1. Introduction
nCrypt Malaysia ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services or visit our website.
This policy complies with Malaysia's Personal Data Protection Act 2010 (Act 709) and incorporates the requirements of the 2025 PDPA amendments that came into force in April 2025.
2. Data Protection Officer (DPO)
nCrypt Malaysia has appointed a Data Protection Officer as required under the 2025 PDPA amendments for data users processing personal data on a significant scale. The DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection law.
Name: Chandra Rau, Chief Information Security Officer & DPO
Email: [email protected]
Phone: +60 12 770 7421
Address: Subang Jaya, Selangor, Malaysia
All data protection queries, access requests, and breach notifications should be directed to the DPO at the contact details above.
3. 2025 PDPA Amendments — Compliance Statement
The Personal Data Protection (Amendment) Act, which took effect in April 2025, introduced material changes to Malaysia's data protection framework. nCrypt Malaysia has implemented procedures to address each requirement:
- 72-hour breach notification: In the event of a personal data breach, we will notify the Personal Data Protection Commissioner and affected data subjects within 72 hours of becoming aware of the breach, as required under the 2025 PDPA amendments.
- Biometric data as sensitive personal data: Biometric data (including fingerprints, facial recognition data, and voice patterns) is now classified as sensitive personal data under the amendments. We treat such data with heightened protection and will not process it without explicit consent unless otherwise permitted by law.
- Mandatory DPO appointment: We have appointed a named DPO (see Section 2) in satisfaction of the mandatory DPO requirement for data users processing personal data at scale.
- Expanded data subject rights: In addition to existing rights under Act 709, you now have an explicit right to request correction of inaccurate personal data and, in defined circumstances, to request deletion of your personal data. See Section 9 for how to exercise these rights.
4. Information We Collect
Personal Information
- Name and contact information (email, phone number, address)
- Company name and job title
- Payment and billing information
- Communication preferences
Technical Information
- IP address and browser type
- Device information and operating system
- Website usage data and analytics
- Cookies and similar tracking technologies
Service-Related Information
- Security assessment findings (for clients only)
- System and network information provided for assessments
- Incident response data when applicable
5. How We Use Your Information
- To provide and improve our cybersecurity services
- To communicate with you about our services
- To process payments and manage accounts
- To send marketing communications (with your consent)
- To comply with legal obligations under Act 709 and the 2025 amendments
- To protect our rights and prevent fraud
6. Third-Party Processors and Cross-Border Transfers
Under section 129 of the Personal Data Protection Act 2010, personal data may only be transferred outside Malaysia to jurisdictions that provide an adequate level of protection, or where appropriate safeguards (including data processing agreements) are in place. We engage the following third-party processors, each of which involves cross-border data transfers:
- Resend (United States) — transactional and marketing email delivery
- Google Cloud Storage (United States / Singapore) — file and document storage
- Stripe (United States) — payment processing and billing
- Anthropic (United States) — AI-assisted tooling and analysis
- Railway (United States) — application hosting infrastructure
- Cloudflare (United States / global edge) — content delivery network and DDoS protection
- Sentry (United States) — application error monitoring
We have entered into data processing agreements with these processors where required, and we require each processor to maintain appropriate technical and organisational measures to protect personal data. We do not sell your personal data to third parties.
7. Data Security
As a cybersecurity company, we implement industry-leading security measures to protect your data:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments and audits
- Employee security awareness training
- Incident response procedures aligned with the 72-hour breach notification requirement
- ISMS aligned to ISO/IEC 27001:2022 (certification audit in progress)
8. Cookies
We use cookies and similar technologies to enhance your experience on our website. You can control cookie preferences through your browser settings. Essential cookies required for website functionality cannot be disabled.
9. Your Rights and How to Exercise Them
Under the Personal Data Protection Act 2010 (Act 709) and the 2025 amendments, you have the right to:
- Access your personal data held by us
- Correct inaccurate or incomplete personal data
- Request deletion of your personal data (subject to legal and contractual retention obligations)
- Withdraw consent for data processing at any time
- Object to processing for direct marketing purposes
Submit access, correction, or deletion requests via [email protected] or our online form at /data-rights (response within 21 days).
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law. Client engagement data is retained for a minimum of 7 years for legal and compliance purposes.
11. Updates to This Policy
We may update this Privacy Policy periodically to reflect changes in law or our practices. Changes will be posted on this page with an updated revision date. We encourage you to review this policy regularly.