PDPA SG · MAS TRM · HCSA 2020 · ap-southeast-1

Trust Centre

MOVO-X Singapore's trust commitments: compliance, data residency, subprocessors, and patient data rights.

100% SG
Data residency
< 3 days
PDPC breach notification
5 years
Audit log retention
DPO Registered
PDPC Singapore

Compliance Matrix

PDPA SG 2012 (PDPC)
DPO registered, consent management, breach notification < 3 days
Compliant
MAS TRM Guidelines
Audit logs, access controls, incident management for payment components
Compliant
HCSA 2020
Healthcare Services Act 2020 — MOVO-X supports HCSA-licensed institutions' data governance obligations
Compliant
ISO 27001
Stage 1 audit scheduled Q3 2026, Stage 2 Q4 2026
In Progress
📋
SOC 2 Type II
Target Q2 2027
Roadmap

Subprocessors

Supabase
Database & Auth · AWS ap-southeast-1 (Singapore)
Security docs →
Vercel
Edge / CDN · Singapore edge (sin1)
Security docs →
Anthropic
AI Triage (Claude) · Zero data retention policy
Security docs →
WhatsApp Business (Meta)
Patient Notifications · Singapore-compliant PDPA data handling

Patient Data Rights (PDPA SG 2012)

Right of Access
Patients and facility administrators may request a copy of personal data held by MOVO-X within 30 days of request.
Right of Correction
Inaccurate or incomplete personal data will be corrected within 10 business days of a verified request.
Withdrawal of Consent
Patients may withdraw consent for non-essential data processing at any time via the kiosk or by contacting dpo.sg@movo-x.com.
Data Portability
Personal data exportable in machine-readable format (CSV / HL7 FHIR R4) on request.
Breach Notification
Patients affected by a notifiable data breach will be notified within 72 hours of PDPC notification, or sooner if practicable.

Data Protection Officer

For access requests, correction requests, consent withdrawal, or data breach notifications, contact our Singapore-registered DPO.

dpo.sg@movo-x.com