Managed Services Support Policy

Master Policy

1. Purpose

This policy defines the general terms, scope, service boundaries, and responsibilities applicable to all Managed Endpoint Service tiers provided by human it co.,ltd and human digital solutions co.,ltd.

Tier-specific inclusions, service levels, and limitations are defined in the appendices to this document.

2. Service Overview

Managed Endpoint Services are provided on a per-endpoint, per-month basis and are designed to deliver predictable costs, improved security, and operational stability.

Services are grouped into the following tiers:

  • Bronze – Essential Endpoint Protection
  • Gold – Business-Grade Security
  • Platinum – Supply-Chain & Critical Operations Continuity

3. General Inclusions (All Tiers)

Unless otherwise stated in a tier appendix, all services include:

  • Managed endpoint security tooling
  • Centralised monitoring and reporting
  • Patch management for supported operating systems
  • Access to the service desk via approved channels
  • Documented service levels per tier
  • Change tracking for managed systems

4. General Exclusions (All Tiers)

Unless explicitly included in a tier appendix, the following are excluded:

  • Software development or application customisation
  • Major infrastructure redesign or migrations
  • OT / ICS system modification
  • Non-endpoint hardware replacement
  • Unsupported operating systems or devices

5. Service Levels & Prioritisation

Incidents and requests are prioritised based on business impact, not technical severity.

Response times and coverage vary by tier and are defined in the relevant appendix.

6. Change Management

  • All non-emergency changes follow a documented change process
  • Emergency changes may be applied to mitigate security or continuity risks
  • Significant changes are reported post-implementation

7. Client Responsibilities

Clients are responsible for:

  • Maintaining supported hardware and operating systems
  • Providing required access for service delivery
  • Notifying the Provider of staffing, operational, or supplier changes
  • Assigning a primary point of contact

8. Fair Use Policy

Services are provided within reasonable operational limits consistent with the subscribed tier.

Excessive usage, non-standard requests, or operational risk beyond tier design may require:

  • a tier upgrade, or
  • a separate agreement for additional services

9. Review & Updates

This policy and its appendices are reviewed periodically and may be updated to reflect:

  • service improvements
  • regulatory changes
  • evolving security threats

10. LIMITATION OF LIABILITY

10.1 No Guarantee of Absolute Security

The Client acknowledges that no security solution or managed service can guarantee the prevention of all security incidents, data loss, or service interruptions.

The Provider does not warrant that the Services will be uninterrupted, error-free, or immune from cyber threats.

10.2 Limitation of Liability

To the maximum extent permitted by applicable law:

a) The Provider’s total aggregate liability arising out of or in connection with the Services, this Policy, or the Agreement (whether in contract, tort, negligence, or otherwise) shall be limited to the fees paid or payable by the Client to the Provider for the affected Services during the twelve (12) months preceding the event giving rise to the claim.

b) The Provider shall not be liable for:

  • indirect, incidental, special, or consequential damages;
  • loss of profits, revenue, business, contracts, or goodwill;
  • loss of data not caused by Provider’s wilful misconduct;
  • third-party claims arising from Client’s systems, suppliers, or customers.

10.3 Excluded Liability

Nothing in this Policy limits or excludes liability that cannot be excluded by law, including liability for:

  • fraud or wilful misconduct;
  • death or personal injury caused by negligence (where applicable law applies).

10.4 Third-Party Systems & Dependencies

The Provider shall not be liable for failures or incidents caused by:

  • third-party software, hardware, or cloud providers;
  • telecommunications or internet service outages;
  • Client-managed systems or configurations outside the scope of Services;
  • supplier, contractor, or customer systems interconnected with Client environments.

11. SERVICE LEVEL AGREEMENT (SLA) CREDITS

11.1 SLA Measurement

Service levels are measured based on:

  • response time to acknowledge and commence investigation; and
  • availability of Provider support services where applicable.

