Features Product Pricing FAQ Contact
Official Compliance Statement

PDPA Compliance Statement

Casemix Solutions Sdn Bhd's formal declaration of compliance with Malaysia's Personal Data Protection Act 2010 (Act 709), issued for Relify — our clinic management platform.

Personal Data Protection Act 2010 (PDPA) Compliance Statement

Issued by Casemix Solutions Sdn Bhd — Valid for the Relify Platform (relify.com.my)

Casemix Solutions Sdn Bhd ("the Company"), registered in Malaysia and operating the Relify clinic management platform, hereby formally declares that its data collection, processing, storage, and handling practices are conducted in compliance with the Personal Data Protection Act 2010 (Malaysia) (Act 709) and its associated regulations.

This statement applies to all personal data processed through the Relify platform including personal data of healthcare providers, clinic staff, and patient data processed on behalf of licensed healthcare facilities subscribing to our service. The Company operates as a data processor for patient health data, under the instruction and authority of healthcare providers who act as data controllers.

The Company has implemented and maintains technical, administrative, and organisational measures proportionate to the sensitivity of health-related personal data to ensure the ongoing confidentiality, integrity, and availability of all data in its custody.

Issuing Entity Casemix Solutions Sdn Bhd
Platform Relify (relify.com.my)
Governing Law PDPA 2010 (Act 709), Malaysia
Statement Date January 15, 2025
Review Cycle Quarterly
Contact legal@relify.com.my

Compliance with the 7 PDPA Principles

The PDPA 2010 establishes seven core data protection principles. Below is Casemix Solutions' formal statement of adherence to each principle in the operation of Relify.

Principle 1
General Principle

Personal data is only processed with the consent of the data subject or a clear lawful basis — including contract performance for healthcare service delivery and legal obligations under Malaysian healthcare law.

Compliant
Principle 2
Notice & Choice

Data subjects are informed of the purposes of data collection via our Privacy Policy (relify.com.my/privacy). Consent is obtained before collection of non-essential personal data.

Compliant
Principle 3
Disclosure

Personal data is only disclosed to authorised parties as stated at the point of collection. We do not sell personal data to third parties. All subprocessors operate under Data Processing Agreements.

Compliant
Principle 4
Security

AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, MFA for privileged users, immutable audit logs, and 24/7 security monitoring are implemented as standard controls.

Compliant
Principle 5
Retention

Data is retained only as long as necessary for the stated purpose or as required by Malaysian healthcare and tax regulations. Clinical records are retained per MOH guidance (7+ years); other data per our published retention schedule.

Compliant
Principle 6
Data Integrity

We take reasonable steps to ensure personal data is accurate, complete, and up to date. Users may update their data via the platform. Healthcare providers are responsible for the accuracy of patient records under their control.

Compliant
Principle 7
Access

Data subjects may request access to, correction of, or deletion of their personal data by contacting legal@relify.com.my. Requests are processed within 21 days in accordance with the PDPA.

Compliant

Personal Data Processed

The following table outlines the categories of personal data processed through the Relify platform, the lawful basis for processing, and the relevant data controller.

Data Category Examples Controller Lawful Basis
Clinic Account Data Name, email, phone, role, TIN, SST number Casemix Solutions Contract performance
Patient Demographics Name, IC number, date of birth, address, phone Healthcare Provider (Clinic) Consent / Healthcare services
Clinical Health Data Diagnoses, prescriptions, lab results, clinical notes Healthcare Provider (Clinic) Vital interest / Legal obligation (MOH)
Billing & Financial Data Invoice records, payment details, SST, LHDN e-invoice data Shared Legal obligation (LHDN / Tax)
Communication Data WhatsApp notifications (opt-in), email receipts, appointment reminders Healthcare Provider (Clinic) Consent (explicit opt-in)
Platform Usage Data Login timestamps, audit logs, feature usage (anonymised) Casemix Solutions Legitimate interest (security, improvement)

Sensitive Personal Data

Patient health data constitutes sensitive personal data under the PDPA. We apply heightened security controls to all health-related records including encryption at rest (AES-256), strict role-based access, and immutable audit trails retained for 7 years.

