Logo
Home Why Sumrize Sumrize AI How To Start Questions Our Plan
Login

Security & Data Protection · Keamanan & Perlindungan Data (Bilingual)

Applies to / Berlaku untuk: Sumrize (SaaS, AI-powered WhatsApp summarization, image generation, AI assistant)
Effective / Berlaku: 9 August 2025
Jurisdiction / Yurisdiksi: Indonesia (UU PDP)
Hosting: Singapore Region
Integrity Commitment / Komitmen Integritas: We operate with uncompromising integrity to safeguard confidentiality, integrity, and availability of user data. / Kami beroperasi dengan integritas tanpa kompromi untuk menjaga kerahasiaan, integritas, dan ketersediaan data pengguna.
English
Indonesian

1) Governance & Principles

  • Security by Design and Privacy by Design across the product lifecycle.
  • CIA Triad: confidentiality, integrity, availability as core objectives.
  • Compliance: Indonesian PDP Law; alignment with international best practices.

2) Data Classification & Handling

  • Classes: Public · Internal · Confidential · Restricted (e.g., chat content, summaries, identifiers).
  • Restricted data encrypted; access tightly controlled and audited.

3) Encryption & Key Management

  • At rest: industry-standard AES-256.
  • In transit: TLS 1.2+ (prefer TLS 1.3), HSTS, Perfect Forward Secrecy where supported.
  • Keys: centrally managed, periodically rotated, stored in a secure vault.

4) Access Control

  • Least privilege & need-to-know across all systems.
  • Production data access: limited to designated personnel; MFA enforced; device compliance required.
  • Strong authentication, session controls, and periodic access reviews.

5) Logging, Monitoring & Detection

  • Centralized, tamper-evident logging with time-synced servers.
  • Continuous monitoring for anomalies, brute force, and exfiltration patterns.
  • Alerting with on-call rotations and documented runbooks.

6) Network & Infrastructure Security

  • Segmentation, firewall policies, private subnets, and strict security groups.
  • WAF and abuse rate-limiting to mitigate bot/DDoS-like traffic.
  • Regular OS patching, hardened images, and baseline configuration standards.

7) Application Security

  • Secure SDLC with code reviews; dependency scanning; SAST/DAST on critical services.
  • Secrets kept out of code; rotated and scoped via vault.
  • Input validation, output encoding, and parameterized queries to mitigate OWASP Top 10.

8) Vulnerability & Patch Management

  • Routine vulnerability scans; remediation prioritized by severity (SLA targets).
  • Emergency patch path for actively exploited issues.

9) Data Loss Prevention (DLP)

  • Outbound monitoring for restricted data patterns and unusual transfer volumes.
  • Clipboard/download controls for admin consoles; watermarking for exports where feasible.

10) Backup & Disaster Recovery

  • Encrypted backups with tested restores.
  • Documented RPO/RTO for critical data; periodic DR drills.
  • Deletion requests also propagate to backups at the end of the backup retention window where technically feasible.

11) Incident Response

  • Defined IR plan: detect → triage → contain → eradicate → recover → post-mortem.
  • Notification: Written notice to affected data subjects and the competent authority **no later than 3×24 hours** after becoming aware of a personal-data breach, including (i) data involved, (ii) when/how it occurred, (iii) mitigation & recovery actions, per Indonesian PDP Law.

12) Third-Party Risk Management

  • Service providers assessed for security posture and bound by data-processing terms.
  • Data shared on a minimum-necessary basis; no sale of personal data.

13) Employee & Operational Security

  • Confidentiality agreements; ongoing security and role-based training.
  • Joiner-Mover-Leaver with prompt access revocation.

14) Data Subject Requests & Retention

  • Retention: up to 90 days for conversation content and summaries unless law requires longer.
  • Verified deletion on request by the group/Connector owner or authorized representative, including reasonable deletion of derived/identifiable artifacts.

15) Cross-Border Transfers

  • Given Singapore hosting, cross-border processing follows applicable PDP transfer bases (e.g., consent and/or contractual safeguards ensuring equivalent protection).

16) Physical & Cloud Security

  • Hosted in certified data centers with 24/7 security, access controls, and environmental safeguards.
  • Shared-responsibility model: we leverage the cloud provider’s compliance programs while maintaining our controls.

17) Business Continuity & Risk Management

  • Risk assessments drive controls; risk registers maintained and periodically reviewed.
  • Continuity plans ensure essential services under adverse conditions.

18) Contact

Email: [email protected] · Phone/WhatsApp: +628991900000

1) Tata Kelola & Prinsip

  • Security by Design dan Privacy by Design di seluruh siklus produk.
  • Triad CIA: kerahasiaan, integritas, ketersediaan sebagai sasaran inti.
  • Kepatuhan: UU PDP Indonesia; selaras praktik terbaik internasional.

2) Klasifikasi & Penanganan Data

  • Kelas: Publik · Internal · Rahasia · Terbatas (mis. konten chat, ringkasan, pengenal).
  • Data Terbatas dienkripsi; akses dikendalikan ketat dan diaudit.

