Data Processing Agreement (DPA)
Effective: 28 May 2026 | Data Brain Sdn. Bhd. (1335252-P)
This Data Processing Agreement ("DPA") supplements the FinTag.my Terms of Service and governs the processing of Personal Data by Data Brain Sdn. Bhd. ("Processor") on behalf of the Customer ("Controller / Data User") under the Malaysian Personal Data Protection Act 2010 (Amendment 2024) ("PDPA").
Parties:
Data User (Controller): The Customer / company registered on FinTag.my
Data Processor: Data Brain Sdn. Bhd., (1335252-P), Seremban, Negeri Sembilan, Malaysia
1. Subject Matter and Duration
This DPA applies for the duration of the Customer's active account on FinTag.my and any additional retention period required by law (e.g. 7 years for tax records under LHDN regulations).
2. Nature and Purpose of Processing
The Processor processes Personal Data solely to deliver PDF-to-XBRL conversion services, including OCR, AI extraction, data validation, XBRL generation, secure storage, and audit logging.
3. Categories of Personal Data
| Data Category | Source | Sensitivity |
|---|---|---|
| Company financial statements (PDF content) | Customer upload | Confidential business data |
| Director names, NRIC, signatures (if present in PDF) | Customer upload | Personal data (PDPA Section 4 definition) |
| Customer account info (name, email, phone) | Registration | Personal data |
| Payment metadata (no card details) | Billplz | Financial |
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorised to process Personal Data are bound by confidentiality
- Implement appropriate technical and organisational measures (Section 9 PDPA), including: encryption in transit (TLS) and at rest, access controls, 2FA, audit logging, regular security testing
- Not engage sub-processors without prior general authorisation (see Section 5 below)
- Assist the Controller in fulfilling data subject rights (access, correction, erasure)
- Notify the Controller of any Personal Data breach within 48 hours of discovery (giving the Controller time to meet the 72-hour notification window for the Commissioner under Section 12B PDPA)
- Delete or return all Personal Data after termination, subject to legal retention obligations
- Make available all information necessary to demonstrate compliance with this DPA
5. Authorised Sub-Processors
The Controller grants general authorisation for the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google LLC (Gemini API) | OCR + data extraction | USA / Singapore |
| Anthropic PBC (Claude API) | Optional AI validation | USA |
| Billplz Sdn. Bhd. | Payment processing | Malaysia |
| Contabo GmbH (VPS hosting) | Server infrastructure | Germany / Singapore |
| Resend.com | Transactional email | USA |
The Processor will provide 14 days' notice via email of any new sub-processor. The Controller may object by terminating the account within the notice period (refunds prorated).
6. Cross-Border Transfer
Where Personal Data is transferred outside Malaysia, the Processor warrants that sub-processors are bound by data processing terms that meet the requirements of Section 129 PDPA 2010 (adequate level of protection).
7. Security Measures (Technical & Organisational)
- Encryption: TLS 1.2+ in transit, AES-256 at rest for PDFs and XBRL files
- Authentication: bcrypt password hashing, optional 2FA, API key-based auth for programmatic access
- Access Control: Role-based access (super_admin, admin, user); least-privilege principle
- Audit Logging: All authentication events, file downloads, data modifications, and admin actions logged with IP + user-agent (retained 5 years)
- Monitoring: New-device login alerts via email; failed login rate-limiting (5 attempts/minute)
- Backup: Daily encrypted backups with 30-day retention
- Vulnerability Management: Composer audit on every CI run; npm audit for high-severity issues
- Testing: Automated test suite covering authentication, payment processing, file access, and data extraction
8. Data Subject Rights
The Processor provides self-service tools for data subject rights at /profile/privacy:
- Right to access (Section 30 PDPA): One-click data export as ZIP
- Right to correction (Section 34): Profile edit page
- Right to withdraw consent (Section 38): Account deletion request with 30-day cool-off
9. Breach Notification
Upon discovery of a Personal Data breach, the Processor will, within 48 hours:
- Notify the Controller (the primary contact email on file)
- Provide: nature of breach, categories and approximate volume of data affected, likely consequences, measures taken
- Cooperate with the Controller's notification to JPDP under Section 12B PDPA
10. Audits and Inspections
The Controller may request, no more than once per calendar year and on 30 days' notice, a summary of the Processor's security posture (e.g. composer audit results, CI test pass rate, activity log samples). On-site audits may be conducted by mutual agreement and at the Controller's expense.
11. Termination and Return of Data
Upon termination of the account, the Processor shall, within 30 days, either return all Personal Data to the Controller (via the export tool) or anonymise it. Audit logs containing user IDs may be retained in anonymised form for 5 years for legal compliance.
12. Liability
Liability for breaches of this DPA is governed by the limitation of liability clause in the FinTag.my Terms of Service, subject to mandatory statutory liabilities under PDPA.
13. Governing Law
This DPA is governed by Malaysian law. Disputes shall be subject to the exclusive jurisdiction of the courts in Seremban, Negeri Sembilan.
Acceptance: By using FinTag.my for business purposes, the Customer is deemed to have entered into this DPA. For a counter-signed version on company letterhead, email admin@fintag.my.