Compliance Roadmap

Last Updated: May 5, 2026

This page is the dated, public view of our compliance posture. It exists so that procurement teams and security reviewers do not have to guess at the difference between what is in production today and what we are still building. We update it as work lands.

 At a glance: SOC 2 Type I: in progress, target H2 2026 (subject to auditor scheduling)
Trust Services Criteria in scope: Security, Availability, Confidentiality
Regional data protection: aligned with Malaysia PDPA 2010 (as amended 2024), Singapore PDPA 2012, Indonesia PDP Law (UU 27/2022)
Data residency: Singapore (ap-southeast-1) — AWS and Supabase
GDPR / UK GDPR / CCPA: compliant today
Documents available under NDA: security questionnaire response, control overview, DPA
 

1. What is in production today

Already in place

Encryption in transit (TLS 1.2 / 1.3) and at rest (AES-256, AWS KMS-managed keys).
AWS infrastructure with multi-availability-zone deployment and AWS Shield Standard.
Account-scoped data isolation enforced at the database layer.
Daily encrypted backups with point-in-time recovery.
No customer data is used to train AI models. Enterprise data-processing agreements are in place with Anthropic and Google.
Sub-processor list published with a 30-day change-notice commitment. See Sub-processors.
Standard Contractual Clauses and the UK International Data Transfer Addendum for cross-border data flows.
Data Processing Agreement available to all customers. See DPA.
Vulnerability disclosure contact published at /.well-known/security.txt per RFC 9116.

2. Regional data protection — Southeast Asia

Smalt AI Sdn Bhd is incorporated in Malaysia and operates primary infrastructure in Singapore. We are accountable under three regional data-protection regimes; the table in our Privacy Policy §4a sets out the applicable laws and our position under each. The points below summarise our compliance-posture commitments.

What we commit to today

Data Protection Officer designated — accountable for PDPA compliance under the 2024 Amendment Act, reachable at support@smaltai.com. Formal registration with Malaysia's PDPC will be filed when the platform crosses the personal-data thresholds set by the JPDP DPO Appointment Guidelines (20,000 individuals, or 10,000 sensitive-data individuals).
Singapore data residency — customer data, including authentication and primary application storage, is hosted in Singapore (AWS ap-southeast-1, Supabase Singapore). See Sub-processors for the full hosting map.
Cross-border transfer safeguards — where personal data leaves the SEA region (for example, AI model providers operating in the US), transfers rely on Standard Contractual Clauses, the UK International Data Transfer Addendum where applicable, and Data Processing Agreements with each sub-processor. Routing follows Singapore PDPC and Malaysia PDPC cross-border guidance.
Data breach notification — we follow the breach-notification timelines set by Malaysia PDPC (2025 Guidelines), Singapore PDPC (72-hour materially significant breach), and GDPR (72 hours). One incident-response process meets all three.
Direct accountability as a data processor — under Malaysia's PDPA 2024 Amendment, data processors are directly liable. We accept that responsibility for customer data processed on our platform.

Under evaluation for the regional roadmap

Singapore Data Protection Trustmark (DPTM, SS 714:2025) — voluntary IMDA / PDPC certification under evaluation as enterprise customer demand emerges. Eligible for the Enterprise Singapore (ESG) Enterprise Development Grant. Targeted for 2027.
Indonesia data residency — pinned-region deployment evaluated as Indonesian enterprise demand grows; the PDP Agency is expected to issue implementing regulations from 2026 onward.
Bahasa Malaysia and Bahasa Indonesia language coverage in privacy notices and DPA templates.

3. SOC 2 Type I — in progress

Item	Detail
Audit type	SOC 2 Type I — auditor's opinion on the suitability of control design at a point in time.
Trust Services Criteria	Security, Availability, Confidentiality. Privacy and Processing Integrity are not in scope for Type I.
System scope	The Smalt AI platform at app.smaltai.com: workspace and chat, file upload, memory and retrieval, office files, AI employee, billing and credits.
Infrastructure scope	AWS Elastic Beanstalk, Supabase, Stripe, Anthropic, Google, Composio, and the supporting workers and storage layers.
Target	Type I report in H2 2026, subject to auditor scheduling.

Engineering hardening underway

Work that is being completed before the Type I observation point so that the controls map cleanly to what runs in production:

Browser auth hardening: migrating session tokens out of localStorage into HttpOnly secure cookies, with CSRF tokens on all state-changing endpoints.
Background workers: moving indexing, memory synthesis, AI employee, and file processing onto a real queue with retry, idempotency, and failure visibility.
Object storage as source of truth: signed access, TTL cleanup, per-account quotas, and audit logs for file preview and download.
Billing integrity: immutable credit-transactions ledger with idempotency keys and reconciliation against the payment provider.
Observability: structured logs with request IDs across the stack, and alerting for auth-denial spikes, provider failures, indexing failures, and ledger mismatches.
Backup restore testing: documented restore drills on a fixed cadence.

Policy and operational controls being formalised

Information Security Policy
Access Control Policy and quarterly access reviews
Password and MFA Policy (MFA enforced for all production admin access)
Change Management Policy with required PR review and CI checks before deploy
Incident Response Plan with severity tiers and tabletop exercises
Vendor Risk Management Policy with security review before onboarding any vendor that handles customer data
Data Classification, Retention, and Deletion Policies
Backup and Disaster Recovery Policy
Vulnerability Management Policy with dependency and secret scanning in CI
Secure SDLC Policy
Acceptable Use Policy (already public — see AUP)
Employee onboarding and offboarding checklist with 24-hour access removal
Risk Register reviewed by management on a fixed cadence

4. On the longer roadmap

Framework	Status	Notes
SOC 2 Type II	Planned 2027	Initiated once Type I controls have operated through the required observation period.
SOC 2 Privacy criterion	Under evaluation	Reassessed as we expand long-term memory and retrieval features that handle personal data on customers' behalf.
ISO 27001	Under evaluation	Considered after Type II, particularly if requested by enterprise customers in regulated regions.
EU data residency	Under evaluation	Region-pinned deployments for EU-only customers, evaluated as enterprise demand emerges.

5. Out of scope for now

SOC 2 Processing Integrity. Financial-output correctness sits more naturally in a SOC 1 engagement if customers later require attestation over financial reporting outputs. Our Responsible AI commitments and human-in-the-loop workflow handle correctness expectations today.
HIPAA. We are not a healthcare data processor and the platform is not configured for protected health information.
FedRAMP. We do not currently target US Federal customers.

6. Documents available under NDA

What we can share on request

Security questionnaire response (SIG Lite or your standard format)
Control overview mapped to SOC 2 Trust Services Criteria
Architecture and data-flow diagrams
Vendor and sub-processor inventory beyond what is published on Sub-processors
Backup, restore, and incident-response procedure summaries
Risk register summary

Email support@smaltai.com to start a security review or request documents under NDA.

7. Public documents

Security & Trust Center — full security narrative
Data Processing Agreement
Sub-processors
Service Level Agreement
Privacy Policy
Acceptable Use Policy
Responsible AI
/.well-known/security.txt (RFC 9116)

8. Contact

Compliance and procurement enquiries: support@smaltai.com
Vulnerability reports: support@smaltai.com (see Responsible Disclosure)