3) Enkripsi & Manajemen Kunci

  • Saat tersimpan: AES-256 standar industri.
  • Saat transmisi: TLS 1.2+ (prioritas TLS 1.3), HSTS, Perfect Forward Secrecy bila didukung.
  • Kunci: dikelola terpusat, diputar berkala, tersimpan di brankas.

4) Kontrol Akses

  • Least privilege & need-to-know di seluruh sistem.
  • Akses data produksi: dibatasi pada personel yang ditunjuk; MFA diwajibkan; kepatuhan perangkat disyaratkan.
  • Autentikasi kuat, kontrol sesi, dan tinjauan akses berkala.

5) Pencatatan, Pemantauan & Deteksi

  • Log terpusat anti-modifikasi; server tersinkron waktu.
  • Pemantauan berkelanjutan atas anomali, brute force, dan pola eksfiltrasi data.
  • Peringatan dengan jadwal on-call dan runbook terdokumentasi.

6) Keamanan Jaringan & Infrastruktur

  • Segmentasi, kebijakan firewall, subnet privat, dan aturan security group yang ketat.
  • WAF dan pembatasan laju untuk mengurangi lalu lintas bot/serupa DDoS.
  • Patch OS berkala, image diperkeras, dan standar konfigurasi dasar.

7) Keamanan Aplikasi

  • SDLC aman dengan code review; pemindaian dependensi; SAST/DAST pada layanan kritikal.
  • Rahasia (secrets) tidak disimpan di kode; diputar dan dibatasi melalui brankas.
  • Validasi input, encoding output, dan query terparameter untuk mengurangi OWASP Top 10.

8) Manajemen Kerentanan & Patch

  • Pemindaian kerentanan rutin; perbaikan diprioritaskan berdasar keparahan (target SLA).
  • Jalur patch darurat untuk isu yang aktif dieksploitasi.

9) Pencegahan Kehilangan Data (DLP)

  • Pemantauan keluar untuk pola data terbatas dan volume transfer tak lazim.
  • Kontrol clipboard/unduhan pada konsol admin; watermark ekspor bila memungkinkan.

10) Cadangan & Pemulihan Bencana

  • Cadangan terenkripsi dengan prosedur pemulihan yang diuji.
  • Target RPO/RTO terdokumentasi; uji DR berkala.
  • Permintaan penghapusan juga dipropagasikan ke backup di akhir masa retensi backup jika layak secara teknis.

11) Respons Insiden

  • Rencana IR: deteksi → triase → isolasi → pemulihan → pembelajaran pasca-insiden.
  • Pemberitahuan: Pemberitahuan tertulis kepada subjek data dan otoritas yang berwenang **paling lambat 3×24 jam** sejak diketahui terjadi pelanggaran data pribadi, memuat (i) data yang terdampak, (ii) kapan/bagaimana terjadi, (iii) langkah penanganan & pemulihan, sesuai UU PDP.

12) Manajemen Risiko Pihak Ketiga

  • Penyedia layanan dinilai postur keamanannya dan terikat perjanjian pemrosesan data.
  • Data dibagi seminimal mungkin; tidak ada penjualan data pribadi.

13) Keamanan Pegawai & Operasional

  • Perjanjian kerahasiaan; pelatihan keamanan berkelanjutan sesuai peran.
  • Proses Joiner-Mover-Leaver dengan pencabutan akses cepat.

14) Hak Subjek Data & Retensi

  • Retensi: hingga 90 hari untuk konten percakapan & ringkasan kecuali diwajibkan lebih lama.
  • Penghapusan sesuai permintaan setelah verifikasi oleh pemilik Connector/perwakilan berwenang, termasuk artefak turunan yang dapat diidentifikasi secara wajar.

15) Transfer Lintas Batas

  • Mengingat hosting di Singapura, pemrosesan lintas batas mengikuti dasar transfer PDP yang berlaku (mis. persetujuan dan/atau perlindungan kontraktual setara).

16) Keamanan Fisik & Cloud

  • Pusat data tersertifikasi dengan keamanan 24/7, kontrol akses, dan pengamanan lingkungan.
  • Model tanggung jawab bersama: kami memanfaatkan program kepatuhan penyedia cloud dan menjaga kontrol kami.

17) Keberlangsungan Bisnis & Manajemen Risiko

  • Penilaian risiko mendorong kontrol; register risiko dipelihara & ditinjau berkala.
  • Rencana keberlangsungan memastikan layanan esensial pada kondisi buruk.

18) Kontak

Email: [email protected] · Telepon/WhatsApp: +628991900000

This bilingual statement reflects our integrity-driven commitment to security and confidentiality; in case of inconsistency, the Indonesian version prevails for Indonesian jurisdiction.

Protected and Accelerated with Enterprise-grade Security & Sophistication by Cloudflare · Diproteksi dan Dipercepat dengan Keamanan & Kecanggihan Tingkat Enterprise oleh Cloudflare