Select country
Review how this page describes privacy-law coverage for your school jurisdiction.
Last reviewed: March 2026
River SIS processes personal data for school management operations including student administration, staff records, and school activities. For Thailand coverage, this page is intended to summarise how our operational controls map to the Thai Personal Data Protection Act B.E. 2562 (PDPA), including transparency, lawful processing, security safeguards, retention controls, and support for data-subject rights such as access, correction, deletion, portability, objection, and restriction where applicable.
| Classification | Description | Examples |
|---|---|---|
| PII | Personally identifiable information | Database records, user profile images |
| Confidential | Sensitive operational data | App configuration, environment secrets |
| Audit | Access and activity records | Database audit logs, admin activity |
| Internal | Non-personal operational data | Application logs, container images |
| Data Category | Storage | Retention | Deletion |
|---|---|---|---|
| Customer images (current) | S3 | Indefinite | Manual on request |
| Customer images (superseded) | S3 | 30 days | Automatic (S3 Lifecycle) |
| Database backups | DocumentDB | 30 days | Automatic |
| Application logs | CloudWatch | 7 days | Automatic |
| Database audit logs | CloudWatch | 90 days | Automatic |
Thailand's PDPA gives data subjects a right to request access to personal data and related processing information. We support verified access requests through customer administrators, records review, and available audit history.
Thailand's PDPA includes rights to request deletion, anonymisation, or destruction in certain circumstances and to withdraw consent where consent is the lawful basis. We assess these requests against customer instructions, legal obligations, and security-retention needs.
Data subjects may request correction of inaccurate or incomplete personal data. Administrative workflows, role-based controls, and traceable updates help us support verified correction requests.
Thailand's PDPA includes a data portability right in applicable circumstances. Where technically feasible and legally appropriate, we support structured exports or customer-mediated delivery of relevant data.
Thailand's PDPA also recognises objection and restriction-related rights in certain contexts. We review such requests in light of the processing purpose, legal basis, customer role, and any overriding legal or operational obligations.
Review data classification, retention settings, access permissions, and operational changes that may affect privacy risk.
Conduct least-privilege access reviews, verify key security controls, and document material changes to processing activities or vendor arrangements.
Perform a fuller review of data inventories, test data-rights handling and deletion workflows, review incident-response readiness, and update this document.
To exercise any of your data rights or for privacy-related enquiries, please contact SchoolHero.io OÜ at info@riversis.com or by post at Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe, 74626, Estonia.
