General Information

Definitions

This section provides clear definitions used in the policy with practical examples from enterprise application development scenarios. Each definition includes a short example showing where the term applies in a real project lifecycle.

Personal data means any information relating to an identified or identifiable natural person. Examples in our projects include employee names in a payroll integration, user email addresses for single sign-on, device identifiers used for mobile apps, and contact details recorded in a customer relationship module.

Processing covers any operation performed on personal data, whether automated or manual. Typical processing activities we undertake include collecting onboarding forms, transforming data during migration, analyzing error logs for troubleshooting, and archiving data as part of retention schedules.

User refers to any natural person who interacts with the services VoraTstack builds or maintains. In a case scenario, a user's actions might include submitting a support ticket, authenticating to the enterprise portal, or interacting with a reporting dashboard.

Service denotes the suite of enterprise application development, deployment, integration, and support offerings provided by VoraTstack. Practical case: a payroll system deployment that integrates HR, management and third-party tax services.

Cookies are small text files stored on a user's device to support session management, preferences and analytics. Example: a session cookie enabling single sign-on across modules, or a persistent cookie storing language preference in a client portal.

Purposes of Processing

We process personal data for specific operational and contractual purposes tied to enterprise application development, deployment and maintenance. Each purpose below is illustrated with an example scenario to demonstrate practical application.

• Project delivery: using client-provided configuration and user details to build, test and deploy customized enterprise applications; example: importing employee data to configure access controls.
• Authentication and access management: verifying identities and managing permissions to ensure secure operation of enterprise systems in production.
• Support and incident management: analyzing support tickets and logs to resolve technical issues encountered in live environments.
• Billing and contract administration: processing invoicing data and purchase orders related to the services provided.
• Security and fraud prevention: monitoring access patterns and alerts to detect misuse and coordinate mitigation with client SOC teams.
• Product improvement: aggregated and anonymized usage metrics used to prioritize feature development based on real-case deployments.
• Compliance and legal obligations: retaining records and responding to lawful requests from authorities when required by applicable laws or contractual commitments.
• Testing and quality assurance: using sanitized or masked data in staging environments to validate functionality before production releases.

Legal Basis for Processing

We rely on appropriate legal bases for processing personal data depending on the context and applicable law. The choices are documented per project and include contractual necessity, legitimate interests and legal obligations. Each basis is considered with practical safeguards.

• Contractual necessity: processing required to perform obligations under agreements with clients, such as delivering software and support services.
• Legitimate interests: processing for reasonable operational needs like security monitoring and service improvements, balanced against individual rights and risks.
• Legal obligations: processing necessary to comply with statutory duties such as tax, accounting or compulsory disclosure requests.
• Consent: where specific activities fall outside other bases, we may request explicit consent for certain marketing communications or optional analytics during non-contractual interactions.

GDPR and International Data Subjects

Although VoraTstack operates from Malaysia, we may process personal data of EU residents in cross-border projects. For those situations we follow documented approaches to meet GDPR principles, including lawful basis assessments, DPIAs for high-risk processing, and documented safeguards for transfers.

• Lawful basis documentation: projects handling EU personal data include a recorded lawful basis and purpose limitation aligned with contract terms and client instructions.
• Data protection impact assessments: conducted for high-risk activities such as large-scale system integrations or processing of special categories of data.
• Vendor due diligence: third-party suppliers used in such projects are assessed for data protection practices and contractual clauses reflecting appropriate obligations.
• Transfer mechanisms: when EU data is transferred internationally, we implement appropriate safeguards such as standard contractual clauses or rely on client-approved lawful mechanisms.
• Rights facilitation: we support data subject rights requests received in relation to projects involving EU personal data and coordinate with clients to provide required responses.
• Record keeping: processing activities involving EU data are logged and reviewed as part of our compliance and operational audit processes.

Cookies and Similar Technologies

Our websites and some deployed applications use cookies and related technologies to support authentication, performance monitoring and analytics. We describe cookie types, categories and management options to help clients and users make informed choices.

Types of cookies we use include session cookies for authenticated sessions, persistent cookies for remembering preferences, and third-party analytics cookies for aggregated usage measurement. In an enterprise portal example, a session cookie maintains a user login across modules, while analytics cookies help assess feature adoption during a pilot.

Cookies are categorized as strictly necessary (required for service operation), performance and analytics (aggregate usage), functional (preferences), and optional marketing-type cookies. We avoid placing marketing cookies on client portals without explicit client consent.

Users can manage cookie preferences via browser settings or the cookie control mechanisms provided on the website. For client deployments, cookie configuration is discussed during implementation to align with the client's privacy and consent policies.

