PDPA SG · MAS TRM · HCSA 2020 · NEHR · MOH

Compliance

MOVO-X Singapore is built ground-up for Singapore's regulatory environment. Every data store, API, and access control maps to a specific regulatory obligation.

3 days

PDPC breach notification window

7 years

Clinical audit log retention

ap-southeast-1

Singapore-only data residency, no PHI cross-border

DPO on record

dpo.sg@movo-x.com · Registered with PDPC

Regulatory Frameworks

PDPA SG 2012

Personal Data Protection Act 2012 (PDPC Singapore)

Compliant
  • Data Protection Officer (DPO) appointed and registered with PDPC
  • Consent management built into patient check-in and registration flows
  • Purpose limitation: health data used only for direct care and facility administration
  • Data portability: patients can request records in HL7 FHIR R4 format
  • Mandatory breach notification to PDPC within 3 calendar days of discovery
  • Retention schedule: 7 years clinical records, 3 years administrative logs

HCSA 2020

Healthcare Services Act 2020 (HCSA)

Compliant
  • The Healthcare Services Act 2020 (HCSA) governs all licensed healthcare institutions in Singapore — public and private hospitals, specialist outpatient clinics, primary care clinics, and community hospitals. MOVO-X operates as a technology vendor to HCSA-licensed institutions and supports their data governance obligations under the Act.
  • Patient consent for NEHR data sharing captured at point of registration
  • NEHR data governance aligned with MOH Electronic Health Records Act 2011
  • Discharge summaries, medication records, and allergy lists formatted for NEHR submission via MOH-approved channels
  • Access logs retained per MOH audit requirements for licensed institution deployments

MAS TRM

Monetary Authority of Singapore Technology Risk Management Guidelines

Compliant
  • Applicable to payment processing components (PayNow, NETS, card)
  • End-to-end encryption for all payment flows; PCI DSS scope minimised
  • Disaster recovery RTO < 4 hours; RPO < 1 hour for payment systems
  • Change management process aligned with MAS TRM Section 4
  • Third-party payment processor due diligence documented annually
  • Audit logs: 5-year retention per MAS TRM + PDPA requirements

MOH Cybersecurity Guidelines

MOH Health Sector Cybersecurity Framework

Compliant
  • Network segmentation: clinical systems isolated on dedicated VLANs
  • Multi-factor authentication enforced for all clinical staff accounts
  • Vulnerability scanning on monthly cycle; penetration testing annually
  • Incident response plan tested biannually with tabletop exercises
  • Vendor risk assessments completed for all third-party integrations
  • Pre-commit secret blocker + OWASP ZAP CI scanning in pipeline

NEHR Act

National Electronic Health Records — MOH Electronic Health Records Act 2011

Active Participant
  • Aligned with MOH Electronic Health Records Act 2011
  • NEHR read-only access, patient consent required per MOH NEHR policy
  • HL7 FHIR R4 APIs used for all NEHR interactions
  • Patient identity verified via NRIC / FIN before any NEHR query
  • Audit trail of all NEHR reads retained for 7 years
  • Break-glass access protocol for emergency override with mandatory post-hoc review

ISO 27001

Information Security Management System

In Progress
  • Gap assessment completed Q1 2026
  • ISMS documentation drafted and under internal review
  • Stage 1 audit scheduled Q3 2026
  • Stage 2 certification audit targeted Q4 2026
  • Scope: Singapore data centre operations and Singapore-based development team

Data Residency & Security

Primary regionSingapore (ap-southeast-1)
DatabaseSupabase Singapore with PrivateLink isolation
Edge / CDNVercel Singapore (sin1)
Encryption at restAES-256 envelope encryption, KMS-managed keys
Encryption in transitTLS 1.3 minimum
Backup regionSingapore only — no cross-border replication of PHI
Key managementCustomer-managed keys available on Enterprise tier

Compliance FAQ

Is MOVO-X PDPA SG compliant?+

Yes. MOVO-X Singapore is fully compliant with PDPA Singapore 2012. We have a registered DPO with PDPC, consent management built into every patient check-in flow, and mandatory breach notification capability within 3 calendar days.

Is NEHR integration available?+

Yes. NEHR integration is available on the Enterprise tier. All NEHR access is read-only, requires patient consent per MOH NEHR policy, and is logged in a 7-year audit trail.

Does MOVO-X comply with MAS TRM?+

Yes. MAS TRM guidelines apply to our payment-bearing components (PayNow, NETS, card). We maintain audit logs, access controls, and disaster recovery per MAS TRM requirements.

Data Protection Enquiries

Contact our Data Protection Officer for access requests, correction requests, or breach notifications.