Subprocessor Security Addendum

PDPA-002 · Subprocessor Security Addendum
Document Reference: PDPA-002 v2.0
Effective Date: 29 April 2026
Last Revised: 29 April 2026
Classification: Internal — Legal & Compliance

1. Purpose and Scope

This Subprocessor Security Addendum ("Addendum") supplements the Figurine Empire Privacy Policy and establishes the security obligations, liability framework, and data protection standards applicable to all third-party subprocessors engaged by FIGURINE EMPIRE (Sole Proprietorship, SSM 202603090859 / JM1042627-W) ("Data Controller") for the processing of personal data under the Personal Data Protection Act 2010 (PDPA) of Malaysia.

This revision (v2.0) reflects the operational transition from HitPay to SenangPay as the primary payment gateway, effective 29 April 2026. All references to the previous payment subprocessor have been superseded by the terms set forth herein.


2. Definitions

| Term | Definition |
|---|---|
| Data Controller | FIGURINE EMPIRE (Sole Proprietorship, SSM 202603090859 / JM1042627-W), the entity that determines the purposes and means of processing personal data. |
| Subprocessor | A third-party service provider engaged by the Data Controller to process personal data on its behalf. |
| Payment Subprocessor | SenangPay Sdn. Bhd., the designated payment gateway responsible for processing all FPX direct debit and e-wallet transactions. |
| Personal Data | Any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information, as defined under Section 4 of the PDPA. |
| Data Breach | Any unauthorised access, disclosure, alteration, loss, or destruction of personal data. |

3. Subprocessor Registry

The following table constitutes the authoritative registry of all subprocessors engaged by Figurine Empire as of the effective date of this Addendum. Each subprocessor is classified by risk tier based on the sensitivity of data processed and the nature of the processing activity.

| Subprocessor | Service Category | Data Sensitivity | Risk Tier | Liability Model |
|---|---|---|---|---|
| SenangPay | Payment Gateway | High — Financial | Tier 1 (Critical) | Direct |
| Supabase | Cloud Database | High — Personal | Tier 1 (Critical) | Shared Liability |
| Redis | Session Caching | Medium — Session | Tier 2 (Standard) | Shared Liability |
| Meshy | 3D Model Generation | Low — Product | Tier 3 (Operational) | Indemnification |
| Imagen/Google | AI Image Generation | Low — Product | Tier 3 (Operational) | Indemnification |
| Telegram | Messaging | Medium — User IDs | Tier 2 (Standard) | Indemnification |
| OneSignal | Push Notifications | Medium — User IDs | Tier 2 (Standard) | Indemnification |
| PosLaju/GDex | Logistics & Delivery | Medium — Shipping | Tier 2 (Standard) | Shared Liability |
| Anthropic PBC | AI Language Model (Claude) | Low — Operational | Tier 3 (Operational) | Indemnification |
| Google Workspace | Email & Collaboration | Low — Operational | Tier 3 (Operational) | Indemnification |
| Google Vertex AI / Gemini | AI Model Platform | Low — Operational | Tier 3 (Operational) | Indemnification |
| xAI Corp (Grok) | AI Security Auditing | Low — Operational | Tier 3 (Operational) | Indemnification |
| Gamma App Inc | Presentation & Document AI | Low — Operational | Tier 3 (Operational) | Indemnification |
| Twilio | SMS / Communications | Medium — User IDs | Conditional | Indemnification |
| Firebase | Analytics & App Platform | Low — Operational | Conditional | Indemnification |
| Looker Studio | Reporting & Dashboard | Low — Operational | Conditional | Indemnification |

Conditional subprocessors are engaged only when the associated feature is activated. Internal tooling subprocessors process operational data only; no customer personal data is transmitted to them.


4. SenangPay — Direct Liability Framework

4.1 Designation and Scope

SenangPay Sdn. Bhd. is designated as the Tier 1 (Critical) Payment Subprocessor for Figurine Empire. SenangPay processes all customer payment transactions, including FPX direct debit transfers, e-wallet payments (Touch 'n Go eWallet, GrabPay, Boost, ShopeePay), and related refund operations. Given the high sensitivity of financial data and the direct impact on customer trust, SenangPay carries direct liability for the security and integrity of all personal data processed within its systems.

4.2 Direct Liability Obligations

Under this Addendum, SenangPay assumes direct liability for the following:

Data Security. SenangPay shall implement and maintain technical and organisational security measures that meet or exceed the standards prescribed by Bank Negara Malaysia (BNM) for payment service providers. These measures shall include, at minimum, encryption of data in transit (TLS 1.3) and at rest (AES-256), multi-factor authentication for administrative access, real-time intrusion detection and prevention systems, and regular penetration testing conducted by independent third-party auditors.

