Veriva Systems Cross-Border Data Transfer Statement

Effective Date: 28 April 2025

1. Introduction

Veriva Systems Sdn Bhd (“Veriva”, “we”, “our,” or “us”) is committed to protecting personal data in accordance with applicable data protection laws, including Malaysia’s Personal Data Protection Act (PDPA) and similar frameworks.

As part of delivering our services, Customer Data may be transferred across national borders, including to countries that may not have the same level of data protection laws as the customer’s home country.

This Statement explains Veriva’s approach to cross-border data transfers.

2. Hosting and Processing Locations

Veriva delivers its services through a combination of cloud infrastructure and third-party providers, including but not limited to:

• Microsoft Azure Data Centers currently located in Singapore and the United States.
• Certain technology and service partners (such as OpenAI, Meta, and Google) which may process data in the United States or other jurisdictions, depending on their infrastructure and operational models.

Veriva may expand or adjust its data center locations over time in accordance with applicable legal, regulatory, and security requirements. Future data center placements are under evaluation and may include other jurisdictions to better serve regional needs and compliance obligations.

For customers requiring full control over data residency, Veriva offers a Customer-Hosted deployment option, allowing them to retain data within their own chosen infrastructure and jurisdiction.

3. Safeguards for International Transfers

As a Malaysia-based company, Veriva is not currently certified under frameworks such as ISO 27001, SOC 2, or Binding Corporate Rules.

However, Veriva takes reasonable and commercially practical steps to protect Customer Data during cross-border transfers, including:

• Working with established cloud infrastructure providers that implement industry-standard security measures
• Incorporating data protection obligations into our contracts with authorized Sub-Processors
• Offering contractual flexibility to customers, including support for Standard Contractual Clauses (SCCs) where necessary

Veriva is committed to supporting customers’ compliance obligations through transparency and cooperation.

4. Customer Control and Responsibility

Customers are encouraged to:

• Review Veriva’s available deployment options
• Notify Veriva of any specific data residency, security, or compliance needs during the onboarding process
• Conduct their own due diligence in relation to their legal and regulatory requirements

5. Updates to This Statement

Veriva may update this Cross-Border Data Transfer Statement from time to time to reflect changes in law, hosting infrastructure, or Sub-Processor arrangements.
Material changes will be communicated through our website or by direct notice.

6. Contact Information

For inquiries about cross-border data transfers, please contact:

Privacy Office
Veriva Systems Sdn Bhd
Email: privacy@verivasystems.com