Try for free
Home/Security & Data Protection

Security & Data Protection · Keamanan & Perlindungan Data (Bilingual)

Applies to / Berlaku untuk: Sumrize (SaaS, AI-powered WhatsApp summarization, image generation, AI assistant)
Effective / Berlaku: 9 August 2025
Jurisdiction / Yurisdiksi: Indonesia (UU PDP)
Hosting: Singapore Region
Integrity Commitment / Komitmen Integritas: We operate with uncompromising integrity to safeguard confidentiality, integrity, and availability of user data. / Kami beroperasi dengan integritas tanpa kompromi untuk menjaga kerahasiaan, integritas, dan ketersediaan data pengguna.
English
Indonesian

1) Governance & Principles

  • Security by Design and Privacy by Design across the product lifecycle.
  • CIA Triad: confidentiality, integrity, availability as core objectives.
  • Compliance: Indonesian PDP Law; alignment with international best practices.

2) Data Classification & Handling

  • Classes: Public · Internal · Confidential · Restricted (e.g., chat content, summaries, identifiers).
  • Restricted data encrypted; access tightly controlled and audited.

3) Encryption & Key Management

  • At rest: industry-standard AES-256.
  • In transit: TLS 1.2+ (prefer TLS 1.3), HSTS, Perfect Forward Secrecy where supported.
  • Keys: centrally managed, periodically rotated, stored in a secure vault.

4) Access Control

  • Least privilege & need-to-know across all systems.
  • Production data access: limited to designated personnel; MFA enforced; device compliance required.
  • Strong authentication, session controls, and periodic access reviews.

5) Logging, Monitoring & Detection

  • Centralized, tamper-evident logging with time-synced servers.
  • Continuous monitoring for anomalies, brute force, and exfiltration patterns.
  • Alerting with on-call rotations and documented runbooks.

6) Network & Infrastructure Security

  • Segmentation, firewall policies, private subnets, and strict security groups.
  • WAF and abuse rate-limiting to mitigate bot/DDoS-like traffic.
  • Regular OS patching, hardened images, and baseline configuration standards.

7) Application Security

  • Secure SDLC with code reviews; dependency scanning; SAST/DAST on critical services.
  • Secrets kept out of code; rotated and scoped via vault.
  • Input validation, output encoding, and parameterized queries to mitigate OWASP Top 10.

8) Vulnerability & Patch Management

  • Routine vulnerability scans; remediation prioritized by severity (SLA targets).
  • Emergency patch path for actively exploited issues.

9) Data Loss Prevention (DLP)

  • Outbound monitoring for restricted data patterns and unusual transfer volumes.
  • Clipboard/download controls for admin consoles; watermarking for exports where feasible.

10) Backup & Disaster Recovery

  • Encrypted backups with tested restores.
  • Documented RPO/RTO for critical data; periodic DR drills.
  • Deletion requests also propagate to backups at the end of the backup retention window where technically feasible.

11) Incident Response

  • Defined IR plan: detect → triage → contain → eradicate → recover → post-mortem.
  • Notification: Written notice to affected data subjects and the competent authority **no later than 3×24 hours** after becoming aware of a personal-data breach, including (i) data involved, (ii) when/how it occurred, (iii) mitigation & recovery actions, per Indonesian PDP Law.

12) Third-Party Risk Management

  • Service providers assessed for security posture and bound by data-processing terms.
  • Data shared on a minimum-necessary basis; no sale of personal data.

13) Employee & Operational Security

  • Confidentiality agreements; ongoing security and role-based training.
  • Joiner-Mover-Leaver with prompt access revocation.

14) Data Subject Requests & Retention

  • Retention: up to 90 days for conversation content and summaries unless law requires longer.
  • Verified deletion on request by the group/Connector owner or authorized representative, including reasonable deletion of derived/identifiable artifacts.

15) Cross-Border Transfers

  • Given Singapore hosting, cross-border processing follows applicable PDP transfer bases (e.g., consent and/or contractual safeguards ensuring equivalent protection).

16) Physical & Cloud Security

  • Hosted in certified data centers with 24/7 security, access controls, and environmental safeguards.
  • Shared-responsibility model: we leverage the cloud provider’s compliance programs while maintaining our controls.

17) Business Continuity & Risk Management

  • Risk assessments drive controls; risk registers maintained and periodically reviewed.
  • Continuity plans ensure essential services under adverse conditions.

18) Contact

Email: [email protected] · Phone/WhatsApp: +628991900000

1) Tata Kelola & Prinsip

  • Security by Design dan Privacy by Design di seluruh siklus produk.
  • Triad CIA: kerahasiaan, integritas, ketersediaan sebagai sasaran inti.
  • Kepatuhan: UU PDP Indonesia; selaras praktik terbaik internasional.

2) Klasifikasi & Penanganan Data

  • Kelas: Publik · Internal · Rahasia · Terbatas (mis. konten chat, ringkasan, pengenal).
  • Data Terbatas dienkripsi; akses dikendalikan ketat dan diaudit.

