SD

Security & Data Protection

How AIBot protects your data and complies with Malaysia's Personal Data Protection Act (PDPA 2010)

PDPA 2010 CompliantBYO API Key = Your Data Stays YoursNo Training on Your Data

Your Data, Your Keys

AIBot uses a Bring Your Own API (BYO API) model. This means:

  • You connect your own API keys (OpenAI, Anthropic, DeepSeek, or Google)
  • AI requests go directly from your key to the AI provider — AIBot routes but does not store the AI responses
  • You control your own AI costs and usage limits at your provider
  • You can revoke access at any time by deleting your API key from Settings

PDPA Malaysia Compliance

AITG Sdn Bhd (202601016521 / 1678618-W) operates AIBot in compliance with the Personal Data Protection Act 2010 (Act 709):

Data Collection

We only collect data necessary for the service: your email, name (optional), and chat messages you send to the AI.

Data Purpose

Your data is used solely to provide the AI chatbot service. We never sell, rent, or share your data with third parties.

Data Storage

Data is stored on secured servers with encrypted connections (TLS 1.3). Database access is restricted to authorised personnel only.

Data Retention

Chat conversations are retained for 90 days unless you delete them. You can delete your data at any time from Settings.

Your Rights

Under PDPA, you have the right to access, correct, and delete your personal data. Email [email protected] to exercise these rights.

Data Transfer

AI requests may be processed by international providers (OpenAI, Google, Anthropic). These providers have their own compliance certifications.

API Key Security

  • API keys are encrypted at rest in our database
  • Keys are never logged, displayed in full, or exposed in client-side code
  • Each key is scoped to your account only — no cross-user access
  • We recommend using provider-side rate limits (e.g., OpenAI spending limits) as an additional safeguard
  • Platform fallback keys (for demo/free use) are rotated periodically

Website Widget & Visitor Data

When you embed the AIBot widget on your website:

  • Lead capture only collects name, email, and phone when the visitor voluntarily provides them
  • Visitor messages are processed in real-time and not permanently stored unless lead capture is enabled
  • The widget uses CORS restrictions — only your approved domains can use your embed key
  • Widget analytics (if enabled) track aggregate message counts, not individual visitor identities
  • You own all leads collected through your widget — export them anytime from the dashboard

Infrastructure Security

  • Hosting: Secured VPS with SSH key-only access, firewall (UFW), and fail2ban brute-force protection
  • TLS/SSL: All traffic encrypted via Let's Encrypt TLS 1.3 certificates
  • Database: PostgreSQL with connection isolation, no public access
  • Container isolation: Each service runs in its own Docker container with resource limits
  • Code execution sandbox: The code_run tool runs in an isolated subprocess with a 10-second timeout and restricted imports
  • Regular updates: Dependencies updated monthly; security patches applied within 48 hours
🚨

Incident Response

In the event of a data breach or security incident:

  1. We will notify affected users within 72 hours via email (per PDPA Section 4)
  2. We will document the incident, its scope, and remediation steps
  3. We will cooperate with the Department of Personal Data Protection (JPDP) if required
  4. Security advisories will be published at aibot.com.my/security

Security Questions?

For security reports, data requests, or PDPA enquiries:

[email protected]

AITG Sdn Bhd (202601016521 / 1678618-W) · George Town, Penang, Malaysia

Last updated: 5 July 2026 · This page is reviewed quarterly