Compliance & Security

Enterprise Security

PDPA 2010 compliant healthcare platform with enterprise-grade security, encryption, and regulatory alignment designed specifically for Malaysian clinics.

Data Protection
PDPA 2010 (Malaysia) aligned
Encryption
TLS 1.2+ in transit • AES-256 at rest
Backups
Daily automated • 30 days online, 12 months archive
Hosting Region
Malaysia (AWS) • Singapore optional for enterprise
Uptime (last 90d)
99.9%
e-Invoice
LHDN integration (production ready)

Our Compliance Pillars

Patient Data Protection
PDPA 2010 aligned data collection with purpose limitation, data minimization, and support for access, correction, and erasure rights.
Security by Design
Role-based access, least privilege, audit logging, encryption, and network isolation built into the platform.
Reliability & Continuity
Redundant infrastructure, multiple backups, and tested disaster recovery procedures to minimize downtime.
Transparency
Clear subprocessors, data flows, and incident communication processes — no surprises.

Regulatory Alignment (Malaysia)

PDPA 2010 (Malaysia)

  • Lawful basis: Contract performance and legitimate interest for healthcare operations
  • Individual rights: Access, correction, withdrawal of consent via legal@relify.com.my
  • Retention: Clinical data retained per MOH guidance; non-clinical data per our retention policy
  • Data export: Machine-readable formats available on request

Ministry of Health (MOH) Context

Designed for clinical environments supporting medical record access controls, traceability, and auditability across EMR, pharmacy, laboratory, and billing modules.

e-Invoice (LHDN)

  • Environment: Production ready
  • Features: TIN validation helper, SST fields, QR on PDF, fail-safe fallback & reconciliation queues
  • Evidence logs: Request/response logs stored for 7 years

Security Controls

Encryption
  • In transit: TLS 1.2+
  • At rest: AES-256 (DB, object storage, backups)
  • Key management: AWS KMS with restricted access
Access Control
  • RBAC: Roles for admin/doctor/nurse/pharmacist/finance
  • MFA: Available for privileged roles
  • Session security: Short-lived tokens + secure cookies
  • IP allowlisting: Available on request
Application Security
  • Secure SDLC: Code reviews and dependency scanning
  • Vulnerability management: CVE triage within 7 days
  • Penetration testing: Annual; executive summary available under NDA
  • Secrets management: AWS Secrets Manager with rotation
Audit & Logging
  • Immutable audit trails: PHI access, edits, logins, prescribing, dispensing
  • Tamper-evident storage: 7-year retention for critical logs
  • Real-time alerts: Security event monitoring
Data Isolation
  • Logical tenant isolation: By branch ID
  • Separate environments: Dev/staging/production with distinct credentials
Reliability & DR
  • Backups: Daily snapshots with point-in-time recovery
  • Retention: 30 days online, 12 months archive
  • Restore tests: Monthly with documented RTO 4 hours / RPO 15 minutes
  • Monitoring: Health checks, metrics, alerting, synthetic probes
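The "immutable audit trails" and "tamper-evident storage" bullets above state a property, not a mechanism. The following is an added example (not the platform's code; the event fields, the demo key, and the hash-chain layout are assumptions) showing the usual way such a property is checked: each entry commits to the previous entry's hash, a keyed MAC ties the chain to a key the application store does not hold, and a verifier walks the chain and reports the first entry that no longer matches.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample events covering the classes the page lists
# (logins, PHI access, prescribing, dispensing). Field names are
# hypothetical and are not the platform's schema.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-01-15T08:01:00+08:00", "actor": "dr.lim", "role": "doctor",
     "action": "login", "branch": "KL-01"},
    {"ts": "2025-01-15T08:03:12+08:00", "actor": "dr.lim", "role": "doctor",
     "action": "phi.read", "patient": "P-10442", "branch": "KL-01"},
    {"ts": "2025-01-15T08:10:40+08:00", "actor": "dr.lim", "role": "doctor",
     "action": "prescribe", "patient": "P-10442", "rx": "RX-7781", "branch": "KL-01"},
    {"ts": "2025-01-15T09:20:05+08:00", "actor": "ph.tan", "role": "pharmacist",
     "action": "dispense", "rx": "RX-7781", "branch": "KL-01"},
]

GENESIS = "0" * 64  # hash "before" the first entry


def canonical(event: Dict) -> bytes:
    """Deterministic serialisation so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Dict], event: Dict, key: bytes) -> Dict:
    """Append an event, binding it to the previous entry's hash and a keyed MAC."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    entry_hash = hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()
    entry = {
        "seq": len(chain),
        "prev_hash": prev_hash,
        "event": event,
        "entry_hash": entry_hash,
        # Keyed MAC: someone with write access to the log store but not to
        # the key cannot simply re-chain the log after editing an entry.
        "mac": hmac.new(key, entry_hash.encode(), "sha256").hexdigest(),
    }
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return i  # reordered, inserted, or deleted-in-the-middle entry
        expected_hash = hashlib.sha256(prev_hash.encode() + canonical(entry["event"])).hexdigest()
        if not hmac.compare_digest(expected_hash, entry.get("entry_hash", "")):
            return i  # event body edited in place
        expected_mac = hmac.new(key, expected_hash.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected_mac, entry.get("mac", "")):
            return i  # chain rebuilt without the key
        prev_hash = expected_hash
    return None


def build_sample_chain(key: bytes) -> List[Dict]:
    chain: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev, key)
    return chain


def tamper_edit(chain: List[Dict], index: int) -> List[Dict]:
    """Simulate an insider changing a prescription record after the fact."""
    forged = copy.deepcopy(chain)
    forged[index]["event"]["rx"] = "RX-9999"
    return forged


def tamper_delete(chain: List[Dict], index: int) -> List[Dict]:
    """Simulate deleting a middle entry (e.g. hiding a PHI read)."""
    forged = copy.deepcopy(chain)
    del forged[index]
    return forged


if __name__ == "__main__":
    # Constructed demo key; in practice this lives in KMS/Secrets Manager and
    # is held by the logging service, not by the application database.
    key = b"demo-key-held-by-the-logging-service"
    chain = build_sample_chain(key)
    print("intact chain:", verify_chain(chain, key))
    print("edited rx:", verify_chain(tamper_edit(chain, 2), key))
    print("deleted read:", verify_chain(tamper_delete(chain, 1), key))
```

One caveat worth knowing when reading a "tamper-evident" claim: a hash chain alone does not detect truncation, since dropping the newest entries leaves a valid shorter chain. That is why the latest entry hash is normally anchored somewhere the log writer cannot alter (a write-once bucket, a separate account, or a periodically published checkpoint), which is the kind of detail a customer can ask the vendor to describe.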

Data Residency & Transfers

  • Primary Region: Malaysia on AWS
  • Optional Residency: Singapore available on request for enterprise
  • Cross-border transfers: Limited to subprocessors listed below under DPAs with appropriate safeguards

Subprocessors

We use carefully vetted vendors to deliver the service. We sign DPAs and limit scope to necessity.

Vendor               Purpose                          Data types                          Location    Notes
AWS S3               File/object storage              Uploaded clinical docs, invoices    Malaysia    AES-256 at rest
AWS RDS              Primary database                 EMR metadata, billing data          Malaysia    Daily backups
AWS EC2              App runtime                      Runtime processing                  Malaysia    Isolated environments
SendGrid             Transactional email              Names, email addresses, receipts    Singapore   SPF/DKIM/DMARC
WhatsApp Cloud API   Patient notifications (opt-in)   Phone numbers, template content     Singapore   Opt-in, templates only

Data Retention (High Level)

  • Clinical records: Retained per legal/clinical retention rules (7+ years)
  • Access logs: 7 years
  • Backups: 30 days online + 12 months archive
  • Account data: While active + 7 years for tax compliance
  • Deletion: Secure delete upon verified request and end of retention period

Customer Responsibilities

  • Configure RBAC and MFA for staff
  • Maintain accurate clinic identity (TIN, address, SST registration)
  • Obtain patient consent for notifications (WhatsApp) where required
  • Keep endpoints and browsers up to date
  • Report security incidents promptly to security@relify.com.my

Certification Status

We implement enterprise-grade security controls equivalent to international standards. While we do not claim HIPAA/ISO certification unless expressly stated, we follow many equivalent security practices and are working towards formal certifications.

Last Updated: January 15, 2025
This compliance documentation is reviewed quarterly and updated as needed to reflect current practices.