PDPA 2010 · AES-256 · TLS 1.3 · Audit logs 7 years

Security built for Malaysian healthcare.

PDPA 2010 compliance, AES-256 encryption, 4-tier tenancy isolation, and ISO 27001 pathway. Patient NRIC data is hashed — never stored in plain text.

Encryption
Data at rest

AES-256 — all patient records, queue data, NRIC hashes encrypted in Supabase Postgres (ap-southeast-1)

Data in transit

TLS 1.3 enforced on all connections — kiosk to API, browser to server, DB replication

Key management

Envelope encryption with KMS keys stored in Supabase ap-southeast-5 (separate from data region)

NRIC handling

Raw IC number is NEVER stored — only a SHA-256 hash used for deduplication. Irreversible.

Authentication & Authorisation
Token type

JWT (HS256), stored in httpOnly cookie — never localStorage

Cookie attributes

sameSite=lax, secure, httpOnly — CSRF-safe by design

Role hierarchy

GROUP_ADMIN → HOSPITAL_ADMIN → DEPT_HEAD → DOCTOR → RECEPTIONIST

Deny-all baseline

Supabase RLS deny-all on anon and authenticated roles — access granted by explicit policy only

Data Residency
Primary database

Supabase Singapore (ap-southeast-1) — low latency for Malaysian users, ASEAN-resident data

KMS region

Supabase KL (ap-southeast-5) — encryption keys never co-located with data

Edge compute

Vercel sin1 (Singapore) edge — static assets and middleware at ASEAN PoP

Database access

No public Supabase DB access — Supabase PrivateLink enforced, credentials never in client bundles

Network & Infrastructure
Edge layer

Vercel sin1 — DDoS protection, WAF, automatic HTTPS, no direct origin exposure

DB connectivity

Supabase PrivateLink — all DB connections over private network, no public internet traversal

API authentication

Kiosk API: x-kiosk-api-key header required for all /api/kiosk/* endpoints

Secret management

Pre-commit secret blocker (gitleaks) on all pushes — credential leak prevention at source

4-Tier Tenancy Isolation

Every data row is scoped to its tier. A department receptionist cannot read data from another hospital. A hospital admin cannot read data from another group. Enforced at the Postgres RLS layer — not just application code.

1
Country
Malaysia country node — top-level jurisdiction, regulatory settings, DPO contact
2
Healthcare Group
KPJ, IHH, Sunway, Columbia Asia — group-level branding, billing, admin console
3
Hospital
Individual hospital facility — department config, KCIS integration, local SLA
4
Department
OPD, Pharmacy, Specialist — queue routing rules, staff access, counter config
Compliance Status
Compliant
PDPA 2010 (Malaysia)
Data User registration filed. Consent management, data subject rights, breach notification < 72h to PDPC Malaysia.
Compliant
PHFSA 1998
Private Healthcare Facilities and Services Act — clinical data handling follows KKM requirements for MOH-licensed facilities.
In Progress
ISO 27001:2022
Gap assessment completed May 2026. Target certification Q4 2026 on enterprise tier. 114-control mapping documented.
Roadmap
SOC 2 Type II
Planned for H1 2027. Security, Availability, Confidentiality, Processing Integrity, Privacy principles.
Active
OWASP ZAP
Automated OWASP ZAP security scanning on every CI push. Critical/high findings block deployment.
Compliant
MOH Digital Health
Follows KKM Digital Health Framework guidelines for healthcare IT systems.
Audit Logs — 7-Year Retention

All data access events are logged immutably: who accessed what, from which IP, at what time. Logs are retained for 7 years per PDPA 2010 requirements — suitable for regulatory audit, clinical incident investigation, and forensic review. Logs are write-once and cannot be modified by application-level users.

Need our security documentation?

We provide full security architecture docs, pen test summaries, ISO 27001 SoA, and DPA templates for enterprise procurement.

Request security pack