PDPA 2010 · PHFSA 1998 · KCIS · MyHealth

Healthcare compliance Malaysia.

MOVO-X Malaysia is built to meet every regulatory requirement for Malaysian healthcare IT — PDPA 2010, PHFSA 1998, MOH digital health guidelines, KCIS integration, and ISO 27001 pathway.

Malaysian Regulatory Compliance

PDPA 2010 (Personal Data Protection Act)

PDPC Malaysia (pdp.gov.my)
Compliant

Data User registration filed. Consent management on kiosk touchscreen (first visit). Data subject rights: access, correction, withdrawal. Breach notification < 72 hours to PDPC Malaysia. Patient NRIC stored as SHA-256 hash only — raw IC never persisted.

PHFSA 1998 (Private Healthcare Facilities and Services Act)

MOH Malaysia
Compliant

Clinical data handling follows KKM requirements for MOH-licensed private hospitals and specialist centres. MOVO-X stores only queue/appointment metadata — no clinical records. Architecture reviewed against PHFSA 1998 Schedule 4 IT system requirements.

MOH / KKM Digital Health Framework

Kementerian Kesihatan Malaysia
Compliant

Platform architecture follows KKM's Digital Health Framework guidelines for healthcare IT systems. KCIS integration pathway documented and implemented per KKM API specifications.

ISO 27001:2022

BSI / SIRIM QAS
In Progress

Gap assessment completed May 2026. Target Q4 2026 certification on enterprise tier. All 114 controls mapped in Statement of Applicability. External certification body engaged.

SOC 2 Type II

AICPA-accredited auditor
Roadmap

Planned H1 2027. Security, Availability, Confidentiality, Processing Integrity, Privacy trust service criteria.

Technical Security Controls
Encryption at restAES-256 — all patient records, queue data, NRIC hashes in Supabase Postgres (ap-southeast-1)
Encryption in transitTLS 1.3 enforced on all connections — kiosk, browser, DB replication
Key managementKMS keys in Supabase ap-southeast-5 (KL region) — envelope encryption, keys never co-located with data
AuthenticationJWT (HS256), httpOnly cookie, sameSite=lax — CSRF-safe. RLS deny-all on anon/authenticated roles
NRIC handlingSHA-256 hash only — raw IC number never stored at any layer
Audit logs7-year immutable retention per PDPA 2010 requirement. Write-once, admin cannot modify
Network isolationSupabase PrivateLink — no public DB access. Vercel sin1 edge WAF
Secret managementPre-commit secret blocker (gitleaks) — credential leak prevention at commit layer
Malaysian System Integration Status
PARTNER_API_PENDING
KCIS — Klinik 1Malaysia Clinical Information System (Sistem Maklumat Klinikal)
KKM's primary care clinical information system. Patient history pre-load for returning patients at MOH-registered facilities. Integration pathway documented and implemented. Pending MOH partner API approval.
PARTNER_API_PENDING
MyHealth Portal
Ministry of Health patient records portal. Returning patient medical records for qualified facilities. API integration built, pending MOH partner approval.
Live
MyKad / MyDigital ID
ISO 14443A/B NFC reader integrated. NRIC validation via local hash table. No external government API call at kiosk — privacy-preserving.
Live
FPX (Financial Process Exchange)
Maybank2u, CIMB Clicks, RHB Now, Hong Leong Connect, AmBank. Post-consultation billing queue.
Live
DuitNow QR
PayNet DuitNow QR for corporate and patient payments.
Compliance FAQ
Is MOVO-X registered under PDPA 2010?

Yes. MOVO-X Sdn Bhd is registered as a Data User with the Department of Personal Data Protection (JPDP) Malaysia per PDPA 2010 requirements.

Does MOVO-X handle patient PHI (Protected Health Information)?

MOVO-X stores queue and appointment metadata (arrival time, department, wait time) — not clinical records. Patient NRIC is stored only as a SHA-256 hash. MOVO-X does not handle clinical diagnoses, lab results, medications, or treatment records.

What happens in the event of a data breach?

PDPC Malaysia is notified within 72 hours of confirmation. Affected patients are notified within 7 days. Enterprise customers receive a full incident report within 14 days. Audit logs are preserved for investigation.

How does MOVO-X handle MyKad data?

The MyKad NFC reader extracts the NRIC number. It is immediately hashed (SHA-256) and the raw IC number is never stored. The hash is used only for returning patient identification.

Is patient data stored in Malaysia?

Patient data is stored in Supabase Singapore (ap-southeast-1) — ASEAN-resident. Encryption keys are in Supabase KL (ap-southeast-5, Malaysia region). Data does not leave ASEAN except for AI triage (Anthropic, zero data retention mode — data not persisted after processing).

Can MOVO-X provide documentation for MOH/hospital procurement audits?

Yes. We provide: PDPA 2010 Data Processing Agreement, ISO 27001 gap assessment, security architecture document, subprocessor list, and breach notification runbook. Typically provided within 5 business days of NDA execution.

Need compliance documentation for your audit?

We provide DPA templates, ISO 27001 SoA, security architecture doc, subprocessor list, and breach notification runbook. Typically within 5 business days of NDA execution.