MaidCopilot handles sensitive personal data — worker biodata, employer details, deployment records. Here is exactly how we protect it, who can access it, and how we align with Singapore law.
All MaidCopilot data is stored on managed PostgreSQL in the Southeast Asia (Singapore) region. Your agency's data never leaves Singapore-region infrastructure.
| Service | Region | Status |
|---|---|---|
| Database & Auth | Southeast Asia | Singapore |
| File Storage | Southeast Asia | Singapore |
| API Backend | Southeast Asia | Singapore |
| Web Frontend | Southeast Asia + global edge | Static only |
| WhatsApp Messaging | Meta-managed | Meta-controlled |
Note on the CDN: Only static assets (HTML, JS, CSS) are served via a global CDN edge. All personal data is fetched from the Singapore-region API backend and never cached at edge nodes.
MaidCopilot is designed to help your agency comply with Singapore's Personal Data Protection Act 2012 (PDPA) — not just our own compliance. As your data processor, we give you the tools to meet your obligations as the data controller.
| Data type | Purpose | Legal basis |
|---|---|---|
| Agency user accounts (name, email) | Authentication and audit logging | Contractual necessity |
| Employer details (name, phone, address) | CRM, matching, case management | Legitimate interest / consent |
| Maid biodata (name, NRIC/passport, nationality, skills) | Placement matching, document management | Legitimate interest |
| WhatsApp message content | Inbox, conversation history | Legitimate interest |
| Audit log entries | Compliance record-keeping | Legal obligation |
We only collect fields needed for employment agency operations. Sensitive fields like NRIC numbers and passport details are stored only in document attachments and maid biodata — not in free-text messaging fields.
Your agency is responsible for obtaining consent from employers and domestic workers before entering their data. MaidCopilot provides an audit trail that records when records were created and by whom, supporting your documentation of consent.
Singapore's Employment Agencies Act (EAA) and MOM regulations require licensed employment agencies to maintain records of placements, employer agreements, and worker documentation. MaidCopilot is built to support these requirements.
Important: MaidCopilot is a software tool, not a licensed employment agency and not a legal advisor. You remain responsible for ensuring your agency's practices comply with MOM licensing conditions. Consult MOM or a legal advisor for compliance advice.
Every database table is scoped by agency, with Row-Level Security (RLS) policies enforced at the database layer. Even if a bug existed in application code, RLS prevents one agency from reading another's data.
Authentication uses magic link (email OTP) — no passwords are stored. Session tokens are short-lived JWTs verified on every API request, with key rotation supported with zero downtime.
Two roles exist within each agency: Owner (full access, can manage team and WhatsApp connections) and Coordinator(inbox, cases, biodata — no billing or system settings). Role checks are enforced at the API layer.
WhatsApp access tokens are stored in a restricted-access database table — never exposed via any API response, never written to logs. Hardware-backed encryption via a dedicated key management service is on our roadmap.
All incoming WhatsApp webhooks are verified using Meta's HMAC-SHA256 signature before any message processing occurs. Requests that fail verification are rejected with HTTP 403, in constant time to prevent timing-based attacks.
All traffic is HTTPS-only. Both the API and the web frontend enforce HTTPS at TLS termination, with HSTS enabled.
| Data type | Retention period | Deletion method |
|---|---|---|
| Active account data | Duration of subscription | Logical (soft) delete |
| WhatsApp messages | 2 years from receipt | Automated purge (roadmap) |
| Audit logs | 5 years (MOM compliance) | Not deleted |
| Documents (files) | Duration of subscription + 1 year | Hard delete from storage |
| Account data after cancellation | 30 days grace period | Hard delete on request |
To request early deletion of your agency's data, contact us at admin@coreframeslab.com.
MaidCopilot connects to WhatsApp via Meta's Cloud API using the Embedded Signup flow. This means your agency retains ownership of your WhatsApp Business Account (WABA) — MaidCopilot acts as a tech provider, not the account holder.
We onboard your number in Meta's coexistence mode. Your team can continue using the WhatsApp Business App on their phones while MaidCopilot mirrors incoming messages for the shared inbox. Outbound messages sent from the Business App are not mirrored in MaidCopilot.
When you send a message or WhatsApp template via MaidCopilot, the message content is transmitted to Meta's Cloud API for delivery. Meta's own data handling is governed by their Business Data Processing Terms.
The access token issued by Meta during Embedded Signup is stored in your agency's isolated database row. It is never logged, never returned via API, and scoped only to your WABA.
Under PDPA, individuals whose data is held by your agency have the right to:
As the data controller, your agency is responsible for responding to these requests. MaidCopilot gives owners the ability to export or delete contact records to support your response to these requests.
For requests about Coreframes Lab's own data handling (your agency user accounts, billing info), contact us directly at admin@coreframeslab.com.
If your agency requires a formal Data Processing Agreement (DPA) — for example, as part of your own compliance audit — we can provide one on request. The DPA sets out our obligations as your data processor under PDPA, including security measures, subprocessors, and breach notification timelines.
We'll send a signed DPA to your registered email within 5 business days.
Subprocessors: A small number of trusted subprocessors are used for hosting, storage, authentication, and WhatsApp messaging. The full list — with each subprocessor's role, region, and compliance posture — is included in the DPA.
