
Data Processing Agreement

How BukuCloud Sdn Bhd processes your customers' personal data on your behalf when you use BukuCloud — your obligations as the data controller, our obligations as the data processor, and the specific safeguards we apply under Malaysia's Personal Data Protection Act 2010 (PDPA).

Last updated 9 June 2026 | Version 1.0

Plain-English summary

  • When you store your customers' details inside BukuCloud, you are the data controller (you decide what data goes in, why, and for how long) and BukuCloud is the data processor (we host it, keep it secure, and only do what your contract with us asks us to do).
  • We follow your instructions, encrypt the data, run a per-tenant database, log access, and notify you within 72 hours of any breach affecting your tenant.
  • We use the sub-processors listed in section 6. New sub-processors are notified at least 30 days before they go live so you can object.
  • On termination, we keep your data read-only for 30 days, then follow the deletion rules in section 11.
  • This DPA is part of the Terms of Service and applies automatically to every paying customer. Enterprise customers can request a counter-signed version.

1

Parties & roles

This Data Processing Agreement (“DPA”) is between:

  • BukuCloud Sdn Bhd (202401234567 (1234567-X)) (“BukuCloud”, the “Processor”); and
  • The customer who has signed up for or subscribed to a BukuCloud plan (“Customer”, the “Controller”).

For the purposes of PDPA 2010, you are the “data user” (controller) and we are the “data processor”. Capitalised terms not defined here have the meaning given in PDPA 2010.

2

Scope of processing

Subject matter: Provision of the BukuCloud cloud-accounting platform to the Controller.
Duration: For the term of the Customer's subscription, plus any post-termination read-only window per section 11.
Nature & purpose: Storing, organising, transmitting and reporting on accounting data the Controller enters or uploads.
Categories of data subjects: Customer's staff and end-users (Controller's own users); Customer's customers, suppliers and contacts (third parties recorded by the Controller).
Categories of personal data: Names, emails, phone numbers, addresses, TIN, SST registration numbers, banking details, transaction history, uploaded receipts and supporting documents.
Special-category data: None — BukuCloud is not designed for health, biometric, or criminal-record data.

3

Customer instructions

We process Customer Personal Data only on the documented instructions of the Customer, including (a) as set out in the Terms of Service and this DPA, (b) as configured in your tenant settings, and (c) as required by law. If we're required by law to process data outside your instructions, we will notify you unless that law prohibits notification.

4

Confidentiality

All BukuCloud personnel with access to Customer Personal Data are bound by confidentiality obligations that survive employment or engagement. Access is granted on a least-privilege, need-to-know basis and is logged.

5

Security measures

We implement appropriate technical and organisational measures to protect Customer Personal Data, including:

  • Per-tenant database isolation — each Customer gets its own MySQL database (Stancl Tenancy).
  • Encryption — TLS 1.2+ in transit, AES-256 at rest.
  • Authentication — bcrypt password hashing, optional TOTP two-factor on every plan, tenant-admin toggle to require 2FA for all staff.
  • Access control — role-based permissions (Spatie), per-tenant audit log of every administrative action.
  • File storage — uploaded receipts on private S3 with tenant-prefixed paths and short-lived signed URLs; EXIF/GPS metadata stripped on upload.
  • Logging hygiene — sensitive fields (passwords, API keys, payment data) are redacted from application logs by a Monolog scrubber.
  • Backups — daily encrypted snapshots retained for 30 days.
  • Vulnerability management — dependency updates, code review, and a published responsible-disclosure channel.

6

Sub-processors

The Customer authorises BukuCloud to engage the sub-processors listed below. We will give the Customer at least 30 days' notice before adding or replacing a sub-processor (notice is published on this page and emailed to the account's billing contact). The Customer can object in writing within the notice period; if we cannot accommodate the objection, the Customer may terminate the affected subscription with a pro-rata refund.

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Application hosting, encrypted storage and backups | Asia Pacific (Singapore)
ToyyibPay | Subscription billing — FPX, credit card, e-wallets | Malaysia
Google (Gemini) | Optional OCR for receipt capture — only when tenant explicitly enables Gemini in settings; default is on-device Tesseract | Asia Pacific
Postmark | Transactional email (invoice delivery, password resets) | United States
LHDN MyInvois | e-Invoice submission — only for tenants with MyInvois enabled (Corporate / Enterprise, when feature ships) | Malaysia

7

Data-subject rights

Customers can fulfil most data-subject requests directly inside BukuCloud (export from Settings → Data export, correction by editing customer / supplier records, erasure via Settings → Delete account for the tenant or per-record where supported).

If a data subject contacts us directly with a request that relates to the Customer's tenant, we will (a) notify the Customer without undue delay, and (b) not respond on the Customer's behalf unless the Customer instructs us to. Where reasonably possible, we provide tools or assistance for the Customer to respond within statutory timeframes.

8

Breach notification

If we become aware of a personal data breach that affects the Customer's tenant, we will notify the Customer without undue delay and within 72 hours of becoming aware. The notification will include (where known): the nature of the breach, the categories and approximate volumes of data and data subjects affected, the likely consequences, and the measures taken or proposed to address it.

We will cooperate with the Customer's reasonable requirements to investigate and remediate, including providing audit logs and access histories.

9

Audit rights

On reasonable written notice (and not more than once per calendar year, unless following a breach), the Customer may request a written summary of our most recent security review, penetration-test results, and the controls described in section 5. For Enterprise customers, we will accommodate a scoped on-site or remote audit subject to confidentiality and reasonable cost-recovery for engineering time.

10

International transfers

Some sub-processors are based outside Malaysia (see section 6). Where personal data is transferred to a country whose laws do not provide protection comparable to PDPA, we rely on the Section 129(2) PDPA exemptions and apply equivalent contractual safeguards.

11

Return / deletion

On termination of the Customer's subscription:

  • The tenant is moved to a read-only state for 30 days so the Customer can export their data via Settings → Data export.
  • After the read-only window, the Customer can request a hard delete (right to erasure). We then drop the tenant database, delete the tenant's S3 prefix, and redact PII in any residual audit-log rows.
  • Financial records are retained for 7 years to satisfy the Income Tax Act 1967, with personally-identifying fields redacted on erasure (per PDPA / tax-law balance).

12

Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits any liability that cannot lawfully be limited.

13

Term & termination

This DPA takes effect on the Customer's first paid subscription and remains in force for as long as we process Customer Personal Data. The deletion rules in section 11 and the audit / liability obligations survive termination.

14

Contact

For DPA-related queries, including a counter-signed copy or a change of controller, contact our DPO at dpo@bukucloud.com.
