PDPA 2010 · PHFSA 1998 · ISO 27001 pathway

Trust Centre — MOVO-X Malaysia.

How MOVO-X handles patient data, what laws we comply with, who our subprocessors are, and how Malaysian patients can exercise their rights under PDPA 2010.

Compliance Status
PDPA 2010 (Personal Data Protection Act)

Data User registration filed. Consent management, data subject access, breach notification < 72h to PDPC Malaysia.

Compliant
PHFSA 1998 (Private Healthcare Facilities and Services Act)

Clinical data handling follows KKM requirements for MOH-licensed private hospitals.

Compliant
MOH Healthcare IT Guidelines

Architecture follows KKM Digital Health Framework for healthcare IT systems.

Compliant
ISO 27001:2022

Gap assessment completed May 2026. Target certification Q4 2026 on enterprise tier.

In Progress
📋
SOC 2 Type II

Planned H1 2027. Security, Availability, Confidentiality, Processing Integrity, Privacy.

Roadmap
Data Handling
Data TypeRetention
Clinic administrator name/emailActive account + 7 years post-termination
Patient NRIC (SHA-256 hash only)Active account + 7 years (hash, not raw IC)
Queue/appointment timestampsActive account + 7 years
Kiosk usage logs7 years (immutable audit log)
Clinical recordsNOT stored — queue/appointment metadata only
Raw IC numberNEVER stored — hash only
Subprocessors
Supabase (AWS Singapore)
Primary database and authentication
ap-southeast-1 (Singapore) · SOC 2 Type II, ISO 27001
Supabase (AWS Kuala Lumpur)
KMS key management
ap-southeast-5 (KL region) · SOC 2 Type II, ISO 27001
Vercel (Singapore edge)
Application hosting and edge compute
sin1 (Singapore) · SOC 2 Type II
Anthropic (Claude AI)
AI triage — zero data retention mode
US (zero retention) · SOC 2 Type II
Resend
Transactional email (admin alerts)
EU · GDPR compliant
WhatsApp Business API (Meta)
Patient queue notifications
Meta global infra · ISO 27001
Patient Rights (PDPA 2010)
Right of Access
Patient can request all data held about them. Fulfilled within 21 days per PDPA 2010.
Right of Correction
Patient can correct inaccurate data. Clinic admin can action via admin portal.
Withdrawal of Consent
Patient can withdraw PDPA consent. Data anonymised within 30 days of valid request.
Breach Notification
PDPC Malaysia notified within 72 hours of confirmed breach. Affected patients notified within 7 days.
To exercise rights: privacy@movo-x.com
Data Protection Officer

MOVO-X Malaysia has a named Data Protection Officer on file per PDPA 2010 requirements. The DPO oversees all data processing activities, PDPA 2010 compliance programme, and regulatory engagement with PDPC Malaysia.

dpo@movo-x.com →
Breach Response

In the event of a confirmed personal data breach: PDPC Malaysia notified within 72 hours. Affected patients notified within 7 days. Full incident report provided to enterprise customers within 14 days. Audit logs preserved for investigation.