have ISO 27001 SOC 2 certification?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Othello does not currently hold ISO 27001 or SOC 2 Type II certification at firm level. The firm's data-security posture rests on the GDPR + PDPA credentials documented at firm level, the FAR-grade contractor verification origin from US Government contracts, and the operationally documented controls described on this page. For clients with mandatory ISO 27001 \/ SOC 2 vendor requirements, the substantive sub-processors (enterprise cloud infrastructure, enterprise productivity suite) typically hold these certifications. The firm can provide its internal Information Security Policy under NDA, supplied with the sub-processor list and engagement ledger sample. The firm is open about what it holds and what it does not hold.\"}},\n      {\"@type\":\"Question\",\"name\":\"What happens to data on bench-member departure?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Access is revoked within one business day of bench-member departure, formally cycled through the firm's access management system. No client data is stored on bench-member personal devices; all working is in the firm-managed cloud environment. Departing bench members are subject to ongoing confidentiality obligations under the firm's mutual NDA. For engagements with elevated sensitivity (capital markets MNPI, legal privilege, healthcare PHI), additional engagement-specific confidentiality terms apply. The bench has been stable since founding 2020; bench turnover is low.\"}},\n      {\"@type\":\"Question\",\"name\":\"How do we complete vendor-vetting documentation for Othello?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The vendor-vetting documentation set comprises four publicly accessible documents and three NDA-protected documents. Publicly accessible: this Data Security page, Compliance Center, GDPR + PDPA credential pages, NDA Standard, Privacy Policy, Terms of Service. Available under NDA on request: the firm's Information Security Policy, the current sub-processor list, and an engagement ledger sample. The firm typically completes a full vendor-vetting documentation supply within 3-5 business days of NDA execution. For accelerated vetting (where engagement scoping is time-sensitive), 1-2 business day completion is available on request.\"}}\n    ]}\n  ]\n}\n<\/script>\n\n\n","protected":false},"excerpt":{"rendered":"<p>DATA SECURITY POSTURE \u00b7 GDPR + PDPA BACKBONE \u00b7 NDA FROM FIRST EMAIL \u00b7 BANGKOK-MANAGED \u00b7 NO OUTSOURCING \u00b7 AUDIT-TRAIL DISCIPLINE Operational controls behind every engagement \u00b7 AES-256 at rest &amp; TLS 1.3 in transit \u00b7 72-hour breach window Othello \/ Data Security \u2605 DATA SECURITY \u00b7 OPERATIONAL CONTROLS \u00b7 NDA-FROM-FIRST-EMAIL \u00b7 GDPR + PDPA [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":11832,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_yoast_wpseo_title":"Data Security & Confidentiality Thailand | Othello","_yoast_wpseo_metadesc":"Data Security & Confidentiality in Thailand\u2014ISO 27001 controls, PDPA-aware handling, NDA-only access, encrypted uploads, role permissions.","_yoast_wpseo_focuskw":"Data Security & Confidentiality","_yoast_wpseo_canonical":"","rank_math_title":"Data Security & Confidentiality Thailand | Othello","rank_math_description":"Data Security & Confidentiality in Thailand\u2014ISO 27001 controls, PDPA-aware handling, NDA-only access, encrypted uploads, role permissions.","rank_math_focus_keyword":"Data Security & Confidentiality","rank_math_canonical_url":"","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_opengraph-title":"Data Security & Confidentiality Thailand | Othello","_yoast_wpseo_opengraph-description":"Data Security & Confidentiality in Thailand\u2014ISO 27001 controls, PDPA-aware handling, NDA-only access, encrypted uploads, role permissions, chain-of-custody for originals.","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","footnotes":"","rank_math_robots":["index"]},"class_list":["post-13556","page","type-page","status-publish","hentry"],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/13556","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/comments?post=13556"}],"version-history":[{"count":80,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/13556\/revisions"}],"predecessor-version":[{"id":31271,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/13556\/revisions\/31271"}],"up":[{"embeddable":true,"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/pages\/11832"}],"wp:attachment":[{"href":"https:\/\/www.othellointernational.com\/th\/wp-json\/wp\/v2\/media?parent=13556"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}