Overview
Xedar processes financial and personal data on behalf of Malaysian individuals and businesses. This page describes the technical and organisational measures protecting that data. This is a living document.
Compliance posture
| Framework | Status | Notes |
|---|---|---|
| PDPA 2024 (Malaysia) | Compliant | DPO appointed, breach notification SOP in place, sub-processor register published. |
| AIGE 7 Principles (MOSTI, Sept 2024) | Aligned | AI used under transparency and accountability principles. |
| PCI DSS | Inherited | Inherited from our PCI DSS Level 1 payment processor. Xedar never stores card numbers or CVVs. |
| MOSTI MySTI | In progress | Application pending. |
| SOC 2 Type II | Roadmap | Targeted post-revenue threshold. |
| ISO/IEC 27001 | Roadmap | Targeted for enterprise readiness, 2027+. |
Data protection
| Control | Measure |
|---|---|
| Encryption in transit | TLS 1.2 or higher on every connection. HTTPS-only. |
| Password storage | bcrypt with per-user salt. Passwords never recoverable. |
| Session management | Encrypted cookies; HTTPS-only flag; idle timeout configured. |
| Two-factor authentication | TOTP-based 2FA available; enable from account settings. |
| Backups | Daily automated backups of production database. |
Field-level encryption at rest on sensitive PII (IC number, tax file number, bank account, phone) is on the Roadmap.
Access control
| Control | Measure |
|---|---|
| Multi-tenant isolation | Business entity data is scoped per entity; users see only entities they belong to. |
| Role-based access control | Hardcoded permission matrix; 6 platform roles + 5 entity roles. |
| Administrative access | Audited via append-only audit log; impersonation requires dual-actor approval. |
| Principle of least privilege | Operator access to user data only on documented support need. |
Monitoring and incident response
| Control | Measure |
|---|---|
| Audit logging | Append-only audit log. Captures actor, IP, user agent, action, timestamp. |
| Breach detection | Application alerts on anomalous login patterns; sub-processor incident notifications routed to DPO. |
| Breach notification | Personal Data Protection Commissioner notified within 72 hours; affected users within 7 days where significant harm is likely (PDPA 2024 Section 12B). |
| Incident runbook | Documented internally; reviewed annually. |
Data residency and retention
| Item | Detail |
|---|---|
| Primary hosting | Malaysia. |
| Cross-border processing | Google Gemini API (US / Singapore); payment processor (Singapore). |
| Tax records | 7 years per LHDN ITA 1967 Section 82. |
| Account data | Until account deletion + 30-day grace period. |
| Backup retention | 90-day rolling window. |
| Data subject rights | Per PDPA 2024 Section 43A; exercise via dpo@xedar.my. |
Sub-processors
The current sub-processor register is maintained here and in the Privacy Policy:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Google LLC (Gemini API) | AI receipt OCR | US / Singapore | SCC + no-training under paid-API terms. |
| Payment processor | Subscription billing | Singapore | DPA + PCI DSS Level 1. |
| Application hosting + database | Infrastructure | Malaysia | DPA + MY-domiciled. |
| Transactional email | Notifications | Vendor TBD | DPA pending before launch. |
Material sub-processor changes trigger 30-day user notification.
AI processing
Xedar uses Google's Gemini API for receipt OCR and tax-relief matching.
- Data sent. Receipt images and extracted line items. No income figures, transaction history, or personally identifying information beyond what appears on the receipt itself.
- Training. Google's commercial Gemini API terms contractually prohibit training on customer data. Xedar does not opt into any training programme.
- Output handling. AI-generated tax categorisations and relief matches are presented as draft suggestions. No AI output enters your permanent record without your review and confirmation.
Vulnerability reporting
Security researchers may report vulnerabilities to security@xedar.my.
We commit to:
- Acknowledging reports within 2 business days
- Investigating in good faith
- Publicly crediting researchers (with permission)
- Not pursuing legal action against good-faith researchers
We ask researchers to allow 90 days from first contact before public disclosure, avoid accessing data that isn't their own, and avoid impairing service availability.
A formal bug bounty programme is not currently offered.
Customer security checklist
- Use a strong, unique password
- Enable 2FA from your account settings
- Verify the URL is xedar.my / app.xedar.my before signing in
- Treat unexpected emails claiming to be from Xedar with caution — forward to security@xedar.my
- Sign out of shared or public devices
Roadmap
These items are not in place today and are not claimed as current state. They are committed targets:
- Disclaimer-first onboarding screen disclosing AI processing (Sprint 2)
- "AI-suggested" labels on all AI-generated outputs in the UI (Sprint 2)
- Field-level encryption at rest on sensitive PII (Sprint 2)
- Customer-facing audit log (post-launch)
- Data export endpoint at /account/export (post-launch within 30 days)
- Right-to-be-forgotten flow at /account/delete (post-launch within 30 days)
- MOSTI MySTI certification (2026)
- Third-party penetration test (first enterprise customer)
- SOC 2 Type II (2027)
- ISO 27001 (2027+)
- Formal bug bounty programme (post product-market fit)
Contact
Security questions: security@xedar.my.
Data protection / DPO: dpo@xedar.my.
General: hello@xedar.my.
