This policy describes the technical and organisational measures Zenta Technologies Sdn. Bhd. applies when processing personal and business data through the GetZenta platform. It is intended for audit firms, enterprise clients, and procurement teams evaluating GetZenta's data governance posture.
Last updated: 7 May 2026
Processor: Zenta Technologies Sdn. Bhd. (202501060152)
Governing law: PDPA 2010 (Malaysia)
Audience: B2B / Procurement / Legal
Section 01
Scope & Purpose
This policy outlines the technical and organisational measures used by Zenta Technologies Sdn. Bhd. to process personal and business data on behalf of Users of the GetZenta platform. It supplements the Privacy Policy & PDPA Compliance Statement and is intended for procurement, legal, and IT audiences evaluating GetZenta for enterprise or audit firm deployment.
What GetZenta Processes
Receipt and invoice images and extracted structured fields
Account and identity data for platform users (Auditors, SMEs, Staff)
Audit trail and review decision records
Credit and subscription transaction records
Usage metadata for platform security and operational monitoring
Processing Basis
Data is processed on the basis of contractual necessity — to deliver the GetZenta service as described in the Terms of Service — and to fulfil legal obligations under Malaysian law, including the Income Tax Act 1967 and PDPA 2010.
Zenta Technologies does not process data for purposes beyond those disclosed in this policy and the Privacy Policy. We do not sell, rent, or commercially exploit user data. We do not use user data to train AI models.
GetZenta is built on a multi-layer architecture designed for data isolation, regional compliance, and audit-grade traceability.
Database (Managed Relational Database): Database-enforced tenant isolation. Southeast Asia regional infrastructure.
Auth & Access (Managed Authentication): Short-lived authenticated sessions. MFA available. Organisation-scoped role assignment.
File Storage (Private Object Storage): Receipt images and document files stored with organisation-scoped access policies.
AI / OCR (Authorised Cloud AI Services): AI-assisted OCR and field extraction. Transient processing — not stored by AI provider beyond the request.
Backend Logic (Server-Side Orchestration): Controlled backend functions for materiality calculation and workflow orchestration.
Payments (Stripe): PCI-DSS Level 1. GetZenta receives transaction confirmation only — no card data stored.
Multi-Tenant Isolation
Every database request in GetZenta is evaluated against database-enforced tenant-isolation controls tied to the authenticated user's organisation context. This means:
Organisation A's data is structurally inaccessible to Organisation B — not just hidden at the application layer
Even if application-layer access controls were bypassed, database-layer controls would reject unauthorised access
Each user's role (Auditor, SME, Staff) further restricts which records and actions are permitted within their own organisation
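The following is an added illustration of what "database-enforced tenant isolation" means in practice; it is not GetZenta's schema or code. It assumes PostgreSQL row-level security, constructed table names, and an assumed role mapping (SME read-only; Auditor and Staff may write) that the page does not specify.

```sql
-- Constructed example schema (not GetZenta's); assumes PostgreSQL.
CREATE TABLE evidence_records (
  id            bigserial PRIMARY KEY,
  org_id        uuid NOT NULL,
  merchant_name text,
  total_amount  numeric(12,2),
  review_state  text NOT NULL DEFAULT 'review_gate'
);

CREATE TABLE org_memberships (
  user_id uuid NOT NULL,
  org_id  uuid NOT NULL,
  role    text NOT NULL CHECK (role IN ('auditor', 'sme', 'staff')),
  PRIMARY KEY (user_id, org_id)
);

-- FORCE makes the policies apply even to the table owner; the application
-- should additionally connect as a non-superuser, since superusers bypass RLS.
ALTER TABLE evidence_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence_records FORCE ROW LEVEL SECURITY;

-- The backend sets the verified session's user id once per transaction,
-- e.g. SET LOCAL app.user_id = '<uuid>'; unset returns NULL and matches nothing.
CREATE FUNCTION current_app_user() RETURNS uuid
  LANGUAGE sql STABLE AS
  $$ SELECT current_setting('app.user_id', true)::uuid $$;

-- Read: any member of the organisation may see that organisation's records.
CREATE POLICY org_read ON evidence_records FOR SELECT
  USING (org_id IN (SELECT org_id FROM org_memberships
                    WHERE user_id = current_app_user()));

-- Write (assumed role mapping): auditors and staff only, and WITH CHECK
-- prevents a write from moving a row into another organisation.
CREATE POLICY org_insert ON evidence_records FOR INSERT
  WITH CHECK (org_id IN (SELECT org_id FROM org_memberships
                         WHERE user_id = current_app_user()
                           AND role IN ('auditor', 'staff')));
CREATE POLICY org_update ON evidence_records FOR UPDATE
  USING (org_id IN (SELECT org_id FROM org_memberships
                    WHERE user_id = current_app_user()
                      AND role IN ('auditor', 'staff')))
  WITH CHECK (org_id IN (SELECT org_id FROM org_memberships
                         WHERE user_id = current_app_user()
                           AND role IN ('auditor', 'staff')));

-- An application query that forgets the org filter still returns only the
-- caller's organisation, because the database applies the predicate itself:
-- SELECT * FROM evidence_records;
```

The check a reviewer would add: confirm the application's database role is neither a superuser nor exempt via BYPASSRLS, otherwise the policies are silently skipped.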
Data Residency
Primary data storage and processing runs on Southeast Asia regional infrastructure. This supports regional processing for Malaysian compliance workflows. AI processing may involve transient cross-border transfer — see Section 04 for details.
Section 03
Sub-Processor List
The following third-party sub-processors are currently engaged by Zenta Technologies in the delivery of the GetZenta platform. This list reflects active production deployments as of the last updated date above. We will update this list before engaging any new material sub-processor.
Managed Platform Infrastructure Provider
Purpose: Database, authentication, file storage, and server-side functions
Data Processed: Platform data including receipts, user records, and audit trail
Jurisdiction: Southeast Asia regional infrastructure
Standard: SOC 2 Type II

Authorised Cloud AI Provider
Purpose: Receipt OCR, field extraction, and evidence signal generation
Data Processed: Receipt images and extracted text — transient, not stored beyond request
Jurisdiction: Global infrastructure
Standard: ISO 27001; SOC 2

Payment Processor
Purpose: Payment processing and subscription billing
Data Processed: Transaction reference, amount, and status — no card data retained by GetZenta
Jurisdiction: Global infrastructure
Standard: PCI-DSS; SOC 2
Production orchestration: Workflow orchestration and compliance processing are currently executed through GetZenta-controlled backend infrastructure. Only sub-processors actively processing production customer data are listed here.
Sub-Processor Change Notification
Zenta Technologies will provide advance notice of any new sub-processor engagement or material change to an existing sub-processor via email to registered account holders and update to this page. Notice will be provided at least 14 days before the change takes effect, except in cases of urgent security requirements.
Section 04
AI Processing Disclosure
GetZenta uses third-party cloud AI services for optical character recognition (OCR) and evidence signal generation. This section provides the technical disclosure required by PDPA 2010's Notice and Choice Principle and is intended for procurement and legal review.
How AI Processes Your Data
When a User submits a receipt or invoice, the image is transmitted to an authorised cloud AI service via an encrypted API call
The AI service returns structured extracted fields: merchant name, date, total, tax values, and confidence score
The image and extracted data are then stored in GetZenta's own controlled platform environment under the User's organisation scope
The AI provider processes the image transiently for inference — it is not stored by the AI provider beyond the scope of the API request
Human Override Architecture
GetZenta is architecturally designed so that no AI output is treated as a final compliance determination. All extracted records pass through one of three states:
Evidence Ready: High-confidence extraction, no risk flags — presented to the User for final confirmation
Review Gate: Low-confidence extraction, high-value threshold, or risk signal — routed to the human reviewer queue before any further action
Exception: Extraction failed or record incomplete — held pending User input
The AI never issues compliance status, audit opinions, or LHDN submission readiness independently. These determinations remain with the User or their appointed professional.
Cross-Border AI Processing
Cloud AI inference may occur on infrastructure outside Malaysia and Singapore. By using GetZenta, Users consent to this transient cross-border processing. We configure AI API calls to minimise data retention by the provider beyond the immediate inference request. Our AI sub-processor is assessed against recognised security and compliance standards before engagement.
Specific AI model versions are not disclosed in this policy. Our technical stack may be updated without notice. Locking to a named model version would create a misleading disclosure. Procurement teams requiring specific model disclosures for contractual purposes should request this via the DPA process in Section 08.
Section 05
Access Controls & Security Measures
GetZenta applies the following technical and organisational security measures in active production deployment. These are not aspirational controls — they describe the architecture as built.
Encryption at Rest & in Transit
Industry-standard encryption at rest. Modern transport encryption for all data in transit, including API calls to authorised AI sub-processors and payment gateways. Encryption is applied at the infrastructure layer.
Database-Enforced Tenant Isolation
Every database request is evaluated against tenant-isolation controls enforcing organisation scope and role membership. Cross-tenant data access is structurally prevented, not just application-layer restricted.
Role-Based Access Control
Three distinct role tiers — Auditor, SME, Staff — with different permission scopes for data read, write, review, and export. Role assignments are organisation-scoped and administrator-controlled.
Multi-Factor Authentication
MFA is available for platform users and enforced for Zenta Technologies administrative infrastructure access. Authenticated sessions are short-lived and refreshed on re-authentication.
Immutable Audit Trail
All evidence decisions — AI extraction output, human review actions, override reasons, and timestamps — are written to an immutable audit log. Records cannot be altered after locking without generating a visible audit event. Supports ISA 230 documentation requirements.
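An added example of how "cannot be altered after locking without generating a visible audit event" can be enforced at the database rather than trusted to application code. This is constructed illustration, not GetZenta's implementation; it assumes PostgreSQL, constructed table names, and that the backend passes the actor and an override reason as transaction-local settings.

```sql
-- Constructed example (assumes PostgreSQL); tables are illustrative, not GetZenta's.
CREATE TABLE audit_events (
  id         bigserial PRIMARY KEY,
  record_id  bigint NOT NULL,
  actor      text   NOT NULL,
  action     text   NOT NULL,
  reason     text,
  before_row jsonb,
  after_row  jsonb,
  logged_at  timestamptz NOT NULL DEFAULT now()
);
-- Append-only: application roles may insert and read, never rewrite history.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_events FROM PUBLIC;

CREATE TABLE evidence_records (
  id     bigserial PRIMARY KEY,
  org_id uuid NOT NULL,
  total  numeric(12,2),
  locked boolean NOT NULL DEFAULT false   -- set once the review decision is final
);

CREATE FUNCTION guard_locked_record() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
  -- Assumed: backend runs SET LOCAL app.user_id / app.override_reason per request.
  reason text := current_setting('app.override_reason', true);
  actor  text := coalesce(current_setting('app.user_id', true), 'unknown');
BEGIN
  IF TG_OP = 'DELETE' THEN
    RAISE EXCEPTION 'evidence record % cannot be deleted', OLD.id;
  END IF;
  IF OLD.locked THEN
    -- A change to a locked record requires a stated reason; the reason,
    -- actor and before/after images are written in the same transaction,
    -- so the change cannot commit without its audit event.
    IF reason IS NULL OR reason = '' THEN
      RAISE EXCEPTION 'override reason required to change locked record %', OLD.id;
    END IF;
    INSERT INTO audit_events (record_id, actor, action, reason, before_row, after_row)
      VALUES (OLD.id, actor, 'locked_record_changed', reason, to_jsonb(OLD), to_jsonb(NEW));
  END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER evidence_lock_guard
  BEFORE UPDATE OR DELETE ON evidence_records
  FOR EACH ROW EXECUTE FUNCTION guard_locked_record();
```

Rejected attempts raise and roll back, so they leave no row in audit_events; if blocked attempts must also be visible, capture them from the database error log or a separate autonomous logging path.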
Administrative Access Controls
Production database and infrastructure access is limited to a minimum number of authorised Zenta Technologies personnel. Access is logged, reviewed periodically, and revoked immediately upon role change.
Section 06
Data Retention Schedule
The following schedule governs how long different categories of data are retained by Zenta Technologies in connection with the GetZenta platform.
Evidence records & audit trail
Retention Period: Duration of active subscription
Basis: Contractual necessity; ITA 1967 support
Post-Period Action: Available for export 90 days post-closure, then securely deleted

Account & identity data
Retention Period: Duration of active subscription + 90 days
Basis: Contractual necessity; PDPA 2010
Post-Period Action: Securely deleted 90 days after account closure

Receipt & document images
Retention Period: Duration of active subscription
Basis: Contractual necessity
Post-Period Action: Securely deleted with evidence records

Payment transaction records
Retention Period: 7 years
Basis: Companies Act 2016; tax compliance
Post-Period Action: Retained in anonymised form for financial audit purposes

Security & access logs
Retention Period: 12 months rolling
Basis: Security incident investigation
Post-Period Action: Automatically purged after 12 months

AI extraction logs
Retention Period: Not retained by AI provider
Basis: Transient processing only
Post-Period Action: Extracted fields stored in GetZenta DB; raw image not retained by AI provider
GetZenta's 90-day post-closure window is shorter than the 7-year retention requirement under the Income Tax Act 1967. Users are responsible for exporting compliance records before account closure or arranging extended retention in writing before termination.
Section 07
Breach Response SLA
Zenta Technologies maintains a structured breach response process with defined service-level commitments for notification and remediation.
Detection & Containment
Target detection time: Continuous monitoring through infrastructure logs and access anomaly detection
Containment target: Affected access isolated within 4 hours of confirmed breach identification
Notification SLA
User notification: Within 24 hours of internal confirmation of a breach affecting User data
PDPA Commissioner notification: Within 72 hours of confirmation (User's obligation as Data User — supported by our 24-hour lead time)
Ongoing updates: Every 24 hours during active incident until resolution
Breach Notification Content
Each breach notification will include: nature of the breach, categories and approximate volume of data affected, likely consequences, measures taken and proposed, and DPO contact details for further enquiries.
Post-Incident Review
Following resolution of any significant breach, Zenta Technologies will conduct a post-incident review and provide affected Users with a summary of findings and remediation measures within 30 days of incident closure.
To report a suspected security incident or data breach: dpo@getzenta.com.my or info@zentatechnologies.com. Urgent security matters should be submitted through verified email channels with clear incident details.
Section 08
DPA Request Process
Audit firms, enterprise clients, and organisations with contractual data processing requirements may request a formal Data Processing Agreement (DPA) from Zenta Technologies. A DPA supplements this policy with organisation-specific terms, additional warranties, and audit rights as required.
When to Request a DPA
Your organisation's procurement policy requires a formal DPA with all SaaS vendors
You are deploying GetZenta across multiple client workspaces under a white-label arrangement
You require specific AI model disclosure for contractual purposes
Your organisation requires additional security certifications or evidence beyond this policy
You are an audit firm subject to ISQM 1 or other professional body data governance requirements
Initial response: within 3 business days. DPA draft: within 10 business days.
Please include in your request: organisation name, registration number, nature of deployment, and specific DPA requirements or template if applicable.
This Data Processing Policy describes Zenta Technologies' processing practices as of the last updated date above. It does not constitute legal advice and does not replace a formal Data Processing Agreement where one is required. Zenta Technologies reserves the right to update this policy to reflect changes in technology, law, or business practice. Material sub-processor changes will be communicated with a minimum of 14 days' advance notice.