Security & Compliance

Operated by Altream Sdn Bhd, Kuala Lumpur, Malaysia

Last updated: March 2026

Certification Status

NeurometriX is working toward SOC 2 Type II certification. Below is our current security posture and the controls we have in place. We are fully compliant with Malaysia PDPA 2024, GDPR, and CCPA.

Security Overview

We take the security of your data seriously. NeurometriX is built on enterprise-grade infrastructure with multiple layers of protection. Our security practices are designed to protect the cognitive and behavioral assessment data we process on behalf of employers and candidates.

Infrastructure Security

Cloud Provider

Amazon Web Services (AWS)

Data Centers

ISO 27001 certified AWS facilities

Regions

US, EU, APAC — data residency selection available

Uptime SLA

99.95% for Professional and Enterprise plans

Data Encryption

Data State	Method
Data in transit	TLS 1.3
Data at rest	AES-256
Database	AWS RDS encryption
Backups	Encrypted with separate keys

Access Controls

Multi-factor authentication available for all accounts
Role-based access control with 6 permission levels
Principle of least privilege enforced across all services
Configurable session timeouts (1 hour to 1 week)
Immutable audit logging of all administrative actions
IP-based rate limiting on authentication endpoints

Compliance Status

Standard	Status
Malaysia PDPA 2024	Compliant
GDPR (EU)	Compliant
CCPA (California)	Compliant
SOC 2 Type II	In Progress
ISO 27001	Roadmap 2026

Vulnerability Management

Regular penetration testing by independent security firms
Automated dependency scanning in CI/CD pipeline
Security patches deployed within 48 hours for critical CVEs
Bug bounty program for responsible disclosure

Incident Response

• 24/7 infrastructure monitoring and alerting
• Data breach notification within 72 hours to PDP Commissioner (per PDPA Amendment 2024)
• Affected individual notification within 7 days if significant harm risk
• Documented and tested incident response plan
• Post-incident review and remediation process

Request Security Documentation

Enterprise customers and prospects can request the following documentation:

• Security questionnaire responses (SIG, CAIQ, custom)
• Data Processing Agreement (DPA)
• Penetration test summary report
• Architecture and data flow diagrams

Contact: security@neurometrix.io

Data State

Method

Data in transit

TLS 1.3

Data at rest

AES-256

Database

AWS RDS encryption

Backups

Encrypted with separate keys

Access Controls

Multi-factor authentication available for all accounts
Role-based access control with 6 permission levels
Principle of least privilege enforced across all services
Configurable session timeouts (1 hour to 1 week)
Immutable audit logging of all administrative actions
IP-based rate limiting on authentication endpoints

Standard

Status

Malaysia PDPA 2024

Compliant

GDPR (EU)

Compliant

CCPA (California)

Compliant

SOC 2 Type II

In Progress

ISO 27001

Roadmap 2026

Incident Response

• 24/7 infrastructure monitoring and alerting
• Data breach notification within 72 hours to PDP Commissioner (per PDPA Amendment 2024)
• Affected individual notification within 7 days if significant harm risk
• Documented and tested incident response plan
• Post-incident review and remediation process