3) Enkripsi & Manajemen Kunci

  • Saat tersimpan: AES-256 standar industri.
  • Saat transmisi: TLS 1.2+ (prioritas TLS 1.3), HSTS, Perfect Forward Secrecy bila didukung.
  • Kunci: dikelola terpusat, diputar berkala, tersimpan di brankas.

4) Kontrol Akses

  • Least privilege & need-to-know di seluruh sistem.
  • Akses data produksi: dibatasi pada personel yang ditunjuk; MFA diwajibkan; kepatuhan perangkat disyaratkan.
  • Autentikasi kuat, kontrol sesi, dan tinjauan akses berkala.

5) Pencatatan, Pemantauan & Deteksi

  • Log terpusat anti-modifikasi; server tersinkron waktu.
  • Pemantauan berkelanjutan atas anomali, brute force, dan pola eksfiltrasi data.
  • Peringatan dengan jadwal on-call dan runbook terdokumentasi.

6) Keamanan Jaringan & Infrastruktur

  • Segmentasi, kebijakan firewall, subnet privat, dan aturan security group yang ketat.
  • WAF dan pembatasan laju untuk mengurangi lalu lintas bot/serupa DDoS.
  • Patch OS berkala, image diperkeras, dan standar konfigurasi dasar.

7) Keamanan Aplikasi

  • SDLC aman dengan code review; pemindaian dependensi; SAST/DAST pada layanan kritikal.
  • Rahasia (secrets) tidak disimpan di kode; diputar dan dibatasi melalui brankas.
  • Validasi input, encoding output, dan query terparameter untuk mengurangi OWASP Top 10.

8) Manajemen Kerentanan & Patch

  • Pemindaian kerentanan rutin; perbaikan diprioritaskan berdasar keparahan (target SLA).
  • Jalur patch darurat untuk isu yang aktif dieksploitasi.

9) Pencegahan Kehilangan Data (DLP)

  • Pemantauan keluar untuk pola data terbatas dan volume transfer tak lazim.
  • Kontrol clipboard/unduhan pada konsol admin; watermark ekspor bila memungkinkan.

10) Cadangan & Pemulihan Bencana

  • Cadangan terenkripsi dengan prosedur pemulihan yang diuji.
  • Target RPO/RTO terdokumentasi; uji DR berkala.
  • Permintaan penghapusan juga dipropagasikan ke backup di akhir masa retensi backup jika layak secara teknis.

11) Respons Insiden

  • Rencana IR: deteksi → triase → isolasi → pemulihan → pembelajaran pasca-insiden.
  • Pemberitahuan: Pemberitahuan tertulis kepada subjek data dan otoritas yang berwenang **paling lambat 3×24 jam** sejak diketahui terjadi pelanggaran data pribadi, memuat (i) data yang terdampak, (ii) kapan/bagaimana terjadi, (iii) langkah penanganan & pemulihan, sesuai UU PDP.

12) Manajemen Risiko Pihak Ketiga

  • Penyedia layanan dinilai postur keamanannya dan terikat perjanjian pemrosesan data.
  • Data dibagi seminimal mungkin; tidak ada penjualan data pribadi.

13) Keamanan Pegawai & Operasional

  • Perjanjian kerahasiaan; pelatihan keamanan berkelanjutan sesuai peran.
  • Proses Joiner-Mover-Leaver dengan pencabutan akses cepat.

14) Hak Subjek Data & Retensi

  • Retensi: hingga 90 hari untuk konten percakapan & ringkasan kecuali diwajibkan lebih lama.
  • Penghapusan sesuai permintaan setelah verifikasi oleh pemilik Connector/perwakilan berwenang, termasuk artefak turunan yang dapat diidentifikasi secara wajar.

15) Transfer Lintas Batas

  • Mengingat hosting di Singapura, pemrosesan lintas batas mengikuti dasar transfer PDP yang berlaku (mis. persetujuan dan/atau perlindungan kontraktual setara).

16) Keamanan Fisik & Cloud

  • Pusat data tersertifikasi dengan keamanan 24/7, kontrol akses, dan pengamanan lingkungan.
  • Model tanggung jawab bersama: kami memanfaatkan program kepatuhan penyedia cloud dan menjaga kontrol kami.

17) Keberlangsungan Bisnis & Manajemen Risiko

  • Penilaian risiko mendorong kontrol; register risiko dipelihara & ditinjau berkala.
  • Rencana keberlangsungan memastikan layanan esensial pada kondisi buruk.

18) Kontak

Email: [email protected] · Telepon/WhatsApp: +628991900000

This bilingual statement reflects our integrity-driven commitment to security and confidentiality; in case of inconsistency, the Indonesian version prevails for Indonesian jurisdiction.

Protected and Accelerated with Enterprise-grade Security & Sophistication by Cloudflare · Diproteksi dan Dipercepat dengan Keamanan & Kecanggihan Tingkat Enterprise oleh Cloudflare

Stop missing what matters in your work conversations.

Sumrize turns connected group conversations into automatic summaries, clear decisions, and instant answers, delivered to WhatsApp or your dashboard.

Start for Free