Security Whitepaper

Enterprise Data Protection & Sovereignty

Skandage Technologies employs a multi-layered security model designed to mitigate risks across the entire data lifecycle. We operate as a Data Intermediary, providing tools that ensure Privacy by Design.

1. Cryptographic Standards

Our encryption strategy is built on a Zero-Knowledge architecture. We ensure that client Personally Identifiable Information (PII) is never visible to Skandage staff or infrastructure providers.

AES-256-GCM at Rest

We utilise the Advanced Encryption Standard (AES) with 256-bit keys in Galois/Counter Mode (GCM). This provides authenticated encryption, ensuring that encrypted data remains confidential and tamper-evident.
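The tamper-evidence property described above, shown with Node.js's built-in crypto module. This is an added example, not Skandage's code; the record IDs, the sample record and the choice to bind the record ID as additional authenticated data (AAD) are assumptions made for illustration.

```javascript
// Added example (not Skandage's code). Record IDs and SAMPLE are constructed values.
const crypto = require('node:crypto');

const SAMPLE = '{"name":"Jane Tan","email":"jane@example.com"}'; // constructed record

// Encrypt one record with AES-256-GCM.
// Assumption: the record ID is bound as AAD, so a ciphertext copied onto
// another record fails authentication even though the key is the same.
function encryptRecord(key, recordId, plaintext) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, must be fresh for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() }; // tag is 16 bytes by default
}

// Decrypt and verify. Returns the plaintext, or null if the input is
// malformed or the authentication tag does not match.
function decryptRecord(key, recordId, { iv, ct, tag }) {
  if (iv.length !== 12 || tag.length !== 16) return null; // reject truncated tags
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
    decipher.setAAD(Buffer.from(recordId, 'utf8'));
    decipher.setAuthTag(tag);
    // final() throws if ciphertext, AAD, nonce, key or tag was altered.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Exercise the success path and three failure modes.
function demo() {
  const key = crypto.randomBytes(32); // 256-bit key
  const rec = encryptRecord(key, 'client-0001', SAMPLE);
  const flipped = { ...rec, ct: Buffer.from(rec.ct) };
  flipped.ct[0] ^= 0x01; // single-bit modification of stored ciphertext
  return {
    roundTrip: decryptRecord(key, 'client-0001', rec),
    tamperedCiphertext: decryptRecord(key, 'client-0001', flipped),
    movedToOtherRecord: decryptRecord(key, 'client-0002', rec),
    wrongKey: decryptRecord(crypto.randomBytes(32), 'client-0001', rec),
  };
}
```

A `null` result should be treated as an integrity failure and logged, not retried or silently skipped.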

TLS 1.3 in Transit

All data movement is secured via Transport Layer Security 1.3 with Perfect Forward Secrecy (PFS), so that a later compromise of long-term keys does not allow retroactive decryption of captured traffic.

2. Identity & Access Management (IAM)

To satisfy the MAS TRM requirements for strong authentication, Skandage enforces strict identity verification protocols.

Mandatory Multi-Factor Authentication (MFA)

Account access is gated by Email-based OTP. This ensures that even in the event of password credential theft, the client vault remains inaccessible.

Idle Session Termination

To prevent unauthorised physical access in office environments, browser sessions are automatically invalidated and purged from memory after 15 minutes of inactivity.

3. Immutable Non-Repudiation Logs

Skandage maintains a definitive record of all administrative and data-access actions. These logs are critical for demonstrating compliance during an MAS or agency-level audit.

// AUDIT_LOG_ENTRY_EXAMPLE
{
  "event": "CLIENT_VAULT_EXPORT",
  "actor_id": "agent_9912",
  "ip_address": "202.166.xx.xx",
  "timestamp": "2026-03-12T14:45:35Z",
  "status": "SUCCESS",
  "encryption_integrity": "VERIFIED"
}

4. PDPA Obligation Mapping

Protection Obligation

Fulfilled via AES-256-GCM encryption and 2FA.

Retention Limitation

Fulfilled via automated 7-year anonymisation engine.

Transfer Limitation

Fulfilled via local residency in AWS Singapore.

Consent Obligation

Fulfilled via one-click unsubscribe and explicit opt-in links.