Trust Center

Security and trust posture, on one page.

Where customer data lives, how it's protected, who else touches it, and how we respond when something breaks. Anything you can't find here, ask [email protected].

01 — Residency

Customer data stays in Indonesia.

Customer workloads, personal data, and operational telemetry are stored on Dalang.io infrastructure physically located in Indonesia — primary in Jakarta, secondary in Banten. Your data does not leave Indonesia unless you explicitly request a different region.

International egress for content distribution may transit through partner facilities (see the sub-processor list), but no customer data is stored at rest outside Indonesia under standard contracts.

  • Aligned with sovereign-data expectations under UU PDP, POJK 11/2022, and Permenkominfo 5/2020.
  • Replication is limited to Indonesian regions; cross-border replication requires written customer authorization.
  • Backups are encrypted at the host and retained on-shore.

02 — Encryption

Encryption at every layer where it matters.

Specific posture by layer. Anything not listed here is not claimed.

In transit (public)
TLS 1.2+ (TLS 1.3 preferred) on all public endpoints. HSTS enforced on dalang.io. Cipher suites restricted to modern AEAD families.
In transit (internal)
Inter-node and control-plane traffic carried over private overlay networks; mTLS for service-to-service authentication where applicable.
At rest (block storage)
Customer block volumes can be deployed on LUKS-encrypted underlying storage on request. Keys are managed within the Dalang.io control plane and not shared with the colocation facility.
At rest (control plane)
Customer credentials, API tokens, and OAuth refresh tokens are stored encrypted at the application layer. Database backups are encrypted before leaving the host.
Key management
Keys are rotated on a documented schedule and held outside the customer-data plane. Customer-managed keys (BYOK) available on enterprise contracts on request.

03 — Certifications

Held today, on the roadmap, or applicable by regulation.

Certificate numbers, issuing bodies, and certified holders are available under NDA. Roadmap items carry a target date — slippage is communicated in advance to enterprise customers.

  • ISO/IEC 27001:2022 (Jakarta facility)
    Jakarta region is hosted in a data center facility certified to ISO/IEC 27001:2022 for information security management. Certificate number, issuing body, and certified holder available under NDA.
    Certified
  • ISO 9001:2015 (Jakarta facility)
    The same Jakarta facility holds ISO 9001:2015 quality management certification. Certificate details available under NDA.
    Certified
  • Uptime Institute Tier-equivalent design
    Jakarta region runs on Tier 3-equivalent infrastructure (concurrently maintainable). Banten region runs on Tier 1-equivalent infrastructure (basic). Neither facility is Uptime Institute-certified — "equivalent" describes design specifications matched to those reference tiers.
    Applies
  • UU 27/2022 (UU PDP)
    Indonesia's Personal Data Protection Law applies to all personal data we process on behalf of customers. Subject rights, breach notification, and DPA terms are documented in /privacy and our standard DPA.
    Applies
  • POJK 11/2022 (financial-sector outsourcing)
    Where customers are OJK-supervised (banks, multifinance, insurtech), our infrastructure is configured to support customer compliance with POJK 11/2022 outsourcing requirements: data residency, audit access, sub-processor disclosure.
    Applies
  • Permenkominfo 5/2020 (PSE Privat)
    Dalang.io services operate as a Penyelenggara Sistem Elektronik (PSE) Privat under Indonesian regulation. PSE registration is maintained on PSE.go.id.
    Applies

04 — Incident response

Severity-driven response, named owners, public status.

Times below are initial response targets — the time to a human acknowledgement, not to resolution. Enterprise contracts include a named Technical Account Manager for Sev-1 and Sev-2.

Severity    Initial response
Sev-1       1 hour
Sev-2       4 business hours
Sev-3       1 business day
Sev-4       2 business days

Confirmed security incidents that affect customer data trigger a written notification to the named customer security contact within 72 hours, in line with UU PDP Article 46 obligations.

05 — Vulnerability disclosure

Found something? Tell us before you tell the world.

Send vulnerability reports to the contact listed below. We acknowledge reports within 2 business days, triage within 5, and aim to remediate critical issues within 30 days. PGP key publication is on the roadmap; meanwhile, encrypt sensitive details with a one-time secret-share tool (e.g. onetimesecret.com) and link in the email.

Safe-harbor scope

Good-faith research targeting your own account, your own VPS, or our public marketing surfaces is welcome. We will not pursue legal action against researchers who follow this policy.

Out of scope

Other customers' tenants, denial-of-service attempts, social engineering of staff or partners, physical access, and findings derived solely from automated scanners without exploitability evidence.

06 — Sub-processors

Who else touches customer or end-user data.

We notify enterprise customers at least 30 days before adding or replacing a sub-processor. Subscribe to changes via your DPA's notification clause.

Sub-processor
Cloudflare, Inc.
Xendit (PT Sinar Digital Terdepan)
Google LLC
GitHub, Inc.
Misaka Network, Inc.
Melbicom (Melbikomas UAB)
PT Internetindo Data Centra Indonesia

07 — Customer rights

Your rights under UU PDP, exercisable in writing.

As a Subjek Data Pribadi (data subject) under UU 27/2022, you have the right to access, rectify, delete, withdraw consent for, and obtain a portable copy of personal data Dalang.io processes about you. Customers acting as Pengendali Data may also obtain DPA-defined controls over their end-users' data.

  • Send your request to the contact below, or reach out via your account contact.
  • Verification by signed authorization or in-product confirmation.
  • Response within 14 calendar days for substantive requests; same-day acknowledgement.
  • Right to file a complaint with the relevant Indonesian data-protection authority.

Full disclosures live in the privacy notice.