This Subprocessor Security Addendum ("Addendum") supplements the Figurine Empire Privacy Policy and establishes the security obligations, liability framework, and data protection standards applicable to all third-party subprocessors engaged by FIGURINE EMPIRE (Sole Proprietorship, SSM 202603090859 / JM1042627-W) ("Data Controller") for the processing of personal data under the Personal Data Protection Act 2010 (PDPA) of Malaysia.
This revision (v2.0) reflects the operational transition from HitPay to SenangPay as the primary payment gateway, effective 29 April 2026. All references to the previous payment subprocessor have been superseded by the terms set forth herein.
| Term | Definition |
|---|---|
| Data Controller | FIGURINE EMPIRE (Sole Proprietorship, SSM 202603090859 / JM1042627-W), the entity that determines the purposes and means of processing personal data. |
| Subprocessor | A third-party service provider engaged by the Data Controller to process personal data on its behalf. |
| Payment Subprocessor | SenangPay Sdn. Bhd., the designated payment gateway responsible for processing all FPX direct debit and e-wallet transactions. |
| Personal Data | Any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information, as defined under Section 4 of the PDPA. |
| Data Breach | Any unauthorised access, disclosure, alteration, loss, or destruction of personal data. |
The following table constitutes the authoritative registry of all subprocessors engaged by Figurine Empire as of the effective date of this Addendum. Each subprocessor is classified by risk tier based on the sensitivity of data processed and the nature of the processing activity.
| Subprocessor | Service Category | Data Sensitivity | Risk Tier | Liability Model |
|---|---|---|---|---|
| SenangPay | Payment Gateway | High — Financial | Tier 1 (Critical) | Direct |
| Supabase | Cloud Database | High — Personal | Tier 1 (Critical) | Shared Liability |
| Redis | Session Caching | Medium — Session | Tier 2 (Standard) | Shared Liability |
| Meshy | 3D Model Generation | Low — Product | Tier 3 (Operational) | Indemnification |
| Imagen/Google | AI Image Generation | Low — Product | Tier 3 (Operational) | Indemnification |
| Telegram | Messaging | Medium — User IDs | Tier 2 (Standard) | Indemnification |
| OneSignal | Push Notifications | Medium — User IDs | Tier 2 (Standard) | Indemnification |
| PosLaju/GDex | Logistics & Delivery | Medium — Shipping | Tier 2 (Standard) | Shared Liability |
| Anthropic PBC | AI Language Model (Claude) | Low — Operational | Tier 3 (Operational) | Indemnification |
| Google Workspace | Email & Collaboration | Low — Operational | Tier 3 (Operational) | Indemnification |
| Google Vertex AI / Gemini | AI Model Platform | Low — Operational | Tier 3 (Operational) | Indemnification |
| xAI Corp (Grok) | AI Security Auditing | Low — Operational | Tier 3 (Operational) | Indemnification |
| Gamma App Inc | Presentation & Document AI | Low — Operational | Tier 3 (Operational) | Indemnification |
| Twilio | SMS / Communications | Medium — User IDs | Conditional | Indemnification |
| Firebase | Analytics & App Platform | Low — Operational | Conditional | Indemnification |
| Looker Studio | Reporting & Dashboard | Low — Operational | Conditional | Indemnification |
Conditional subprocessors are engaged only when the associated feature is activated. Internal tooling subprocessors process operational data only — no customer personal data is transmitted.
SenangPay Sdn. Bhd. is designated as the Tier 1 (Critical) Payment Subprocessor for Figurine Empire. SenangPay processes all customer payment transactions, including FPX direct debit transfers, e-wallet payments (Touch 'n Go eWallet, GrabPay, Boost, ShopeePay), and related refund operations. Given the high sensitivity of financial data and the direct impact on customer trust, SenangPay carries direct liability for the security and integrity of all personal data processed within its systems.
Under this Addendum, SenangPay assumes direct liability for the following:
Data Security. SenangPay shall implement and maintain technical and organisational security measures that meet or exceed the standards prescribed by Bank Negara Malaysia (BNM) for payment service providers. These measures shall include, at minimum, encryption of data in transit (TLS 1.3) and at rest (AES-256), multi-factor authentication for administrative access, real-time intrusion detection and prevention systems, and regular penetration testing conducted by independent third-party auditors.
