TRUST CENTER
Security & Compliance
An honest, plain-English account of the controls that protect your data. We tell you what we have, what we don't, and what we're working on.
What we have today (status: In place)
- Encryption in transit: TLS 1.3 on all connections to slipmatch.my.
- Encryption at rest: AES-256 on the Supabase Postgres database and file storage.
- Row-Level Security (RLS): Postgres policies gate every database row, so each user can read and write only their own data.
- Authentication: Supabase Auth with email/password and Google OAuth. Passwords are hashed with bcrypt. Sessions use short-lived JWTs.
- Audit trail: immutable, append-only log of matches, overrides, period closes, and data exports, retained for 7 years to meet Companies Act 2016 s.245 and Income Tax Act 1967 s.82.
- API protection: rate limiting on the OCR (20/min) and Drive (30/min) endpoints. Webhook signatures are verified with a SHA-512 check using a timing-safe comparison.
- File handling: uploads are capped at 10 MB and MIME-type validated. Temporary files are deleted automatically after 7 days by a scheduled cron job.
- Backups: Supabase automated daily backups with point-in-time recovery.
- Data residency: our database is hosted in AWS Tokyo (ap-northeast-1). Japan operates the APPI personal data regime and sits within jurisdictions recognised as offering adequate protection for PDPA-covered transfers. We are evaluating a Singapore region move for customers with contractual SG-residency requirements.
Privacy & PDPA (status: In place)
- Personal Data Protection Act 2010 (Malaysia): our collection, processing, and storage practices are aligned with PDPA principles. Privacy notice available in English (Bahasa Malaysia version in progress).
- Data subject rights: you can request export or deletion of your personal data by emailing support@slipmatch.my.
- Third parties: we use Supabase (database, auth, storage), OpenAI / Anthropic / Google (OCR), Vercel (hosting), PayEx (billing). Each is bound by standard data-processing terms. We do not sell your data.
- Cookies: essential cookies for authentication only. No third-party tracking or ad cookies.
- 2024 PDPA amendments: we are tracking the phased commencement of the mandatory Data Protection Officer and 72-hour breach notification rules and will comply on or before the effective dates.
Malaysian tax & e-Invoice (status: Supported)
- MyInvois (LHDN e-Invoice): SlipMatch parses the official LHDN UBL 2.1 JSON/XML format. We are not a PEPPOL-accredited service provider and do not issue invoices on your behalf; we read and reconcile them.
- SST: our matching engine accounts for Service Tax at both the 6% rate (in force before 1 March 2024, and still applicable to some service categories) and the 8% rate (current for most taxable services) when reconciling amounts.
What we do not have yet (status: Roadmap)
We believe in transparency. These are controls we do not hold today; we are pursuing them as the business scales:
- ISO 27001: not certified. Target: Q4 2026, contingent on revenue.
- SOC 2 Type II: not certified. Target: 2027 if we serve SOC-2-required enterprise buyers.
- Penetration test: first independent pen-test scheduled for Q3 2026; summary will be posted here.
- Bahasa Malaysia privacy notice: in translation.
What we are not (status: Clarification)
Some vendors display badges we do not think we have earned. To be clear:
- We are not approved, endorsed, or certified by Bank Negara Malaysia (BNM). BNM does not run a software approval programme for reconciliation tools.
- We are not on the LHDN list of accredited e-Invoice service providers (that list is for PEPPOL middleware; SlipMatch is a reconciliation tool that reads MyInvois files).
- We are not certified by the Malaysian Institute of Accountants (MIA). MIA accredits practitioners and CPE providers, not software.
- We do not hold ISO 27001, SOC 2, or equivalent independent security certification at this time.
Sub-processors
- Supabase Inc. — database, authentication, storage (AWS ap-northeast-1, Tokyo)
- Vercel Inc. — application hosting and edge delivery
- OpenAI / Anthropic / Google Cloud — OCR and document understanding
- PayEx — payment processing for Malaysian subscriptions
- Google LLC — Drive integration (user-authorised OAuth only)
- Meta Platforms (WhatsApp Business Cloud API) — inbound slip ingestion when a customer enables WhatsApp forwarding
- Xero Limited — accounting integration when a customer connects their Xero account
- Lembaga Hasil Dalam Negeri (LHDN) — MyInvois lookup when a customer configures e-Invoice integration
Incident response
If you suspect a security issue, email security@slipmatch.my. We commit to acknowledging reports within 24 hours and, if a breach is confirmed, to notifying affected customers within 72 hours, ahead of the 72-hour window introduced by the 2024 PDPA amendments.
Contact
General trust & compliance questions: support@slipmatch.my
Data subject access requests: privacy@slipmatch.my
Security disclosures: security@slipmatch.my
Last updated: 14 April 2026 · This page is updated whenever our controls change.