Privacy Policy

Introduction

Cygnus Technology Solutions Sdn. Bhd. (“Cygnus”, “we”, “our”, or “us”) is committed to safeguarding personal data in accordance with the Personal Data Protection Act 2010 [Act 709], as amended by the Personal Data Protection (Amendment) Act 2024, as well as the principles of ISO/IEC 27001:2022 on Information Security Management.

This Privacy Policy outlines how we collect, use, disclose, and protect personal data in accordance with our ISO/IEC 27001-certified Information Security Management System (ISMS) and PDPA obligations, when you visit www.cygnus.com.my or engage with our services. Oversight is provided by our appointed Data Protection Officer (DPO), who ensures compliance with both regulatory and international standards.

Scope & Availability

This Privacy Policy applies to all personal data processed by Cygnus Technology Solutions Sdn. Bhd. (“Cygnus”) in connection with the use of our website www.cygnus.com.my, our digital platforms, and any services, communications, or transactions conducted with us.

It covers personal data collected from:

• Website visitors and users of our online services
• Clients, vendors, and business partners engaging with Cygnus
• Individuals whose data is processed in the course of service delivery, support, or compliance activities

This policy applies to personal data processed both within Malaysia and in jurisdictions where Cygnus operates or engages third-party service providers, subject to cross-border transfer requirements under the 2024 revised PDPA Section 26 and ISO/IEC 27001 Annex A.13.2.4.

Cygnus maintains this Privacy Policy as part of its Information Security Management System (ISMS) and reviews it annually in accordance with ISO/IEC 27001 Clause 9.3 (Management Review) and evolving regulatory obligations. This Privacy Policy is publicly available and accessible via www.cygnus.com.my/privacy-policy.

Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity Data: Full Name, NRIC / Passport Number, Job Title
• Contact Data: Email Address, Phone Number, Mailing Address
• Technical Data: IP Address, Browser Type, Device Identifiers
• Usage Data: Website Interactions, Preferences, Feedback
• Transactional Data: Service Requests, Payment Records, Audit Logs

All personal data is classified and managed as an information asset under our ISMS, subject to documented handling procedures and access controls under our ISMS and is subject to access controls and lifecycle management.

Purpose of Collection

We process personal data for the following purposes:

• To deliver and improve our IT and compliance solutions
• To respond to enquiries and provide customer support
• To manage client relationships and service contracts
• To comply with legal, regulatory, and audit obligations
• To support internal risk management and ISMS controls

Each processing activity is mapped to a lawful basis under Malaysia’s PDPA and risk-assessed within our ISMS framework and documented within our Record of Processing Activities (RoPA).

Disclosure & Data Sharing

We may disclose personal data to:

• Authorized Cygnus personnel
• Third-party vendors and service providers under signed Data Processing Agreements (DPAs)
• Regulatory authorities, where legally required
• Overseas entities, subject to PDPA 2024 cross-border transfer protocols

All disclosures are governed by DPAs and documented in accordance with ISO 27001 Annex A.13.2 (Information Transfer Policies and Procedures).

Cross Border Data Transfers

Where personal data is transferred outside Malaysia, Cygnus ensures:

• The receiving jurisdiction has adequate data protection laws
• Binding contractual clauses and safeguards are in place
• Explicit consent is obtained where required
• Transfers are reviewed and approved by the DPO

These controls align with Malaysia’s revised PDPA Section 26 and ISO 27001 Annex A.13.2.4.

Data Security Measures

Cygnus complies to ISO/IEC 27001-certified ISMS, implementing controls across Access Management (A.9), Cryptography (A.10), Operations Security (A.12), and Incident Response (A.16). Key controls include:

• Role-based access control and multi-factor authentication
• Encryption of data in transit and at rest
• Secure coding and vulnerability management
• Logging and monitoring of system activities
• Incident response and breach notification protocols

These measures are aligned with Annex A.5 – A.18 of ISO 27001 and reviewed annually.

Data Retention

Personal data is retained only as long as necessary for the stated purposes or to meet legal obligations. Retention schedules are:

• Documented in our Data Retention Policy
• Reviewed annually by the DPO
• Enforced via automated and manual controls

Secure disposal methods are applied in accordance with ISO 27001 Annex A.8.3, ensuring data is irrecoverably destroyed when no longer required.

Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate or outdated data
• Withdraw consent at any time
• Object to processing for direct marketing
• Request data portability (where applicable)
• Lodge a complaint with the Personal Data Protection Commissioner

Requests can be submitted to our DPO using the contact details below. All requests are logged and responded to within statutory timelines, with audit trails maintained under our ISMS for accountability.

Contact our DPO

Policy Review & Updates

This Privacy Policy is reviewed annually as part of our management review cycle and updated to reflect changes in law, technology, or business practices. All updates will be posted on this page with the effective date clearly indicated.