Breach Notification. In the event of a data breach affecting personal data processed on behalf of Figurine Empire, SenangPay shall notify the Data Controller within 24 hours of becoming aware of the breach. The notification shall include the nature and scope of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to mitigate the adverse effects.
Regulatory Compliance. SenangPay shall maintain compliance with all applicable Malaysian financial regulations, including the Financial Services Act 2013 (FSA), the Payment Systems (Designated Payment Instruments) Order, and the PDPA. SenangPay shall provide evidence of compliance upon request by the Data Controller.
Incident Response. SenangPay shall maintain a documented incident response plan that addresses data breaches, service disruptions, and fraud events. The plan shall be tested at least annually and updated to reflect changes in the threat landscape.
Audit Rights. Figurine Empire reserves the right to conduct or commission security audits of SenangPay's systems and processes, with reasonable notice, to verify compliance with the obligations set forth in this Addendum. SenangPay shall cooperate fully with such audits and provide access to relevant documentation, logs, and personnel.
SenangPay shall bear direct financial liability for any losses, damages, penalties, or claims arising from a data breach or security incident attributable to SenangPay's failure to comply with the security obligations set forth in this Addendum. This includes, without limitation, costs of customer notification, credit monitoring services, regulatory fines imposed under the PDPA (up to RM 500,000 per offence under Section 5(2)), legal fees, and compensation to affected data subjects.
All payment data processed by SenangPay on behalf of Figurine Empire shall be stored and processed within Malaysia. SenangPay shall not transfer payment data to any jurisdiction outside Malaysia without the prior written consent of the Data Controller and without ensuring that adequate safeguards, as required under Section 129 of the PDPA, are in place.
Tier 1 subprocessors (SenangPay, Supabase) process high-sensitivity data and are subject to the most stringent security requirements. These subprocessors must maintain SOC 2 Type II certification or equivalent, provide annual security audit reports, implement end-to-end encryption for all data in transit and at rest, maintain a documented business continuity and disaster recovery plan, and submit to periodic security assessments by the Data Controller.
Tier 2 subprocessors (Redis, Telegram, OneSignal, PosLaju/GDex) process medium-sensitivity data and are required to maintain industry-standard security practices, provide security documentation upon request, implement access controls and authentication mechanisms, and report security incidents within 72 hours.
Tier 3 subprocessors (Meshy, Imagen/Google, Anthropic PBC, Google Workspace, Google Vertex AI/Gemini, xAI Corp, Gamma App Inc) process low-sensitivity operational or product data and are required to maintain reasonable security measures consistent with the nature of the data processed, comply with their published privacy policies and terms of service, and report material security incidents within 7 calendar days. Internal AI tooling subprocessors (Anthropic, Google Vertex AI/Gemini, xAI Corp, Gamma App Inc) process operational workflow data only — no customer personal data is transmitted to these services.
Any change to the subprocessor registry, including the addition, removal, or replacement of a subprocessor, shall be documented in a revised version of this Addendum. Material changes affecting Tier 1 subprocessors require approval from the Data Protection Officer and notification to affected data subjects in accordance with PDPA requirements.
The transition from HitPay to SenangPay, documented in this revision, was executed in accordance with the change management procedures outlined above. All customer-facing documentation, including the Privacy Policy and Refund & Dispute Policy, has been updated to reflect this change.
This Addendum shall be governed by and construed in accordance with the laws of Malaysia. Any disputes arising from or in connection with this Addendum shall be resolved through mediation administered by the Asian International Arbitration Centre (AIAC) in Kuala Lumpur. If mediation fails, the dispute shall be referred to the courts of Malaysia, which shall have exclusive jurisdiction.
| Role | Name | Date |
|---|---|---|
| Data Controller — FIGURINE EMPIRE (Sole Proprietorship, SSM 202603090859 / JM1042627-W) | _________________________ | 29 April 2026 |
| Payment Subprocessor — SenangPay Sdn. Bhd. | _________________________ | _____________ |
| Data Protection Officer — Figurine Empire | _________________________ | 29 April 2026 |