General Data Protection Regulation. Full compliance for all EU data subjects including rights of access, erasure, portability, and consent withdrawal.
Personal Data Protection Act 2010. Consent-first biometric enrollment, data minimisation, and subject access request handling.
Personal Data Protection Act 2012 (amended 2021). Mandatory breach notification, data portability obligation, and enhanced consent framework for biometric data.
Data Privacy Act of 2012 (Republic Act 10173). NPC-registered data processing with explicit consent for sensitive personal information including biometrics.
Personal Data Protection Act B.E. 2562 (2019). Explicit consent for biometric data as a sensitive data category, data subject rights, and cross-border transfer controls.
Personal Data Protection Decree 13/2023/ND-CP. Biometric data classified as sensitive, mandatory impact assessments, and prior consent for collection and processing.
Personal Data Protection Law No. 27/2022. Explicit consent for biometric and sensitive data, mandatory DPO appointment, and two-year compliance transition period.
Personal Data Protection Order 2021. Consent-based processing, data subject access and correction rights, and cross-border transfer obligations.
Operating under applicable ASEAN data governance frameworks and Cambodia's e-Commerce Law pending a dedicated personal data protection law. Consent-first practices applied.
Operating under Laos' Electronic Data Protection provisions and ASEAN regional frameworks pending comprehensive data protection legislation. Consent-first practices applied.
All transactions and biometric templates are encrypted in transit (TLS 1.3) and at rest (AES-256). Raw facial images are never stored.
Compliant with Visa, Mastercard, and PayNet security standards. Tokenized payment credentials — no raw card data stored.
Multi-tenant cloud infrastructure with regional data residency options. 99.9% uptime SLA. Auto-scaling, DDoS protection, and WAF.
Immutable audit logs for all transactions, biometric events, and admin actions. Tamper-evident logging for compliance and forensics.
Presentation Attack Detection certified to ISO/IEC 30107-3. Active liveness check prevents photo, video, and mask spoofing. All biometric enrollment and authentication are compliant with this standard.
Infrastructure and operations aligned to SOC 2 Trust Service Criteria covering Security, Availability, and Confidentiality. Regular penetration testing, role-based access controls, and documented incident response procedures.
Discovered a security vulnerability? We take all reports seriously and aim to respond within 24 hours.