Legal templates, written plainly.
Everything we're obliged to publish under Malaysia's Personal Data Protection Act 2010 (PDPA), and a few things we're not obliged to publish but think you deserve to read in plain English. Each document has a one-paragraph summary at the top.
Privacy Policy
What personal data we collect, how we use it, and your rights under Malaysia's Personal Data Protection Act 2010 (PDPA) and its 2024 amendments.
Terms of Service
The agreement between you and BukuCloud when you sign up, subscribe to a plan, or use the platform — what we do, what you do, and what happens if either side stops.
Data Processing Agreement
For SMEs and accounting firms — how we process your customers' personal data on your behalf as a data processor under PDPA.
Cookie Policy
Which cookies and similar technologies BukuCloud uses, why we use them, and how to manage them in your browser.
The PDPA controls behind these documents.
Our policies aren't marketing copy — every claim is wired into the product. Each item below is shipped, in code, today.
Per-tenant database
Each company gets its own MySQL database (Stancl Tenancy). Cross-tenant leaks are physically impossible.
Encryption at rest
AES-256 on every tenant DB, TLS 1.2+ in transit. Daily encrypted backups, retained for 30 days.
Right of access
Settings → Data export gives you a full archive (24-hour rate limit, audit-logged).
Right to erasure
Settings → Delete account triggers a 30-day cooling-off period, then a hard delete with PII redacted.
Two-factor auth
TOTP with recovery codes on every plan. Tenant admins can require 2FA for all staff.
Audit log
Per-tenant audit log of every action. Sensitive reads (admin views, exports) are double-logged.
Receipt safety
Private S3 with tenant-prefixed paths, short-lived signed URLs, EXIF/GPS stripped on upload.
Log scrubbing
Passwords, API keys, payment data redacted from application logs by a Monolog scrubber.
Breach response
Documented runbook, 72-hour PDPC notification, customer notification template (EN + BM).
Counter-signed DPAs and procurement questionnaires welcome.
Most customers are covered by these click-through documents. For Enterprise procurement (signed DPA, security questionnaire, SOC summary, source-code escrow on Enterprise contracts) reach out to legal@bukucloud.com.