Appearance
Data Protection Impact Assessment (DPIA)
Status: Draft for pilot / design-partner review
Version: 0.1 · Date: 2026-07-11
Owner: Waspada AI engineering
Scope: Edge SDK + Gateway API (Phase A–B0). Phase B1–B6 durable store controls are designed; writers not yet live.
1. Summary
Waspada AI processes scam evidence (bank/e-wallet receipts) on the user device, extracts threat indicators (mule account, BIC, scammer alias, malicious URLs), and submits advisory telemetry to a gateway for bank FMS formatting. Victim identity documents (NRIC, phone) are stripped before egress. The pilot disposition is always advisory — no automated freeze.
Residual risk (honest): scammer alias may be a real person’s name used on a receipt; alias exposure is governed by SCAMMER_ALIAS_POLICY (hash / omit / clear). mule_key is a consistent hash of account|BIC and is re-identifiable pseudonymous data under PDPA — tenant-scoped queries and erasure apply.
2. Processing purposes
| Purpose | Legal basis (pilot framing) | Notes |
|---|---|---|
| Extract mule / scam indicators from user-submitted evidence | Legitimate interest / consent of reporting user | On-device processing |
| Submit advisory telemetry to partner bank FMS | Contract with partner platform | Always disposition: advisory in pilot; partner_signed only |
| Quarantine anonymous public / WhatsApp triage indicators | Legitimate interest / consent of reporting user | source_tier: public_triage — never FMS/corroboration without promotion; see ADV-005 |
| Analyst review via SSE dashboard | Partner operational need | Auth via analyst API key / tickets |
| Retention for RMiT evidence | Regulatory expectation (design) | 90-day partner default; 30-day quarantine default; B6 purge |
3. Data flows (high level)
See Data Flow Diagrams.
- Evidence (client): File → OCR/PDF → regex/NER → indicators → optional encrypted IndexedDB store.
- Telemetry egress: Indicators + JWT (RS256) → Gateway. Raw receipt text does not leave the device.
- Gateway: Verify JWT → optional RDAP enrich → FMS alert → webhook / SSE.
- Durable store (B0 schema, B3+ writers): Encrypted alert blob (per-row DEK), tenancy, retention columns.
4. PII / personal data inventory
| Data | Where processed | Egress? | Retention |
|---|---|---|---|
| Raw receipt image/PDF | Client memory / OCR | No | Volatile; user-controlled if stored in IndexedDB |
| NRIC / phone in receipt text | Client stripper | No (stripped) | N/A |
| Mule account number | Client → Gateway (encrypted at rest in B3+) | Yes (threat intel) | 90 days (design) |
Mule account number (public_triage) | Client → triage_quarantine (when public ingest ships) | Analyst queue only until promotion | 30 days |
| Scammer alias | Client → Gateway (policy: hash/omit/clear) | Conditional | 90 days |
mule_key (sha256) | Gateway / DB | Yes (join key) | Erasure-scoped |
Partner JWT claims (iss, jti) | Gateway Redis/memory | Internal | jti ≈ token lifetime |
| Analyst API key | Auth only | Never logged as identity | Secret rotation |
PII stripper: regex-based NRIC + MY phone + email redaction before egress. Measured via unit tests; not a substitute for a formal DPIA sign-off.
5. Risks and mitigations
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Wrong mule account extracted | Med | High (bad intel) | CI corpus eval (P/R gates); advisory-only disposition |
| Anonymous public-triage poisoning of FMS / corroboration | Med (if public ingest) | High | ADV-005 source_tier quarantine — structural nevers at UPSERT / outbox / advisory / STIX |
| Alias is victim name | Med | Med | Alias policy hash/omit; advisory notice |
Cross-tenant linkage via mule_key | Low (pilot) | High | Schema CHECK (reporting_tenant_id = tenant_id) until Phase C legal basis |
| DB compromise of cleartext account | Med | High | App-level AES-GCM + AAD; no plaintext signed JSONB |
| Replay / JWT abuse | Med | Med | jti store, payload binding, rate limits |
| FMS delivery drop | Med | Med | Outbox (B4) — not yet shipped |
6. Retention and erasure
| Store | Default retention | Erasure |
|---|---|---|
| Client IndexedDB evidence | User-controlled | App delete / clear site data |
| Gateway JTI / tickets | ~1h (token-bound) | TTL expiry |
| Postgres alerts (B3+) | 90 days (retention_expires_at) | Crypto-shred row + purge mule_key from corroboration |
Postgres triage_quarantine (when shipped) | 30 days | Crypto-shred row + purge quarantine indexes; never in corroboration |
| Logs | 90 days (ops target) | Rotate / delete |
Crypto-shred limits: PITR/WAL backups may retain ciphertext longer — bound backup retention ≤ product retention.
7. International transfers
Pilot: gateway hosted on Railway (region TBD). Document region and SCCs/adequacy before production bank onboard.
8. Consultation and review
- [ ] Internal security review
- [ ] Independent VAPT letter
- [ ] Design-partner bank DPIA review
- [ ] Re-assess when Phase C cross-tenant corroboration is enabled
9. Decision
Proceed with pilot under advisory-only disposition, measured extraction gates, and B0 encryption/tenancy schema. Do not claim “BNM-compliant” until RMiT control mapping is completed and reviewed.