Privacy Policy

1. Introduction

This Privacy Policy forms an integral and inseparable part of the Terms and Conditions governing the use of SOFICloud, PISICloud, PISI People, and related services provided by PT Inforsys Indonesia ('INFORSYS').

This Privacy Policy explains how the INFORSYS collects, uses, stores, processes, and protects Personal Data in connection with the Services.

By accessing or using the Services, Customers and Users confirm that they have read, understood, and agreed to this Privacy Policy and the applicable Terms and Conditions.

2. Legal Basis

This Privacy Policy is prepared in accordance with the applicable laws and regulations of the Republic of Indonesia, including but not limited to:

Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Perlindungan Data Pribadi – UU PDP)
Law No. 11 of 2008 on Electronic Information and Transactions (UU ITE), as amended
Government Regulation No. 71 of 2019 concerning the Implementation of Electronic Systems and Transactions (PP 71/2019)

3. Definition of Personal Data

Personal Data refers to any data about an identified or identifiable individual, including but not limited to:

Identity information (name, employee ID, email address, phone number)
Employment-related data (position, department, attendance, leave, overtime)
System access data (username, login activity, IP address)

4. Data Collected

INFORSYS may collect and process the following types of data:

4.1 Customer Data

Company name, address, contact person details
Subscription and billing information

4.2 Employee / User Data

Personal identification data
HR-related records such as attendance, leave, overtime (OT), and employment status

4.3 Technical Data

Log files, access time, device information, and system usage statistics

5. Purpose of Data Processing

Personal Data is collected and processed for the following purposes:

Providing and operating the Services
Managing user access and authentication
Processing HR functions such as attendance, leave, and overtime
System maintenance, troubleshooting, and security monitoring
Compliance with applicable laws and regulations

6. Data Ownership and Roles

6.1 The Customer acts as the Data Controller for Employee / User Personal Data

6.2 INFORSYS acts as the Data Processor, processing Personal Data solely based on the Customer’s instructions

6.3 Ownership of all Customer and Employee data remains with the Customer

7. Data Storage and Security

7.1 Each Customer is provided with a dedicated Virtual Private Server (VPS) to ensure data isolation

7.2 Personal Data is protected using reasonable technical and organizational security measures, including access controls and encryption where applicable

7.3 Access to Personal Data is limited to authorized personnel only.

7.4 PISI People is hosted on third-party cloud infrastructure operated by Firebase. Personal Data processed through PISI People may be stored and processed on such third-party infrastructure in accordance with applicable data protection laws and the security standards implemented by the service provider.

7.5 Access to the Services is provided through a unique subdomain assigned to each Customer. Upon the Customer’s written request, access to the subdomain may be restricted through IP address whitelisting or other access control mechanisms, subject to technical feasibility.

7.6 The Customer is responsible for providing accurate, complete, and up-to-date IP address information for whitelisting purposes. INFORSYS shall not be responsible for any access limitations, service interruptions, or security incidents resulting from incorrect, outdated, or incomplete IP information provided by the Customer.

8. Data Retention

8.1 Personal Data is retained for as long as the subscription is active or as required by applicable laws

8.2 Upon termination of the Services, Customers may request data export within a defined retention period

8.3 After the retention period, Personal Data may be permanently deleted.

9. Data Disclosure and Sharing

9.1 INFORSYS does not sell or rent Personal Data to third parties

9.2 Personal Data may be disclosed only:

With the Customer’s consent
To comply with legal obligations
To trusted third-party service providers supporting infrastructure or system operations, under confidentiality obligations

10. Data Subject Rights

In accordance with UU PDP, Data Subjects have the right to:

Access and obtain a copy of their Personal Data
Request correction or update of inaccurate data
Request deletion or destruction of Personal Data
Withdraw consent where applicable
File a complaint with the relevant authority

Requests related to Data Subject rights must be submitted through the Customer (employer) as the Data Controller.

11. Cross-Border Data Transfer

If Personal Data is transferred outside Indonesia, INFORSYS shall ensure compliance with applicable Indonesian data protection regulations and adequate data protection standards.

12. System Availability and Risk

While INFORSYS implements security best practices, no electronic system is completely secure. Customers acknowledge and accept inherent risks associated with electronic data transmission and storage.

13. Changes to This Privacy Policy

INFORSYS may update this Privacy Policy from time to time. Material changes will be communicated through official channels.

14. Contact Information

For questions, requests, or complaints related to this Privacy Policy, please contact the INFORSYS through official communication channels.

15. Personal Data Breach Notification

In the event of a Personal Data breach that may impact the confidentiality, integrity, or availability of Personal Data, INFORSYS shall notify the Customer without undue delay after becoming aware of the breach. Such notification shall include, to the extent reasonably available, the nature of the breach, affected data categories, and mitigation measures taken. The Customer, as Data Controller, remains responsible for notifying Data Subjects and relevant authorities in accordance with applicable laws.