Refer to the Cookie Policy page on VoraTstack.digital for a detailed list of cookies and management instructions.

Data Sharing and Disclosure

We share personal data only when necessary for service delivery, with authorized subprocessors, or to comply with legal obligations. Each sharing instance is supported by contractual measures and documented in project records.

• Service providers and subprocessors engaged to host infrastructure, provide analytics, or deliver specialized services under written contracts limiting use to the purposes we specify.
• Client-authorized transfers to third-party systems as part of integrations, carried out under the client's instructions and configuration choices.
• Law enforcement and regulators when disclosure is required by law; disclosures are scoped and documented to the extent permitted by law.
• Affiliates and subcontractors performing operational tasks under confidentiality terms and access controls aligned with project requirements.
• Aggregated and anonymized datasets shared for product improvement or research that do not allow identification of individuals.
• Merger, acquisition or corporate restructure situations where personal data may be transferred as part of a business transaction subject to contractual and legal obligations.

International Transfers

Cross-border transfers occur when clients or their users interact with services hosted outside Malaysia or when integrating international systems. Transfers are conducted using documented safeguards, and we assess transfer risks and implement contractual protections when necessary.

Typical safeguards include binding contractual clauses, data processing agreements with subprocessors, technical controls such as encryption in transit and at rest, and client-approved processor lists. Specific measures are recorded in project documentation.

Data Retention

Retention schedules are defined per data category and project to align with operational needs, contractual obligations and legal requirements. We apply minimization and periodic review to avoid unnecessary storage.

Account and administrative records are retained for the duration of the business relationship and for a defined period after termination to support billing reconciliation and to respond to enquiries, typically aligned with contract terms.

Support tickets, correspondence and case notes are retained to maintain service history and improve incident response. Retention periods are determined by relevance to ongoing service obligations and may vary by client agreement.

System and security logs are retained for operational and security purposes for periods necessary to contribute incidents and comply with audit requirements. Logs are routinely archived and deleted according to documented schedules.

When retention periods expire or upon valid data deletion requests, data is securely deleted or anonymized in accordance with documented deletion procedures and with attention to backups and retained copies within reasonable operational timelines.

Security Measures

VoraTstack implements a combination of organizational, technical and physical measures to protect personal data. Security practices are adapted to project risk profiles and include access controls, encryption, monitoring and incident response procedures. Case examples show how measures are applied during deployments and incident handling.

• Access control and least privilege: role-based access for project teams and production access approvals documented in change logs.
• Encryption: use of TLS for data in transit and encryption at rest for sensitive data stores in hosted environments and customer-managed keys where requested.
• Monitoring and incident response: centralized logging, alerting and a documented incident response process that coordinates with client operation teams during a security event.

User Rights

Individuals may hold rights under applicable law related to their personal data. We provide structured processes to receive and handle these requests and coordinate with clients when they act as controllers for project data. Practical examples explain how requests are validated and fulfilled.

• Right of access: individuals can request confirmation of processing and a copy of their personal data where applicable; requests are triaged and responded to following verification procedures.
• Right to rectification: correction of inaccurate or incomplete personal data is implemented in source systems and reflected across integrations as appropriate.
• Right to erasure: where applicable by law and contract, we assess and act on deletion requests, considering retention obligations and the need to preserve records for legitimate business or legal reasons.
• Right to restriction and objection: requests to restrict processing or object to processing for certain purposes are evaluated with practical considerations for service continuity and contractual obligations.
• Right to data portability: where technically feasible and lawful, we provide exports of personal data in structured, commonly used formats to support migration or transfer scenarios in client projects.
• How to submit a request: contact privacy inquiries through the contact details listed on VoraTstack.digital or the business address; requests will be logged, verified and handled according to documented procedures with timelines explained in confirmation responses.
• Right to withdraw consent for specific processing activities where consent was the legal basis, and to receive confirmation that processing has stopped for those purposes.
• Right to lodge a complaint with the relevant supervisory authority in Malaysia if you believe your personal data is being processed in violation of applicable data protection laws.

Exercising your privacy rights

To submit a request to access, correct, erase, restrict or port your personal data, or to object to processing, contact VoraTstack via our privacy request form at https://VoraTstack.digital/privacy or by mail to our office at Jalan Kodiang, Pekan Jitra, 06000 Jitra, Kedah, Malaysia. Include a clear description of the request, relevant identifiers and any supporting documents. Please note we may need to verify your identity before fulfilling requests to protect your information.

[email protected]

We aim to respond to verifiable privacy requests within 30 calendar days of receipt. Complex requests or requests requiring coordination with third parties may take longer; in such cases we will notify you of the expected timeline and any information we need to proceed.