Public data × private deployment
The law is public — we maintain it. Contracts and enterprise data are private — they stay on your servers. A secure connector bridges the two so you get the scale of Thai law and 2M+ enterprises without a single contract leaving your control.
Three layers — each owned, each trusted
SDS public law base
Law is a public resource. We index, version and update centrally.
All customers share the same source of truth.
- 216 Thai statutes (full text), clause granularity
- Case-law base + all 491 BOI activities
- ZH / EN / TH trilingual RAG index
- General LLM gateway + prompt templates
- Baseline data on 2M+ Thai enterprises
TLS 1.3 secure channel
Not data shuttling — controlled RPC.
Each call carries only the minimum slice needed; destroyed afterward.
- mTLS mutual certificate authentication
- Per-call JWT + time-bound signature
- Full audit logs (export to CSV / SIEM)
- Rate limits + anomaly alerts
- One-click credential revocation
Your private data server
Sensitive data never leaves your data center.
We provide Docker images, a local LLM gateway and a minimum-viable runbook.
- Contract docx / PDF / scans
- Enterprise KB / client files
- Employee KYC / UBO records
- Review outputs (redlined docx / reports)
- Local LLM gateway (qwen / claude / your choice)
Note: under Mode A (fully public), L2 reduces to object storage with contract text encrypted in a Thailand-resident bucket. Under Mode C (fully private), L0 is also deployed to the customer DC; the connector is used only to ship law-pack updates.
How data flows in a single contract-review request
Example: Mode B (hybrid, default recommendation). Each step labels where the data sits — contract text is never uploaded to L0.
- Step 01
User asks
In the app, select a contract docx + prompt 'review from buyer's stance, focus on payment milestones'.
Where is the data: L2 · Customer browser / private server
- Step 02
Extract clauses
On the private side, the contract is split into clauses + NER locally; only structured IDs and types are emitted.
Where is the data: L2 · Customer private server
- Step 03
Query law
Via the L1 connector, reverse-lookup public statutes + cases by clause type; returns statute IDs + summaries.
Where is the data: L1 → L0 · only query keys transmitted
- Step 04
LLM inference
On the private side, the LLM gateway assembles the full prompt (clause text + statute summary) and generates redlines.
Where is the data: L2 · Customer-chosen LLM
- Step 05
Output lands
Redlined docx + risk-report PDF write back to customer private storage; audit metadata (no body) returns to L0.
Where is the data: L2 · Customer private storage
- Contract text entering the L0 public index
- Customer data used to train generic models
- Cross-border out of Thai jurisdiction
- Statute IDs + clause numbers pass to L2
- Prompt templates + stance config pass to L2
- Audit metadata (no body) returns to L0
- One-click connector revocation
- Full audit-log export
- Choose LLM gateway (local / third-party)
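The boundary described in steps 02 and 03 (only clause IDs and types leave the private side), enforced as a fail-closed egress check on L2. This is an added example, not the vendor's connector code; the payload shape, the clause-type list and the `c-<n>` ID format are assumptions made for illustration.

```python
import re

# Assumed wire schema for an L2 -> L0 law query (hypothetical, not the vendor's).
CLAUSE_TYPES = {"payment_milestone", "termination", "liability_cap", "governing_law"}
CLAUSE_ID = re.compile(r"c-[0-9]{1,6}")  # opaque IDs only, no free text


class EgressViolation(Exception):
    """A payload bound for L0 carries something outside the allowlist."""


def build_law_query(clauses):
    """Project locally extracted clauses down to the minimum slice: ID + type."""
    return {"clauses": [{"id": c["id"], "type": c["type"]} for c in clauses]}


def check_egress(payload):
    """Fail closed: exact key sets, enum-typed values, nothing else."""
    if not isinstance(payload, dict) or set(payload) != {"clauses"}:
        raise EgressViolation("unexpected top-level fields")
    if not isinstance(payload["clauses"], list):
        raise EgressViolation("clauses must be a list")
    for item in payload["clauses"]:
        if not isinstance(item, dict) or set(item) != {"id", "type"}:
            raise EgressViolation("clause entry has extra or missing fields")
        cid, ctype = item["id"], item["type"]
        if not isinstance(cid, str) or not CLAUSE_ID.fullmatch(cid):
            raise EgressViolation("clause id is not an opaque identifier")
        if not isinstance(ctype, str) or ctype not in CLAUSE_TYPES:
            raise EgressViolation("clause type is not in the allowlist")
    return payload


def is_allowed(payload):
    """Boolean wrapper for callers that log and drop instead of raising."""
    try:
        check_egress(payload)
        return True
    except EgressViolation:
        return False


# Constructed sample: what local clause splitting + NER might hold on L2.
SAMPLE_CLAUSES = [
    {"id": "c-12", "type": "payment_milestone", "text": "Buyer pays 30% on delivery."},
    {"id": "c-13", "type": "termination", "text": "Either party may terminate ..."},
]

if __name__ == "__main__":
    print(check_egress(build_law_query(SAMPLE_CLAUSES)))
    print(is_allowed({"clauses": SAMPLE_CLAUSES}))  # body text still attached
```

Matching exact key sets and enum values, rather than scanning for forbidden fields, is what keeps clause text from riding out inside an otherwise valid-looking field.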
Three deployment modes for different compliance needs
| Dimension | Mode A: Fully public | Mode B: Hybrid (recommended) | Mode C: Fully private |
|---|---|---|---|
| Target customer | Individuals / SMEs / trial | Thai enterprises / law firms / cross-border legal | Government / national security / strict-PDPA customers |
| Contract text residency | Encrypted object storage in TH | Customer private server | Customer DC, network-isolated |
| LLM gateway | Our gateway (qwen / claude) | Customer's choice (ours / own) | Customer LLM or open-source local model |
| Audit logs | Customer can view last 90 days | Exportable to CSV / SIEM | Full local; copies can be exported |
| Pricing model | Pay per token | Tokens + private-connector annual | Project + annual license |
| Deployment timeline | Instant sign-up | 2–4 weeks integration | 6–12 weeks delivery |
Compliance & evidence — what we have, what comes next
PDPA compliance (Thailand Personal Data Protection Act)
Data-subject rights, cross-border restrictions, 72h breach notification, DPO appointment — covered end to end. Privacy Policy + DPA template available.
In-country data residency
All L0 indices, L2 customer copies and backups reside in Thailand (AWS ap-southeast-7 Bangkok). No cross-border replication.
Audit logs exportable
Full call logs partitioned per customer; export as CSV / JSON or stream via syslog to customer SIEM.
mTLS + credential revocation
L1 connector uses mTLS mutual certs. Customers can revoke certs from the admin console in one click — disconnects immediately.
ISO 27001 information-security management
Risk assessment, controls aligned to ISO 27001:2022 Annex A; certification expected Q4 2026.
SOC 2 Type II
Extra assurance for cross-border investors and overseas law firms. Type I first, then Type II (12-month observation).
Annual penetration testing
Engaged a third party covering L1 connector, admin console and app. First report delivered with no Critical / High findings.
Local LLM gateway support
Mode C customers can opt out of external LLMs and use only customer-owned open-source models (qwen / llama / fine-tuned).