Resolution times are not guaranteed unless expressly stated.

11.2 SLA Credits as Sole Remedy

SLA credits, if applicable, constitute the Client’s sole and exclusive remedy for Provider’s failure to meet the stated service levels.

SLA credits do not apply where failure results from:

  • Client breach of responsibilities;
  • force majeure events;
  • third-party service failures;
  • emergency security actions reasonably taken by Provider.

11.3 SLA Credit Structure

Tier     | SLA Breach                             | Credit
Bronze   | Missed response time                   | No credits (best-effort)
Gold     | Repeated SLA breach in a billing month | Up to 5% of affected monthly fees
Platinum | Critical SLA breach                    | Up to 10% of affected monthly fees

SLA credits shall not exceed one (1) month of fees for the affected endpoints.

11.4 Claim Process

To receive SLA credits, the Client must:
a) Submit a written request within 30 days of the alleged breach;
b) Include sufficient detail to allow verification;
c) Allow Provider reasonable time to investigate.

Credits, if approved, are applied to future invoices and are not refundable.

12. ISO/IEC 27001:2022 ALIGNMENT

12.1 Information Security Management Framework

The Provider maintains an information security management framework aligned with ISO/IEC 27001:2022, incorporating risk-based controls, continuous improvement, and management oversight.

12.2 Control Alignment

The Services are designed to support Client compliance objectives through controls aligned to ISO/IEC 27001:2022, including but not limited to:

  • Risk management (Clause 6)
  • Operational security controls (Annex A)
  • Access control and identity management
  • Incident management and response
  • Backup, recovery, and continuity planning
  • Monitoring, logging, and audit evidence

12.3 Shared Responsibility Model

The Client acknowledges that ISO/IEC 27001:2022 compliance operates under a shared responsibility model, whereby:

  • The Provider is responsible for controls within the scope of the Services; and
  • The Client remains responsible for organisational, legal, HR, physical, and business process controls not expressly included.

12.4 Audit & Evidence Support

Where included in the subscribed tier (Gold limited / Platinum full), the Provider shall provide reasonable assistance with:

  • audit evidence related to managed services;
  • security reporting aligned to ISO control objectives;
  • customer or supplier due-diligence requests.

The Provider does not guarantee Client certification or audit outcomes.

12.5 Continuous Improvement

The Provider commits to continual improvement of security controls in accordance with ISO/IEC 27001:2022 principles, including:

  • periodic risk assessments;
  • control effectiveness review;
  • incident-driven improvements.

13. DATA PROTECTION & PRIVACY (THAILAND – PDPA)

13.1 Compliance with Applicable Data Protection Laws

Each party shall comply with all applicable data protection and privacy laws, including the Personal Data Protection Act B.E. 2562 (2019) of Thailand (“PDPA”), as amended from time to time.

Nothing in this Policy is intended to prevent either party from complying with its legal obligations under applicable data protection laws.

13.2 Roles of the Parties

For the purposes of the PDPA:

a) The Client is the Data Controller in respect of Personal Data processed within the Client environment; and
b) The Provider acts as a Data Processor when processing Personal Data on behalf of the Client in the course of providing the Services.

The Provider does not determine the purposes or means of processing Personal Data beyond what is necessary to deliver the Services.

13.3 Scope of Personal Data Processing

The Provider may process Personal Data solely to the extent necessary to:

  • deliver the Services;
  • perform monitoring, support, security, and recovery activities;
  • comply with legal or regulatory obligations.

Personal Data processed may include, but is not limited to:

  • user identifiers (e.g. usernames, email addresses);
  • device identifiers;
  • system logs and security telemetry.

The Provider shall not use Personal Data for its own marketing or unrelated purposes.

13.4 Security Measures

The Provider shall implement appropriate technical and organisational security measures designed to protect Personal Data against:

  • unauthorised access;
  • loss;
  • misuse;
  • alteration; or
  • disclosure,

taking into account the nature of the Services, the risks involved, and ISO/IEC 27001:2022-aligned controls.

13.5 Confidentiality

The Provider shall ensure that personnel authorised to process Personal Data:

  • are bound by confidentiality obligations; and
  • process Personal Data only in accordance with this Policy and the Agreement.

14. PERSONAL DATA BREACH MANAGEMENT & NOTIFICATION

14.1 Personal Data Breach Definition

A “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed under the Services.

14.2 Breach Response

Upon becoming aware of a suspected or confirmed Personal Data Breach affecting Personal Data processed by the Provider on behalf of the Client, the Provider shall:

a) take reasonable steps to contain, mitigate, and investigate the breach;
b) preserve relevant evidence; and
c) assess the potential impact to Personal Data.

14.3 Breach Notification (PDPA-Aligned)

Where the Provider reasonably determines that a Personal Data Breach may result in a risk to the rights and freedoms of individuals, the Provider shall notify the Client without undue delay after becoming aware of the breach.

Such notification shall include, to the extent reasonably available:

  • a description of the nature of the breach;
  • categories of Personal Data affected;
  • likely consequences;
  • mitigation steps taken or proposed.

The Provider shall support the Client in meeting its obligations to notify the Personal Data Protection Committee (PDPC) and affected data subjects, where required under the PDPA.

14.4 Client Notification Responsibilities

The Client remains responsible for:

  • determining whether notification to the PDPC or data subjects is legally required; and
  • making any required regulatory or data subject notifications,

unless otherwise agreed in writing.

14.5 Exclusions

The Provider shall not be responsible for Personal Data Breaches caused by:

  • Client systems or configurations outside the scope of Services;
  • Client personnel, contractors, or suppliers;
  • third-party services not managed by the Provider;
  • failure by the Client to follow Provider security recommendations.

15. DATA LOCATION & CROSS-BORDER TRANSFERS

15.1 Data Location

Personal Data may be processed and stored in Thailand or other jurisdictions where required to deliver the Services, including cloud or security service providers.

15.2 Cross-Border Transfers

Where Personal Data is transferred outside Thailand, the Provider shall take reasonable steps to ensure such transfers are conducted in compliance with the PDPA, including the use of:

  • appropriate contractual safeguards; or
  • recognised data protection standards.

16. DATA RETENTION & DELETION

16.1 Retention

Personal Data shall be retained only for as long as necessary to:

  • provide the Services;
  • comply with legal, regulatory, or audit requirements; or
  • support security and incident investigation.

16.2 Deletion

Upon termination of the Services, the Provider shall, within a reasonable period and subject to legal obligations:

  • securely delete or anonymise Personal Data processed on behalf of the Client; or
  • return Personal Data where technically feasible and agreed.

17. PDPA & ISO SHARED RESPONSIBILITY STATEMENT

The Client acknowledges that compliance with PDPA and ISO/IEC 27001:2022 is based on a shared responsibility model, whereby:

  • The Provider is responsible for controls within the scope of the Services; and
  • The Client remains responsible for organisational, HR, legal, physical security, and business process controls.

18. GOVERNING LAW & JURISDICTION (THAILAND)

18.1 Governing Law

This Policy, the Agreement, and any non-contractual obligations arising out of or in connection with them shall be governed by and construed in accordance with the laws of the Kingdom of Thailand, without regard to its conflict of laws principles.

18.2 Jurisdiction

Subject to Clause 18.3 (Alternative Dispute Resolution), the parties irrevocably agree that the courts of the Kingdom of Thailand shall have exclusive jurisdiction to settle any dispute, claim, or controversy arising out of or in connection with this Policy or the Agreement.

18.3 Good Faith Resolution

Before commencing any formal legal proceedings, the parties shall use good faith efforts to resolve any dispute through:
a) escalation to senior management; and
b) reasonable negotiation within thirty (30) days of written notice of the dispute.

