Casemix Solutions Sdn Bhd's formal declaration of compliance with Malaysia's Personal Data Protection Act 2010 (Act 709), issued for Relify — our clinic management platform.
Issued by Casemix Solutions Sdn Bhd — Valid for the Relify Platform (relify.com.my)
Casemix Solutions Sdn Bhd ("the Company"), registered in Malaysia and operating the Relify clinic management platform, hereby formally declares that its data collection, processing, storage, and handling practices are conducted in compliance with the Personal Data Protection Act 2010 (Malaysia) (Act 709) and its associated regulations.
This statement applies to all personal data processed through the Relify platform including personal data of healthcare providers, clinic staff, and patient data processed on behalf of licensed healthcare facilities subscribing to our service. The Company operates as a data processor for patient health data, under the instruction and authority of healthcare providers who act as data controllers.
The Company has implemented and maintains technical, administrative, and organisational measures proportionate to the sensitivity of health-related personal data to ensure the ongoing confidentiality, integrity, and availability of all data in its custody.
The PDPA 2010 establishes seven core data protection principles. Below is Casemix Solutions' formal statement of adherence to each principle in the operation of Relify.
| Principle | Statement of Adherence | Status |
|---|---|---|
| General Principle | Personal data is only processed with the consent of the data subject or a clear lawful basis — including contract performance for healthcare service delivery and legal obligations under Malaysian healthcare law. | Compliant |
| Notice and Choice Principle | Data subjects are informed of the purposes of data collection via our Privacy Policy (relify.com.my/privacy). Consent is obtained before collection of non-essential personal data. | Compliant |
| Disclosure Principle | Personal data is only disclosed to authorised parties as stated at the point of collection. We do not sell personal data to third parties. All subprocessors are listed and operate under Data Processing Agreements. | Compliant |
| Security Principle | AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, MFA for privileged users, immutable audit logs, and 24/7 security monitoring are implemented as standard controls. | Compliant |
| Retention Principle | Data is retained only as long as necessary for the stated purpose or as required by Malaysian healthcare and tax regulations. Clinical records are retained per MOH guidance (7+ years); other data per our published retention schedule. | Compliant |
| Data Integrity Principle | We take reasonable steps to ensure personal data is accurate, complete, and up to date. Users may update their data via the platform. Healthcare providers are responsible for the accuracy of patient records under their control. | Compliant |
| Access Principle | Data subjects may request access to, correction of, or deletion of their personal data by contacting legal@relify.com.my. Requests are processed within 21 days in accordance with the PDPA. | Compliant |

The following table outlines the categories of personal data processed through the Relify platform, the lawful basis for processing, and the relevant data controller.
| Data Category | Examples | Controller | Lawful Basis |
|---|---|---|---|
| Clinic Account Data | Name, email, phone, role, TIN, SST number | Casemix Solutions | Contract performance |
| Patient Demographics | Name, IC number, date of birth, address, phone | Healthcare Provider (Clinic) | Consent / Healthcare services |
| Clinical Health Data | Diagnoses, prescriptions, lab results, clinical notes | Healthcare Provider (Clinic) | Vital interest / Legal obligation (MOH) |
| Billing & Financial Data | Invoice records, payment details, SST, LHDN e-invoice data | Shared | Legal obligation (LHDN / Tax) |
| Communication Data | WhatsApp notifications (opt-in), email receipts, appointment reminders | Healthcare Provider (Clinic) | Consent (explicit opt-in) |
| Platform Usage Data | Login timestamps, audit logs, feature usage (anonymised) | Casemix Solutions | Legitimate interest (security, improvement) |
Patient health data constitutes sensitive personal data under the PDPA. We apply heightened security controls to all health-related records including encryption at rest (AES-256), strict role-based access, and immutable audit trails retained for 7 years.
In compliance with Section 9 of the PDPA 2010, we maintain the following security safeguards:
| Control Area | Measure Implemented |
|---|---|
| Encryption (In Transit) | TLS 1.2+ enforced for all data transmission between users and servers |
| Encryption (At Rest) | AES-256 applied to databases, file storage (AWS S3), and backup archives |
| Key Management | AWS Key Management Service (KMS) with restricted access and rotation policies |
| Access Control | Role-Based Access Control (RBAC) — Admin, Doctor, Nurse, Pharmacist, Finance roles |
| Authentication | Multi-Factor Authentication (MFA) available for all privileged accounts |
| Session Management | Short-lived JWT tokens with secure HttpOnly cookies and automatic session expiry |
| Audit Logging | Immutable audit trails for all PHI access, edits, logins, prescribing, and dispensing events — 7-year retention |
| Tenant Isolation | Logical data isolation by branch ID; no cross-clinic data access |
| Backups | Daily automated snapshots with point-in-time recovery; 30 days online, 12 months archive |
| Infrastructure | AWS Malaysia region; isolated development, staging, and production environments |
| Vulnerability Management | CVE triage within 7 days; annual penetration testing (summary available under NDA) |
| Incident Response | Documented breach response plan; notification to authorities within 72 hours if required |
We engage the following subprocessors under written Data Processing Agreements. Data shared is limited to what is strictly necessary for service delivery.
| Vendor | Purpose | Data Shared | Region | Safeguard |
|---|---|---|---|---|
| AWS S3 | File & object storage | Clinical documents, invoices | Malaysia (ap-southeast-1) | AES-256, DPA in place |
| AWS RDS | Primary database | EMR metadata, billing records | Malaysia (ap-southeast-1) | Encrypted, daily backups |
| AWS EC2 | Application runtime | Runtime processing only | Malaysia (ap-southeast-1) | Isolated environments |
| SendGrid | Transactional email | Name, email address, receipt | Singapore | SPF/DKIM/DMARC, DPA |
| WhatsApp Cloud API | Patient notifications | Phone number, template content | Singapore | Explicit opt-in only, DPA |
| LHDN (MyInvois) | e-Invoice submission | TIN, invoice data, SST details | Malaysia | Legal obligation; 7-year log retention |
Casemix Solutions does not sell, rent, or trade personal data to any third party for commercial or marketing purposes. Data is shared only as described above and strictly for service delivery.
Under PDPA 2010, individuals have the following rights regarding their personal data processed by Casemix Solutions. All requests are responded to within 21 days.
- Request a copy of personal data we hold about you
- Request correction of inaccurate or incomplete personal data
- Withdraw consent to processing where consent is the lawful basis
- Request restriction of processing that causes damage or distress
- Receive your data in a machine-readable format upon request
- Request deletion of data subject to applicable retention obligations
Submit a written request to legal@relify.com.my with your full name, contact details, and the specific right you wish to exercise. We will acknowledge receipt within 3 business days and respond fully within 21 days. For patient data, requests may need to be directed through your healthcare provider as the data controller.
In the event of a personal data breach, Casemix Solutions will:
This statement should be read together with the following documents, all accessible on our website:
| Document | Purpose | URL |
|---|---|---|
| Privacy Policy | Full details on data collection, use, and rights | relify.com.my/privacy-policy |
| Terms of Service | Legal terms, data controller acknowledgement, DPA clauses | relify.com.my/terms |
| Security & Compliance | Technical security controls, subprocessors, certifications | relify.com.my/compliance |
For all PDPA-related enquiries, data subject requests, or concerns regarding our data handling practices, please contact us through the following channels:
Statement Date: January 15, 2025 | Review Cycle: Quarterly | Governing Law: Personal Data Protection Act 2010 (Malaysia) (Act 709)
This document is reviewed and updated quarterly to reflect current practices and regulatory developments.