Truestack

Cybersecurity Policy

How Truestack approaches security across its website, fintech platforms, and regulated service infrastructure.

Last updated: March 2026

1. Purpose and Scope

This Cybersecurity Policy provides a public overview of how Truestack designs, operates, and protects systems used to deliver lending software, KPKT compliance services, and e-KYC capabilities in Malaysia.

It applies to our public website and related service interfaces connected to Truestack products and operations, including:

  • truestack.my
  • admin.truestack.my
  • kredit.truestack.my
  • core.truestack.my
  • api.truestack.my

This page is intended as a high-level security statement for customers, partners, and users. Additional contractual, technical, or regulatory controls may apply to specific Truestack services.

2. Security Principles

Malaysia-hosted infrastructure

We design our platforms around Malaysian data residency requirements and infrastructure hosted in the AWS Malaysia region where applicable.

Protected access

Administrative and operational access is restricted through role-based permissions and controlled access to sensitive systems and data.

Secure APIs and applications

Customer-facing systems such as TrueIdentity and TrueKredit are built with secure APIs, protected storage, and controls intended to reduce unauthorised access.

Monitoring and traceability

We maintain system monitoring, alerting, and audit trail capabilities to support operational visibility, investigations, and compliance readiness.

3. Controls We Apply

Depending on the service and deployment model, our controls may include:

  • Encryption in transit and protected storage for sensitive records
  • Role-based access control for administrative and operational users
  • Centralised logging and audit trails for important platform actions
  • Real-time monitoring and alerting to support detection and response
  • Redundant or resilient infrastructure for service continuity objectives

Some Truestack systems support sensitive financial, identity, or biometric workflows. Those environments are subject to stricter access, monitoring, and handling expectations.

4. Service-Specific Considerations

TrueIdentity e-KYC

Identity verification workflows involve document capture, OCR extraction, selfie and liveness checks, biometric matching, fraud screening, and verification outcomes.

TrueKredit loan management

Loan servicing environments may contain borrower profiles, loan records, repayment histories, compliance outputs, and audit-ready documentation.

Compliance and signing infrastructure

For regulated workflows, Truestack may operate dedicated or controlled infrastructure, including environments that support compliance or digital signing requirements.

5. Incident Detection and Response

We aim to detect, assess, contain, and recover from security events in a timely manner using monitoring, audit logs, and operational escalation processes.

  • Investigate suspicious activity or anomalous system behaviour
  • Contain affected services or access paths when necessary
  • Restore operations and review preventive improvements
  • Notify relevant customers or authorities when required by law, contract, or regulatory obligation

6. User and Customer Responsibilities

Security is a shared responsibility. Customers, partners, and authorised users should also help protect Truestack systems by:

  • Safeguarding login credentials and restricting account sharing
  • Applying least-privilege access within their organisations
  • Reporting suspected misuse, vulnerabilities, or security incidents promptly
  • Using supported devices, networks, and browsers when accessing services

7. Policy Review

We may update this Cybersecurity Policy from time to time to reflect changes in our services, infrastructure, regulatory obligations, or security practices. Updates will be published on this page with a revised effective date.

8. Contact

To report a security concern or request more information about our security practices, contact: