PDPA 2010 compliance, AES-256 encryption, 4-tier tenancy isolation, and ISO 27001 pathway. Patient NRIC data is hashed — never stored in plain text.
AES-256 — all patient records, queue data, NRIC hashes encrypted in Supabase Postgres (ap-southeast-1)
TLS 1.3 enforced on all connections — kiosk to API, browser to server, DB replication
Envelope encryption with KMS keys stored in Supabase ap-southeast-5 (separate from data region)
Raw IC number is NEVER stored — only a SHA-256 hash used for deduplication. Irreversible.
JWT (HS256), stored in httpOnly cookie — never localStorage
sameSite=lax, secure, httpOnly — CSRF-safe by design
GROUP_ADMIN → HOSPITAL_ADMIN → DEPT_HEAD → DOCTOR → RECEPTIONIST
Supabase RLS deny-all on anon and authenticated roles — access granted by explicit policy only
Supabase Singapore (ap-southeast-1) — low latency for Malaysian users, ASEAN-resident data
Supabase KL (ap-southeast-5) — encryption keys never co-located with data
Vercel sin1 (Singapore) edge — static assets and middleware at ASEAN PoP
No public Supabase DB access — Supabase PrivateLink enforced, credentials never in client bundles
Vercel sin1 — DDoS protection, WAF, automatic HTTPS, no direct origin exposure
Supabase PrivateLink — all DB connections over private network, no public internet traversal
Kiosk API: x-kiosk-api-key header required for all /api/kiosk/* endpoints
Pre-commit secret blocker (gitleaks) on all pushes — credential leak prevention at source
Every data row is scoped to its tier. A department receptionist cannot read data from another hospital. A hospital admin cannot read data from another group. Enforced at the Postgres RLS layer — not just application code.
All data access events are logged immutably: who accessed what, from which IP, at what time. Logs are retained for 7 years per PDPA 2010 requirements — suitable for regulatory audit, clinical incident investigation, and forensic review. Logs are write-once and cannot be modified by application-level users.
We provide full security architecture docs, pen test summaries, ISO 27001 SoA, and DPA templates for enterprise procurement.
Request security pack