Last reviewed: March 2026
River SIS processes personal data for school management operations including student administration, staff records, and school activities. For Malaysian schools, this page summarises how our operational privacy practices align with the Personal Data Protection Act 2010 (Act 709), which regulates personal data processed in commercial transactions, and with its seven Personal Data Protection Principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access.

| Classification | Description | Examples |
|---|---|---|
| PII | Personally identifiable information | Database records, user profile images |
| Confidential | Sensitive operational data | App configuration, environment secrets |
| Audit | Access and activity records | Database audit logs, admin activity |
| Internal | Non-personal operational data | Application logs, container images |

| Data Category | Storage | Retention | Deletion |
|---|---|---|---|
| Customer images (current) | S3 | Indefinite | Manual on request |
| Customer images (superseded) | S3 | 30 days | Automatic (S3 Lifecycle) |
| Database backups | DocumentDB | 30 days | Automatic |
| Application logs | CloudWatch | 7 days | Automatic |
| Database audit logs | CloudWatch | 90 days | Automatic |

Malaysia's PDPA includes an access principle and supports requests to access personal data and correct inaccuracies, subject to applicable exceptions. We support verified access requests through customer administrators and internal review controls.
Malaysia's PDPA emphasises retention limitation rather than a broad standalone erasure right. We therefore assess deletion requests against the purpose of processing, customer requirements, legal obligations, and retention controls already applied to the service.
The Data Integrity Principle requires reasonable steps to ensure personal data is accurate, complete, not misleading, and kept up to date where necessary. Customer-facing correction workflows and administrative review support this obligation.
Malaysia's PDPA is principle-based and does not mirror every portability right found in some other regimes. Where appropriate and technically feasible, we can support structured exports while focusing primarily on notice, disclosure control, and access rights under Act 709.
For Malaysia coverage, we focus on disclosure controls, security safeguards, retention discipline, and handling verified requests or objections through the customer relationship and applicable legal requirements.
Review data classification, retention settings, access permissions, and operational changes that may affect privacy risk.
Conduct least-privilege access reviews, verify key security controls, and document material changes to processing activities or vendor arrangements.
Perform a fuller review of data inventories, test data-rights handling and deletion workflows, review incident-response readiness, and update this document.
To exercise any of your data rights or for privacy-related enquiries, please contact SchoolHero.io OÜ at info@riversis.com or by post at Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe, 74626, Estonia.