18.4 Optional Mediation (Recommended for Commercial Agreements)

Where a dispute is not resolved through good faith negotiations, either party may propose mediation in Thailand through a mutually agreed mediator.

Participation in mediation shall not prevent either party from seeking urgent injunctive or equitable relief where required.

18.5 Language

This Policy and the Agreement may be executed in English.
In the event of any inconsistency between an English version and any Thai translation, the English version shall prevail, unless otherwise required by applicable Thai law.

18.6 Enforcement

Any judgment or order of a court of competent jurisdiction in Thailand may be enforced against the parties in accordance with applicable law.

Appendix A — Bronze Tier

Essential Endpoint Protection

A1. Intended Use

Bronze is designed for organisations requiring basic security and professional IT support during standard business operations.

A2. Included Services

  • Baseline endpoint protection (EDR)
  • Operating system and standard application patching
  • Endpoint health monitoring (business hours)
  • Remote support during business hours
  • Standard reporting
  • Microsoft K365 user standard features

A3. Service Levels (SLA)

Priority | Definition                  | Response Time
Medium   | Non-critical endpoint issue | Next business day
Low      | General requests            | Scheduled

Bronze does not include guaranteed response times for critical incidents.

A4. Exclusions (Bronze)

  • 24×7 monitoring
  • Incident response & forensics
  • Backup & disaster recovery
  • Compliance or audit support
  • On-site support

A5. Upgrade Guidance

Clients experiencing frequent downtime, security alerts, or compliance needs should consider Gold or Platinum.

Appendix B — Gold Tier

Business-Grade Security & Operational Support

B1. Intended Use

Gold is designed for organisations that rely on IT systems daily and require proactive monitoring, faster response, and stronger resilience.

B2. Included Services

  • Advanced endpoint protection (EDR)
  • 24×7 monitoring (SOC-lite)
  • Patch management with priority security updates
  • Integrated endpoint backup with recovery testing
  • User onboarding and offboarding
  • Policy enforcement
  • Enhanced reporting and dashboards
  • Remote support (business hours)
  • Optional extended hours support (by agreement)

B3. Service Levels (SLA)

Priority | Definition                  | Response Time
Medium   | Non-critical endpoint issue | Next business day
Low      | General requests            | Scheduled

B4. Exclusions (Gold)

Unless separately agreed:

  • Full incident response & forensics
  • Disaster recovery planning
  • Compliance audit management
  • On-site emergency support
  • OT / ICS systems

B5. Upgrade Guidance

Gold is not intended for environments where IT disruption halts production or supply chains.
Such clients should consider Platinum.

Appendix C — Platinum Tier

Supply-Chain & Critical Operations Continuity

C1. Intended Use

Platinum is designed for organisations where IT disruption impacts production, logistics, or customer commitments, including factories and export-driven operations.

C2. Included Services

  • Full 24×7 SOC monitoring & threat hunting
  • Incident response and digital forensics
  • Enterprise backup, disaster recovery, and defined RTO/RPO
  • Compliance and audit-ready reporting
  • User lifecycle management including contractors and suppliers
  • Factory-specific security policies
  • Custom incident response playbooks
  • Executive and management reporting
  • 24×7 helpdesk support
  • Priority on-site and emergency support
  • Custom / bespoke services aligned to operational needs

C3. Service Levels (SLA)

Priority | Definition                         | Response Time
Critical | Production or supply-chain impact  | < 1 hour
High     | Major security or operational risk | 4 hours
Medium   | Non-critical issue                 | Next business day
Low      | Planned changes                    | Scheduled

C4. Bespoke Services Definition

Bespoke services include operational, security, and compliance services tailored to the client’s environment and are included within reasonable service boundaries.

C5. Fair Use (Platinum)

Platinum includes enhanced flexibility; however, sustained activities outside agreed scope may require review or amendment of service terms.

Last reviewed 16/01/2026
