Data Processing Agreement

The data-processing terms that apply when Oris Invoice processes personal data on your behalf as a data processor.

Aligned with: Personal Data Protection Act 2010 · Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with the Personal Data Protection Act 2010. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Definitions

"Controller", "Processor", "Personal Data", "Processing", "Data Subject" and other terms have the meanings set out in the Personal Data Protection Act 2010. "Customer Personal Data" means Personal Data within Customer Data that we process on your behalf.

2. Roles and instructions

You are the Controller of Customer Personal Data. We are the Processor. We process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do so by applicable law (in which case we will inform you of that legal requirement before processing, where allowed).

3. Confidentiality and personnel

We ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and have received appropriate data-protection training. We restrict access on a need-to-know basis governed by role-based access controls.

4. Security measures

We implement appropriate technical and organisational measures, including (a) encryption of data at rest and in transit; (b) regular vulnerability scanning and penetration testing; (c) network segmentation, least-privilege access, and centralised logging; (d) incident detection and response procedures; (e) background checks for personnel with production access. The current measures are documented in our Security Whitepaper, available on request.

5. Sub-processors

You authorise us to engage sub-processors to provide the service. We maintain a current list of sub-processors and inform you at least 30 days before adding or replacing one (subject to a reasonable objection right). We remain liable for our sub-processors' performance of data-protection obligations.

6. Data subject rights

We assist you in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) by providing self-service export tools and, where needed, dedicated processor support. You remain responsible for primary communication with the data subject.

7. Data breach notification

We notify you without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data, providing the information you reasonably need to comply with your notification obligations to the supervisory authority and to affected data subjects.

8. International transfers

Where we transfer Customer Personal Data outside Malaysia, we rely on adequacy decisions of the Personal Data Protection Commissioner or, where adequacy is not available, on standard contractual clauses or another lawful transfer mechanism. Specific transfer details are in our sub-processor list.

9. Audits

You may audit our compliance with this DPA, on reasonable notice and at your cost, no more than once per 12 months (or following a Personal Data Breach). We will provide our SOC 2 Type II report and ISO 27001 certificate to satisfy most audit requirements without on-site visits, where you accept these as adequate.

10. Return or deletion of data

On termination of the service, we will (at your election) return Customer Personal Data to you in a structured machine-readable format and/or delete it from our systems (subject to backup retention up to 35 days and any statutory retention requirements applicable to invoices).

11. Liability and conflicts

This DPA forms part of, and is subject to, our Terms of Service. In the event of any conflict between this DPA and the Terms, this DPA prevails on data-protection matters. Liability under this DPA is subject to the limitations in the Terms.

12. Effective date

This DPA is effective as of the date you accept the Terms of Service or sign a separate order form referencing it. We may update this DPA from time to time; material changes are notified at least 30 days in advance.