iWoWSoft PDPA Compliance Statement

Version: 3.3  Effective Date: November 2025
Applies To: iWoWSoft HRMS — SaaS, IaaS and On-Premises Deployments


1. Introduction

iWoWSoft Sdn. Bhd. (“iWoWSoft”, “we”, “our”, or “us”) is committed to protecting the privacy and security of all personal data processed through our Human Resource Management System (HRMS).
This statement describes how iWoWSoft complies with the Malaysian Personal Data Protection Act 2010 (PDPA) across all service models — Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and on-premises installations.


2. Scope

This statement applies to all personal data collected, processed, transmitted, or stored through iWoWSoft HRMS solutions, regardless of deployment type or client location.


3. Roles and Responsibilities

| Deployment Model | Data Controller | Data Processor | Infrastructure Ownership |
|---|---|---|---|
| SaaS (Cloud HRMS) | Client | iWoWSoft | iWoWSoft-managed Tier-3-equivalent facility |
| IaaS (Private Cloud in iWoWSoft Data Centre) | Client | iWoWSoft (infrastructure) / Client (application) | iWoWSoft-owned infrastructure |
| On-Premises Deployment | Client | Client | Client-owned infrastructure |

  • Under SaaS, iWoWSoft acts as Data Processor.
  • Under IaaS, iWoWSoft secures the infrastructure while the client manages its application layer.
  • Under On-Premises, clients operate their own environment and remain responsible for PDPA compliance, except where iWoWSoft provides remote support under written agreement.

4. Employee Data as Personal Data

Employee information — including identifiers, employment records, and payroll details — constitutes personal data under the PDPA because it relates directly to an identifiable individual.
Accordingly, all employee records processed through the HRMS are protected as personal data, and iWoWSoft applies the same PDPA principles to such data as to any other personal information.


Personal data is processed lawfully and only for legitimate business purposes such as HR administration, payroll, leave management, statutory reporting, authentication, and system maintenance.


6. Data Hosting and Security Controls

  • Hosting Environment: All production data resides in secure, professionally managed Tier-3-equivalent facilities located in Malaysia.
  • Encryption: TLS 1.2 or higher for data in transit and AES-256 (or equivalent) for data at rest.
  • Access Control: Role-based access, multi-factor authentication, and least-privilege principles.
  • Monitoring & Logging: Continuous security monitoring and event logging.
  • Backups & Business Continuity: Encrypted backups are maintained for disaster recovery readiness.
  • Physical Security: Controlled facility access, CCTV, and redundant power and network systems.
  • On-Premises Clients: Clients must implement equivalent controls within their own infrastructure.

7. Data Retention and Disposal

  • SaaS / IaaS: Data is retained for the duration of service or as required by law and securely deleted or returned upon termination.
  • On-Premises: Clients control retention and destruction; iWoWSoft may provide guidance or secure-wipe utilities on request.

8. Data Integrity and Accuracy

Clients can view and update employee records within the HRMS to ensure data remains accurate and up to date, satisfying PDPA’s Data Integrity Principle.


9. Cross-Border Data Transfer

Core processing occurs within Malaysia. Where encrypted traffic or backups traverse global infrastructure, PDPA Section 129(3) safeguards apply — end-to-end encryption, limited purpose, and equivalent protection by all providers.


10. Infrastructure and Vendor Management

iWoWSoft may change or upgrade its data-centre or technology providers to enhance performance and security. Any change will maintain equal or higher levels of PDPA compliance. Clients will be notified of material changes that affect data residency or protection.


11. Data Subject Rights

iWoWSoft supports clients in fulfilling PDPA rights — access, correction, and withdrawal of consent — via the HRMS interface or formal support requests through authorised administrators.


12. Third-Party Service Providers

Third-party service providers engaged by iWoWSoft are contractually required to implement confidentiality, security, and PDPA-equivalent controls. Vendors may change from time to time; equivalent or stronger safeguards will always apply.


12A. Confidentiality and Non-Disclosure Obligations

All iWoWSoft employees, contractors, and authorised service providers are bound by confidentiality and non-disclosure agreements (NDAs) that prohibit unauthorised access, use, or disclosure of client information.
These obligations apply to all forms of data handled through our platform, including employee and corporate records, and remain in effect during and after the engagement period.


13. Governance, Training and Review

  • Annual policy reviews, access audits, and staff training on PDPA and cybersecurity.
  • Ongoing risk assessments aligned to PDPA’s seven principles: General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, and Access.

14. Client Responsibilities (On-Prem & IaaS)

Clients operating their own or dedicated infrastructure must:

  1. Maintain physical and logical security controls consistent with PDPA.
  2. Implement user-access management, patching, and backup policies.
  3. Notify iWoWSoft promptly of any incident requiring support.
  4. Ensure employees are informed about how their personal data is processed.

iWoWSoft provides guidance and support but does not control client-managed systems.


14A. Statutory Data Retention Requirements

Clients are responsible for retaining employee and payroll data in accordance with applicable statutory requirements.
Examples include payroll, tax, and contribution records that must generally be kept for a minimum of seven (7) years under Malaysian employment and taxation laws.
iWoWSoft provides secure retention, backup, and deletion features within the HRMS to support compliance with these obligations; however, clients determine their own record-keeping periods.
Upon expiry of the statutory or contractual period, clients should securely delete or archive data in accordance with PDPA’s Retention Principle.


15. Contact Information

Data Protection Officer (DPO)
📧 dpo@iwowsoft.com.my
🌐 https://www.iwowsoft.com/contact-us

Our official contact page is kept up to date to ensure accuracy even if office locations change.


16. Disclaimer

This statement reflects iWoWSoft’s data-protection practices as of the effective date. Our infrastructure and processes may evolve, but we will continue to uphold PDPA and equivalent international standards. This document is for informational purposes and does not constitute a binding contract or warranty.


17. Version Control

 

| Version | Date | Summary of Updates |
|---|---|---|
| 3.3 | Nov 2025 | Added statutory data-retention requirements; finalized for SaaS, IaaS & On-Prem deployments with NDA and employee-data clarification |