Compliance

MOVO-X Singapore is built from the ground up for Singapore's regulatory environment. Every data store, every API, and every access control maps to a specific regulatory obligation.

  • 3 days: Mandatory PDPC breach notification window
  • 7 years: Clinical audit log retention period
  • ap-southeast-1: Singapore-only data residency, no PHI cross-border
  • DPO on record: dpo.sg@movo-x.com · Registered with PDPC

Regulatory Frameworks

PDPA SG 2012

Personal Data Protection Act 2012

Compliant
  • Data Protection Officer (DPO) appointed and registered with PDPC
  • Consent management built into patient check-in and registration flows
  • Purpose limitation: health data used only for direct care and facility administration
  • Data portability: patients can request their records in HL7 FHIR R4 format
  • Mandatory breach notification to PDPC within 3 calendar days of discovery
  • Retention schedule: 7 years for clinical records, 3 years for administrative logs

HBRA

Health and Biomedical Research Act

Compliant
  • NEHR facility codes issued per HBRA registration requirements
  • Patient consent for NEHR data sharing captured at point of registration
  • Bi-directional NEHR API integration via MOH-approved channels
  • Discharge summaries, medication records, and allergy lists synced to NEHR
  • Access logs retained per HBRA audit requirements

MOH Cybersecurity Guidelines

MOH Health Sector Cybersecurity Framework

Compliant
  • Network segmentation: clinical systems isolated on dedicated VLANs
  • Multi-factor authentication enforced for all clinical staff accounts
  • Vulnerability scanning on a monthly cycle; penetration testing annually
  • Incident response plan tested biannually with tabletop exercises
  • Vendor risk assessments completed for all third-party integrations
  • Security awareness training mandatory for all staff with system access

MAS TRM

Monetary Authority of Singapore Technology Risk Management Guidelines

Compliant
  • Applicable to payment processing components (PayNow, NETS, card)
  • End-to-end encryption for all payment flows; PCI DSS scope minimised
  • Disaster recovery RTO < 4 hours; RPO < 1 hour for payment systems
  • Change management process aligned with MAS TRM Section 4
  • Third-party payment processor due diligence documented annually

NEHR Participation

National Electronic Health Record

Active Participant
  • Facility code provisioned under MOH HBRA framework
  • HL7 FHIR R4 APIs used for all NEHR interactions
  • Patient identity verified via NRIC / FIN before any NEHR query
  • Audit trail of all NEHR reads and writes retained for 7 years
  • Break-glass access protocol for emergency override with mandatory post-hoc review

ISO 27001

Information Security Management System

In Progress
  • Gap assessment completed Q1 2026
  • ISMS documentation drafted and under internal review
  • Stage 1 audit scheduled Q3 2026
  • Stage 2 certification audit targeted Q4 2026
  • Scope: Singapore data centre operations and Singapore-based development team

Data Residency & Security

  • Primary region: Singapore (ap-southeast-1)
  • Database: Supabase Singapore with PrivateLink isolation
  • Encryption at rest: AES-256 envelope encryption, KMS-managed keys
  • Encryption in transit: TLS 1.3 minimum
  • Backup region: Singapore only — no cross-border replication of PHI
  • Key management: Customer-managed keys available on Enterprise tier

Data Protection Enquiries

Patients and facility administrators can contact our Data Protection Officer for access requests, correction requests, or breach notifications.

Contact DPO — dpo.sg@movo-x.com