Security Policy
Effective date: 1 July 2026 · Last updated: 1 July 2026
The security of your account and your children's data is a priority for MisiCerdas. This policy describes the security measures we have in place to protect your information.
1. Encryption in Transit
All communication between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS). Unencrypted HTTP connections are automatically redirected to HTTPS. We do not transmit personal data over unencrypted connections.
2. Password Security
- Passwords are never stored in plain text. They are hashed using a strong one-way cryptographic algorithm (bcrypt) before storage.
- We enforce a minimum password strength requirement.
- If you forget your password, a reset link is sent to your registered email; we cannot retrieve your original password.
3. Payment Card Data
We do not store, transmit, or have access to your payment card number, CVV, or card expiry date. All payment processing is handled directly by Curlec, a PCI-DSS compliant payment gateway. Our servers receive only a tokenised reference to confirm that a payment was successful.
4. Access Controls
- Parent and child accounts are strictly separated. A child's session operates under the parent's account and cannot be used to access or modify account settings.
- Administrative access to the platform is restricted to authorised personnel only, protected by strong authentication and access logging.
- Database access is limited to application-level queries; direct database access from the internet is blocked.
5. Infrastructure Security
- Our application is hosted on a reputable cloud infrastructure provider with physical security, redundancy, and regular security patching.
- Database backups are performed regularly and stored in encrypted form.
- Application dependencies are monitored for known vulnerabilities and updated promptly.
6. Children's Account Protection
Child profiles cannot register independently, and cannot log in unless the parent first switches to (impersonates) the child's session. There is no direct login mechanism for child accounts that could be accessed without the parent's credentials.
7. Session Security
- Login sessions expire after a period of inactivity.
- Sessions are invalidated immediately upon logout.
- We use CSRF tokens to protect all form submissions against cross-site request forgery attacks.
8. Vulnerability Disclosure
If you discover a security vulnerability in our service, we ask that you report it responsibly by emailing hello@misicerdas.my with the subject line "Security Vulnerability". Please do not disclose the issue publicly until we have had a reasonable opportunity to investigate and address it. We commit to acknowledging all reports within 5 business days.
9. Data Breach Response
In the event of a data breach that affects your personal data, we will notify affected users and the relevant Malaysian authorities as required under applicable law, as promptly as reasonably possible.
10. Contact
For security-related enquiries, email us at hello@misicerdas.my or use our contact page.