Breach Notification. In the event of a data breach affecting personal data processed on behalf of Figurine Empire, SenangPay shall notify the Data Controller within 24 hours of becoming aware of the breach. The notification shall include the nature and scope of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to mitigate the adverse effects.

Regulatory Compliance. SenangPay shall maintain compliance with all applicable Malaysian financial regulations, including the Financial Services Act 2013 (FSA), the Payment Systems (Designated Payment Instruments) Order, and the PDPA. SenangPay shall provide evidence of compliance upon request by the Data Controller.

Incident Response. SenangPay shall maintain a documented incident response plan that addresses data breaches, service disruptions, and fraud events. The plan shall be tested at least annually and updated to reflect changes in the threat landscape.

Audit Rights. Figurine Empire reserves the right to conduct or commission security audits of SenangPay's systems and processes, with reasonable notice, to verify compliance with the obligations set forth in this Addendum. SenangPay shall cooperate fully with such audits and provide access to relevant documentation, logs, and personnel.

4.3 Financial Liability

SenangPay shall bear direct financial liability for any losses, damages, penalties, or claims arising from a data breach or security incident attributable to SenangPay's failure to comply with the security obligations set forth in this Addendum. This includes, without limitation, costs of customer notification, credit monitoring services, regulatory fines imposed under the PDPA (up to RM 500,000 per offence under Section 5(2)), legal fees, and compensation to affected data subjects.

4.4 Data Localisation

All payment data processed by SenangPay on behalf of Figurine Empire shall be stored and processed within Malaysia. SenangPay shall not transfer payment data to any jurisdiction outside Malaysia without the prior written consent of the Data Controller and without ensuring that adequate safeguards, as required under Section 129 of the PDPA, are in place.


5. General Subprocessor Security Requirements

5.1 Tier 1 (Critical) Subprocessors

Tier 1 subprocessors (SenangPay, Supabase) process high-sensitivity data and are subject to the most stringent security requirements. These subprocessors must maintain SOC 2 Type II certification or equivalent, provide annual security audit reports, implement end-to-end encryption for all data in transit and at rest, maintain a documented business continuity and disaster recovery plan, and submit to periodic security assessments by the Data Controller.

5.2 Tier 2 (Standard) Subprocessors

Tier 2 subprocessors (Redis, Telegram, OneSignal, PosLaju/GDex) process medium-sensitivity data and are required to maintain industry-standard security practices, provide security documentation upon request, implement access controls and authentication mechanisms, and report security incidents within 72 hours.

5.3 Tier 3 (Operational) Subprocessors

Tier 3 subprocessors (Meshy, Imagen/Google, Anthropic PBC, Google Workspace, Google Vertex AI/Gemini, xAI Corp, Gamma App Inc) process low-sensitivity operational or product data and are required to maintain reasonable security measures consistent with the nature of the data processed, comply with their published privacy policies and terms of service, and report material security incidents within 7 calendar days. Internal AI tooling subprocessors (Anthropic, Google Vertex AI/Gemini, xAI Corp, Gamma App Inc) process operational workflow data only — no customer personal data is transmitted to these services.


6. Change Management

Any change to the subprocessor registry, including the addition, removal, or replacement of a subprocessor, shall be documented in a revised version of this Addendum. Material changes affecting Tier 1 subprocessors require approval from the Data Protection Officer and notification to affected data subjects in accordance with PDPA requirements.

The transition from HitPay to SenangPay, documented in this revision, was executed in accordance with the change management procedures outlined above. All customer-facing documentation, including the Privacy Policy and Refund & Dispute Policy, has been updated to reflect this change.


7. Governing Law and Dispute Resolution

This Addendum shall be governed by and construed in accordance with the laws of Malaysia. Any disputes arising from or in connection with this Addendum shall be resolved through mediation administered by the Asian International Arbitration Centre (AIAC) in Kuala Lumpur. If mediation fails, the dispute shall be referred to the courts of Malaysia, which shall have exclusive jurisdiction.


8. Signatories

| Role | Name | Date |
|---|---|---|
| Data Controller — FIGURINE EMPIRE (Sole Proprietorship, SSM 202603090859 / JM1042627-W) | _________________________ | 29 April 2026 |
| Payment Subprocessor — SenangPay Sdn. Bhd. | _________________________ | _____________ |
| Data Protection Officer — Figurine Empire | _________________________ | 29 April 2026 |