
Trust Center

Sovereign by construction

Every control that protects your data — and the data-residency guarantees behind those controls — is documented below. This document is the source of truth for Bijak Cloud's security posture.

Compliance — Aligned with:

  • PDPA 2010
  • ISO 27001
  • SOC 2 Type II
  • POCA-aligned

Data Residency

Every byte that enters Bijak Cloud — prompts, embeddings, model weights, audit logs, telemetry, backups — stays inside Malaysian data centres. The platform runs in Cyberjaya and Iskandar Puteri, both operated under Malaysian jurisdiction.

There is no public-internet failover path, no out-of-region replication, and no exception path. Contractual terms reinforce this: data residency is a platform property, not a configuration option.

Encryption

Data is encrypted at rest using AES-256 with sovereign-managed keys, and in transit using TLS 1.3 with modern cipher suites only. Cross-region replication inside Malaysia preserves the same encryption envelope.

  • AES-256-GCM at rest
  • TLS 1.3 in transit (no legacy fallbacks)
  • Per-tenant key isolation
  • HSM-backed key custody available on Sovereign tier

Key Management

The Sovereign tier ships with customer-managed keys held in dedicated hardware security modules. Key rotation, revocation, and destruction are auditable events surfaced through the audit log.

Identity

Single sign-on via SAML 2.0 and OIDC, with SCIM 2.0 for user provisioning. Bring your own IdP — Okta, Azure AD, Google Workspace — or use Bijak Cloud native identities with hardware-key MFA enforcement.

Audit Logs

Every platform action — compute provisioning, storage access, inference invocation, key operation — produces an immutable audit record. Records are retained for seven years and exportable on request for compliance review.

Compliance

Bijak Cloud is aligned with PDPA 2010, POCA, ISO 27001, and SOC 2 Type II. Annual third-party audits produce public-facing reports available under NDA on request.

Pen Testing

Independent third-party penetration tests run at least annually. Critical findings are remediated within SLA-bound windows; summaries of the latest test are available on request.

Vulnerability Disclosure

A coordinated vulnerability disclosure programme accepts reports at security@bijakcloud.example. Researchers can expect an acknowledgement within 24 hours and a remediation timeline within five business days.

Subprocessor List

We maintain a current list of subprocessors with the data category, location, and purpose for each. Material changes trigger a 30-day customer notice.

  • Compute hardware: Malaysia (Cyberjaya, Iskandar Puteri)
  • Network transit: Malaysian tier-1 carriers
  • Identity broker: customer-supplied IdP or sovereign-managed
  • Payment processing: PCI-DSS Level 1 processor (no card data on platform)

Talk to compliance

Need the latest audit reports, a subprocessor list, or a custom data processing agreement? Our compliance team will respond within one business day.
