Skip to content

Data Protection Impact Assessment (DPIA)

Status: Draft for pilot / design-partner review
Version: 0.1 · Date: 2026-07-11
Owner: Waspada AI engineering
Scope: Edge SDK + Gateway API (Phase A–B0). Phase B1–B6 durable store controls are designed; writers not yet live.


1. Summary

Waspada AI processes scam evidence (bank/e-wallet receipts) on the user device, extracts threat indicators (mule account, BIC, scammer alias, malicious URLs), and submits advisory telemetry to a gateway for bank FMS formatting. Victim identity documents (NRIC, phone) are stripped before egress. The pilot disposition is always advisory — no automated freeze.

Residual risk (honest): scammer alias may be a real person’s name used on a receipt; alias exposure is governed by SCAMMER_ALIAS_POLICY (hash / omit / clear). mule_key is a consistent hash of account|BIC and is re-identifiable pseudonymous data under PDPA — tenant-scoped queries and erasure apply.


2. Processing purposes

PurposeLegal basis (pilot framing)Notes
Extract mule / scam indicators from user-submitted evidenceLegitimate interest / consent of reporting userOn-device processing
Submit advisory telemetry to partner bank FMSContract with partner platformAlways disposition: advisory in pilot; partner_signed only
Quarantine anonymous public / WhatsApp triage indicatorsLegitimate interest / consent of reporting usersource_tier: public_triagenever FMS/corroboration without promotion; see ADV-005
Analyst review via SSE dashboardPartner operational needAuth via analyst API key / tickets
Retention for RMiT evidenceRegulatory expectation (design)90-day partner default; 30-day quarantine default; B6 purge

3. Data flows (high level)

See Data Flow Diagrams.

  1. Evidence (client): File → OCR/PDF → regex/NER → indicators → optional encrypted IndexedDB store.
  2. Telemetry egress: Indicators + JWT (RS256) → Gateway. Raw receipt text does not leave the device.
  3. Gateway: Verify JWT → optional RDAP enrich → FMS alert → webhook / SSE.
  4. Durable store (B0 schema, B3+ writers): Encrypted alert blob (per-row DEK), tenancy, retention columns.

4. PII / personal data inventory

DataWhere processedEgress?Retention
Raw receipt image/PDFClient memory / OCRNoVolatile; user-controlled if stored in IndexedDB
NRIC / phone in receipt textClient stripperNo (stripped)N/A
Mule account numberClient → Gateway (encrypted at rest in B3+)Yes (threat intel)90 days (design)
Mule account number (public_triage)Client → triage_quarantine (when public ingest ships)Analyst queue only until promotion30 days
Scammer aliasClient → Gateway (policy: hash/omit/clear)Conditional90 days
mule_key (sha256)Gateway / DBYes (join key)Erasure-scoped
Partner JWT claims (iss, jti)Gateway Redis/memoryInternaljti ≈ token lifetime
Analyst API keyAuth onlyNever logged as identitySecret rotation

PII stripper: regex-based NRIC + MY phone + email redaction before egress. Measured via unit tests; not a substitute for a formal DPIA sign-off.


5. Risks and mitigations

RiskLikelihoodImpactMitigation
Wrong mule account extractedMedHigh (bad intel)CI corpus eval (P/R gates); advisory-only disposition
Anonymous public-triage poisoning of FMS / corroborationMed (if public ingest)HighADV-005 source_tier quarantine — structural nevers at UPSERT / outbox / advisory / STIX
Alias is victim nameMedMedAlias policy hash/omit; advisory notice
Cross-tenant linkage via mule_keyLow (pilot)HighSchema CHECK (reporting_tenant_id = tenant_id) until Phase C legal basis
DB compromise of cleartext accountMedHighApp-level AES-GCM + AAD; no plaintext signed JSONB
Replay / JWT abuseMedMedjti store, payload binding, rate limits
FMS delivery dropMedMedOutbox (B4) — not yet shipped

6. Retention and erasure

StoreDefault retentionErasure
Client IndexedDB evidenceUser-controlledApp delete / clear site data
Gateway JTI / tickets~1h (token-bound)TTL expiry
Postgres alerts (B3+)90 days (retention_expires_at)Crypto-shred row + purge mule_key from corroboration
Postgres triage_quarantine (when shipped)30 daysCrypto-shred row + purge quarantine indexes; never in corroboration
Logs90 days (ops target)Rotate / delete

Crypto-shred limits: PITR/WAL backups may retain ciphertext longer — bound backup retention ≤ product retention.


7. International transfers

Pilot: gateway hosted on Railway (region TBD). Document region and SCCs/adequacy before production bank onboard.


8. Consultation and review

  • [ ] Internal security review
  • [ ] Independent VAPT letter
  • [ ] Design-partner bank DPIA review
  • [ ] Re-assess when Phase C cross-tenant corroboration is enabled

9. Decision

Proceed with pilot under advisory-only disposition, measured extraction gates, and B0 encryption/tenancy schema. Do not claim “BNM-compliant” until RMiT control mapping is completed and reviewed.

Waspada AI: Enterprise infrastructure powering public defense.