Technical & Organisational Security Measures

In compliance with Section 9 of the PDPA 2010, we maintain the following security safeguards:

Control Area Measure Implemented
Encryption (In Transit)TLS 1.2+ enforced for all data transmission between users and servers
Encryption (At Rest)AES-256 applied to databases, file storage (AWS S3), and backup archives
Key ManagementAWS Key Management Service (KMS) with restricted access and rotation policies
Access ControlRole-Based Access Control (RBAC) — Admin, Doctor, Nurse, Pharmacist, Finance roles
AuthenticationMulti-Factor Authentication (MFA) available for all privileged accounts
Session ManagementShort-lived JWT tokens with secure HttpOnly cookies and automatic session expiry
Audit LoggingImmutable audit trails for all PHI access, edits, logins, prescribing, and dispensing events — 7-year retention
Tenant IsolationLogical data isolation by branch ID; no cross-clinic data access
BackupsDaily automated snapshots with point-in-time recovery; 30 days online, 12 months archive
InfrastructureAWS Malaysia region; isolated development, staging, and production environments
Vulnerability ManagementCVE triage within 7 days; annual penetration testing (summary available under NDA)
Incident ResponseDocumented breach response plan; notification to authorities within 72 hours if required

Subprocessors & Third-Party Data Sharing

We engage the following subprocessors under written Data Processing Agreements. Data shared is limited to what is strictly necessary for service delivery.

Vendor Purpose Data Shared Region Safeguard
AWS S3File & object storageClinical documents, invoicesMalaysia (ap-southeast-1)AES-256, DPA in place
AWS RDSPrimary databaseEMR metadata, billing recordsMalaysia (ap-southeast-1)Encrypted, daily backups
AWS EC2Application runtimeRuntime processing onlyMalaysia (ap-southeast-1)Isolated environments
SendGridTransactional emailName, email address, receiptSingaporeSPF/DKIM/DMARC, DPA
WhatsApp Cloud APIPatient notificationsPhone number, template contentSingaporeExplicit opt-in only, DPA
LHDN (MyInvois)e-Invoice submissionTIN, invoice data, SST detailsMalaysiaLegal obligation; 7-year log retention

We Never Sell Personal Data

Casemix Solutions does not sell, rent, or trade personal data to any third party for commercial or marketing purposes. Data is shared only as described above and strictly for service delivery.

Data Subject Rights

Under PDPA 2010, individuals have the following rights regarding their personal data processed by Casemix Solutions. All requests are responded to within 21 days.

Right of Access

Request a copy of personal data we hold about you

Right to Correction

Request correction of inaccurate or incomplete personal data

Withdrawal of Consent

Withdraw consent to processing where consent is the lawful basis

Right to Prevent Processing

Request restriction of processing that causes damage or distress

Data Portability

Receive your data in a machine-readable format upon request

Right to Erasure

Request deletion of data subject to applicable retention obligations

How to Exercise Your Rights

Submit a written request to legal@relify.com.my with your full name, contact details, and the specific right you wish to exercise. We will acknowledge receipt within 3 business days and respond fully within 21 days. For patient data, requests may need to be directed through your healthcare provider as the data controller.

Data Breach Response

In the event of a personal data breach, Casemix Solutions will:

  • Contain the breach and initiate our documented Incident Response Plan immediately upon discovery
  • Assess the nature, scope, and likely consequences of the breach within 24 hours
  • Notify the Personal Data Protection Commissioner (PDPC) and affected parties without undue delay and within 72 hours where the breach poses a risk to data subjects' rights
  • Provide affected users with clear information about what occurred, what data was involved, and what steps we have taken
  • Implement remediation measures and conduct a post-incident review to prevent recurrence
  • Maintain a breach register for all incidents regardless of severity

Related Compliance Documents

This statement should be read together with the following documents, all accessible on our website:

Document Purpose URL
Privacy Policy Full details on data collection, use, and rights relify.com.my/privacy-policy
Terms of Service Legal terms, data controller acknowledgement, DPA clauses relify.com.my/terms
Security & Compliance Technical security controls, subprocessors, certifications relify.com.my/compliance

Data Protection Contact

For all PDPA-related enquiries, data subject requests, or concerns regarding our data handling practices, please contact us through the following channels:

Legal / Data Protection: legal@relify.com.my
General Support: support@relify.com.my
Security Incidents: security@relify.com.my
Lot 1-15, MKH Boulevard, Jalan Changkat, Bandar Kajang, 43000 Kajang, Selangor, Malaysia
Monday – Friday, 9:00 AM – 6:00 PM (MYT)  |  Emergency: 24/7

Statement Date: January 15, 2025  |  Review Cycle: Quarterly  |  Governing Law: Personal Data Protection Act 2010 (Malaysia) (Act 709)

This document is reviewed and updated quarterly to reflect current practices and regulatory developments.