Security & Compliance

Built for businesses that take governance seriously.

Security architecture, Malaysia statutory workflow readiness, and buyer-facing Trust Center evidence - written plainly for IT and finance review.

  • LHDN readiness
  • SOC 2 planned, not certified
  • 99.9% target, contract-defined
  • Regional hosting

Architecture

Security at every layer.

Multi-tenant isolation, strong authentication, tenant-scoped audit trails, and deployment encryption controls — documented for security review.

Row-level tenant isolation

Tenant-scoped records are designed around tenant_id filters, with PostgreSQL row-level security evidence for defense in depth.
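The pattern named above, shown as an added PostgreSQL example (this is illustrative code, not the product's own schema or policies): a tenant_id column on every tenant-scoped table, a row-level security policy that compares it against a per-request session setting, and a non-owner application role so the policy cannot be bypassed. The table, role and setting names are assumptions.

```sql
-- Added example, not the product's schema: a tenant-scoped table.
CREATE TABLE invoices (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    customer   text NOT NULL,
    amount     numeric(12,2) NOT NULL
);
CREATE INDEX ON invoices (tenant_id);   -- every query is filtered by tenant

-- The API connects as a role that does NOT own the table. Owners, superusers
-- and roles with BYPASSRLS skip row-level security, so the application role
-- must be none of those.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE ON SEQUENCE invoices_id_seq TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;   -- also applies to the owner

-- The policy reads the tenant from a session setting ('app.current_tenant',
-- an assumed name). The second argument 'true' makes current_setting()
-- return NULL instead of raising when the setting is absent, and
-- NULL = tenant_id is never true: a request that forgot to set the tenant
-- sees no rows rather than all rows. WITH CHECK blocks writes that would
-- place a row under a different tenant.
CREATE POLICY tenant_isolation ON invoices
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.current_tenant', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.current_tenant', true)::uuid);

-- Per request: SET LOCAL is transaction-scoped, so the tenant value is
-- discarded at COMMIT/ROLLBACK and cannot leak through a pooled connection.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
SELECT id, customer, amount FROM invoices;   -- returns only this tenant's rows
-- An INSERT with tenant_id = '2222...' would fail here with
-- "new row violates row-level security policy", aborting the transaction.
COMMIT;
```

To verify the control during a security review, run `SELECT tablename, rowsecurity, forcerowsecurity FROM pg_tables` and `SELECT * FROM pg_policies` as evidence that RLS is enabled and forced on each tenant-scoped table, and confirm the application's database role has neither ownership of those tables nor the BYPASSRLS attribute.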

Authentication & SSO

JWT access tokens with 15-minute expiry and refresh token rotation. TOTP-based two-factor authentication (RFC 6238) with backup codes. Enterprise SSO should be confirmed per deployment.

Full audit trail

Security-sensitive and business-critical actions are logged wherever audit instrumentation is in place, with user identity, timestamp, and affected-record context available for review.

Encryption & access control

Encrypted deployment controls and TLS settings are confirmed per environment. Role-based access control is enforced across core modules with granular permission sets.

Compliance Matrix

Malaysian statutory workflow readiness.

Buyer-facing pages separate implemented workflows from validations that still require customer credentials, authority setup, or legal review.

Statutory Compliance

  • LHDN readiness: MyInvois UBL 2.1 workflow; validation required
  • EPF Borang A: Monthly & annual filing
  • SOCSO Form 8A: Employer & employee contributions
  • EIS Form 3: Employment Insurance System
  • CP39 PCB: Monthly tax deduction
  • SST-02: 6% service / 8% sales tax

Security Controls

  • Row-level tenant isolation: Tenant-scoped records plus RLS evidence
  • 2FA with TOTP: Time-based one-time passwords + backup codes
  • SSO (SAML2 / OIDC): Confirm per deployment
  • Full audit logging: Sensitive actions recorded with review context
  • RBAC permissions: Role-based access control across all modules
  • Data encryption: Confirmed per deployment environment

Data Sovereignty

Data residency is confirmed per deployment.

Application and database infrastructure is designed for Southeast Asia hosting, with final region and sub-processors confirmed during implementation. Tenant isolation is backed by database-level RLS evidence.

  • ap-southeast-1 hosting
  • Daily backups (30-day retention)
  • PDPA-aware practices

Reliability

Reliability evidence you can review.

  • 99.9% uptime target

    Enterprise service-level terms should be confirmed in the customer agreement and deployment plan.

  • Incident response

    Real-time health monitoring with automated alerting. Critical incident response within 4 hours during business hours.

  • ap-southeast-1 hosting

    Application and database infrastructure hosted in ap-southeast-1. Automated daily backups with 30-day retention.

Certification Roadmap

Where we're headed.

We are building toward industry-standard certifications. This roadmap reflects current plans, not completed certifications.

  • SOC 2 Type II

    On roadmap

    Formal evaluation planned as part of our enterprise compliance program.

  • ISO 27001

    Planned

    Information security management certification targeted for future implementation.

  • Penetration testing

    Planned annually

    Third-party penetration testing to be conducted on an annual cycle.

Need more detail?

We're happy to walk through our security architecture, Trust Center evidence, and infrastructure with your IT or procurement team.