SD
Security & Data Protection
How AIBot protects your data and complies with Malaysia's Personal Data Protection Act (PDPA 2010)
PDPA 2010 CompliantBYO API Key = Your Data Stays YoursNo Training on Your Data
Your Data, Your Keys
AIBot uses a Bring Your Own API (BYO API) model. This means:
- You connect your own API keys (OpenAI, Anthropic, DeepSeek, or Google)
- AI requests go directly from your key to the AI provider — AIBot routes but does not store the AI responses
- You control your own AI costs and usage limits at your provider
- You can revoke access at any time by deleting your API key from Settings
PDPA Malaysia Compliance
AITG Sdn Bhd (202601016521 / 1678618-W) operates AIBot in compliance with the Personal Data Protection Act 2010 (Act 709):
Data Collection
We only collect data necessary for the service: your email, name (optional), and chat messages you send to the AI.
Data Purpose
Your data is used solely to provide the AI chatbot service. We never sell, rent, or share your data with third parties.
Data Storage
Data is stored on secured servers with encrypted connections (TLS 1.3). Database access is restricted to authorised personnel only.
Data Retention
Chat conversations are retained for 90 days unless you delete them. You can delete your data at any time from Settings.
Your Rights
Under PDPA, you have the right to access, correct, and delete your personal data. Email [email protected] to exercise these rights.
Data Transfer
AI requests may be processed by international providers (OpenAI, Google, Anthropic). These providers have their own compliance certifications.
API Key Security
- API keys are encrypted at rest in our database
- Keys are never logged, displayed in full, or exposed in client-side code
- Each key is scoped to your account only — no cross-user access
- We recommend using provider-side rate limits (e.g., OpenAI spending limits) as an additional safeguard
- Platform fallback keys (for demo/free use) are rotated periodically
Website Widget & Visitor Data
When you embed the AIBot widget on your website:
- Lead capture only collects name, email, and phone when the visitor voluntarily provides them
- Visitor messages are processed in real-time and not permanently stored unless lead capture is enabled
- The widget uses CORS restrictions — only your approved domains can use your embed key
- Widget analytics (if enabled) track aggregate message counts, not individual visitor identities
- You own all leads collected through your widget — export them anytime from the dashboard
Infrastructure Security
- Hosting: Secured VPS with SSH key-only access, firewall (UFW), and fail2ban brute-force protection
- TLS/SSL: All traffic encrypted via Let's Encrypt TLS 1.3 certificates
- Database: PostgreSQL with connection isolation, no public access
- Container isolation: Each service runs in its own Docker container with resource limits
- Code execution sandbox: The
code_run tool runs in an isolated subprocess with a 10-second timeout and restricted imports - Regular updates: Dependencies updated monthly; security patches applied within 48 hours
🚨
Incident Response
In the event of a data breach or security incident:
- We will notify affected users within 72 hours via email (per PDPA Section 4)
- We will document the incident, its scope, and remediation steps
- We will cooperate with the Department of Personal Data Protection (JPDP) if required
- Security advisories will be published at aibot.com.my/security
Security Questions?
For security reports, data requests, or PDPA enquiries:
[email protected]AITG Sdn Bhd (202601016521 / 1678618-W) · George Town, Penang, Malaysia
Last updated: 5 July 2026 · This page is reviewed quarterly