PDPA compliance guide - Bijak Cloud Docs
Map each PDPA 2010 principle to specific Bijak Cloud platform features and configuration steps.
Overview
This guide maps each of the seven PDPA 2010 principles to specific Bijak Cloud features. Use it as a reference when configuring your workspace, training your team, or preparing documentation for an auditor.
General Principle
PDPA requirement: Personal data must be processed lawfully and in a manner that respects privacy.
Bijak Cloud controls:
- Every workspace is configured with a documented legal basis (consent, contract, legitimate interest) recorded in the dashboard.
- Models cannot reconstruct or infer personal data outside their training scope; see the model cards in GET /v1/models.
- Cross-border calls are blocked by default; opt-in per workspace.
Notice and Choice Principle
PDPA requirement: Data subjects must be told what is collected, why, and what choices they have.
Bijak Cloud controls:
- The dashboard exposes a public notice template generator that lists every data source, every processor, and every retention window.
- Per-user opt-out flags propagate to inference endpoints, RAG queries, and audit logs.
- Privacy notices are versioned and changes produce audit log entries.
Disclosure Principle
PDPA requirement: Personal data must not be disclosed without consent or another lawful basis.
Bijak Cloud controls:
- A published sub-processor list is available at /legal/subprocessors, and updates produce customer notifications.
- Outbound network calls are logged and reviewable in the dashboard.
- Customer-managed encryption keys (CMEK) ensure Bijak Cloud operators cannot decrypt customer data even if compelled.
Security Principle
PDPA requirement: Personal data must be protected by reasonable security safeguards.
Bijak Cloud controls:
- Encryption at rest (AES-256) and in transit (TLS 1.3) is mandatory and non-configurable.
- HSM-backed key management (FIPS 140-2 Level 3) is the default.
- Audit logs are append-only, signed, and exportable to your SIEM.
- Annual third-party penetration tests and SOC 2 Type II audits; reports are available under NDA.
Retention Principle
PDPA requirement: Personal data must be deleted once the purpose is fulfilled.
Bijak Cloud controls:
- Per-corpus retention windows for RAG documents and embeddings.
- Per-workspace retention windows for inference logs.
- Configurable deletion triggers: time-based, purpose-completion, or DSAR-driven.
- Deletion produces an audit log entry with cryptographic proof.
Data Integrity Principle
PDPA requirement: Personal data must be accurate, complete, and not misleading.
Bijak Cloud controls:
- Training datasets are version-controlled with cryptographic hashes.
- Embeddings carry provenance metadata (source document ID, version, timestamp).
- Inference calls return the prompt hash and the model version so reproducibility is verifiable.
Access Principle
PDPA requirement: Data subjects must be able to access and correct their personal data.
Bijak Cloud controls:
- DSAR tooling finds every record of a data subject across inference logs, RAG corpora, and embeddings.
- Correction workflows support versioned updates: old data is preserved with an audit trail, and new data is used for inference.
- DSAR response time SLA: 14 days for standard requests, 7 days for expedited.
Audit posture
Bijak Cloud's audit posture under PDPA is summarised in three artifacts:
- Annual PDPA report: published by our compliance team with control mappings and exceptions.
- Continuous control monitoring: available in the dashboard, exportable to your GRC tool.
- Customer-issued auditor letters: request one in the dashboard; turnaround is 5 business days.
Next steps
- Read Concepts: Sovereignty for the architectural foundation.
- Review Architecture overview for the data-residency map.
- Contact us for a custom PDPA scoping session with our compliance team.