PDPA 2010 compliant healthcare platform with enterprise-grade encryption and regulatory alignment — designed specifically for Malaysian clinics.
Data Protection: PDPA 2010 (Malaysia) aligned
Encryption: TLS 1.2+ in transit · AES-256 at rest
Backups: Daily automated · 90-day retention
Hosting Region: Malaysia (AWS)
Uptime (last 90d): 99.9%
e-Invoice: LHDN integration (production ready)
Our compliance pillars
Patient Data Protection
PDPA 2010 aligned data collection with purpose limitation, data minimization, and support for access, correction, and erasure rights.
Security by Design
Role-based access, least privilege, audit logging, encryption, and network isolation built into the platform from the ground up.
Reliability & Continuity
Redundant infrastructure, multiple backup tiers, and tested disaster recovery procedures to minimize downtime and data loss.
Transparency
Clear subprocessors, documented data flows, and proactive incident communication — no surprises for you or your patients.
Regulatory alignment (Malaysia)
PDPA 2010 (Malaysia)
Lawful basis: Contract performance and legitimate interest for healthcare operations
Individual rights: Access, correction, withdrawal of consent via legal@relify.com.my
Retention: Clinical data retained per MOH guidance; non-clinical data per our retention policy
Data export: Machine-readable formats available on request
Ministry of Health (MOH) Context
Designed for clinical environments supporting medical record access controls, traceability, and auditability across EMR, pharmacy, laboratory, and billing modules.
e-Invoice (LHDN)
Environment: Production ready
Features: TIN validation helper, SST fields, QR on PDF, fail-safe fallback & reconciliation queues
Evidence logs: Request/response logs stored for 7 years
Security controls
Encryption
In transit: TLS 1.2+
At rest: AES-256 (DB, object storage, backups)
Key management: AWS KMS with restricted access
Access Control
RBAC: Roles for admin/doctor/nurse/pharmacist/finance
MFA: Available for privileged roles
Session security: Short-lived tokens + secure cookies
IP allowlisting: Available on request
Application Security
Secure SDLC: Code reviews and dependency scanning
Vulnerability management: CVE triage within 7 days
Penetration testing: Annual summary available under NDA
Secrets management: AWS Secrets Manager with rotation
Monitoring: Health checks, metrics, alerting, synthetic probes
Data residency & transfers
Primary Region: Malaysia on AWS
Optional Residency: Singapore available on request for enterprise
Cross-border transfers: Limited to subprocessors listed below under DPAs with appropriate safeguards
Subprocessors
We use carefully vetted vendors to deliver the service. We sign DPAs and limit scope to necessity.
| Vendor | Purpose | Data Types | Location | Notes |
| --- | --- | --- | --- | --- |
| AWS S3 | File/object storage | Uploaded clinical docs, invoices | Malaysia | AES-256 at rest |
| AWS RDS | Primary database | EMR metadata, billing data | Malaysia | Daily backups |
| AWS EC2 | App runtime | Runtime processing | Malaysia | Isolated environments |
| SendGrid | Transactional email | Names, email addresses, receipts | Singapore | SPF/DKIM/DMARC |
| WhatsApp Cloud API | Patient notifications (opt-in) | Phone numbers, template content | Singapore | Opt-in, templates only |
Data retention
Clinical records: Retained per legal/clinical retention rules (7+ years)
Access logs: 7 years
Backups: 30 days online + 12 months archive
Account data: While active + 7 years for tax compliance
Deletion: Secure delete upon verified request and end of retention period
Customer responsibilities
Configure RBAC and MFA for staff
Maintain accurate clinic identity (TIN, address, SST registration)
Obtain patient consent for notifications (WhatsApp) where required
Keep endpoints and browsers up to date
Report security incidents promptly to security@relify.com.my
Certification Status
We implement enterprise-grade security controls equivalent to international standards. While we do not claim HIPAA/ISO certification unless expressly stated, we follow many equivalent security practices and are working towards formal certifications.
Last Updated: January 15, 2025
This compliance documentation is reviewed quarterly and updated to reflect current practices.