Security is a core part of how Motict is built, not an afterthought. We process customer conversations, business contact data, and WhatsApp message flows on behalf of hundreds of Indonesian and Southeast Asian businesses, and we take that responsibility seriously. Our security programme is designed to protect the confidentiality, integrity, and availability of customer data at every layer of the platform.
This page describes the technical and organisational controls Motict maintains. We review and update our security programme continuously as the threat landscape evolves. If you are an enterprise customer with specific security requirements or wish to conduct a vendor assessment, please reach out to admin@motict.com.
Every connection between end-users, the Motict web application, mobile clients, and our API endpoints is encrypted using Transport Layer Security (TLS) 1.2 or higher. We enforce HTTPS across all public-facing surfaces, and HTTP connections are automatically redirected to HTTPS. Our TLS configuration is periodically reviewed against current OWASP recommendations, and we disable deprecated cipher suites and protocols (SSLv3, TLS 1.0, TLS 1.1) proactively.
All customer data stored on our cloud infrastructure provider's managed databases, object storage, and block storage volumes is encrypted at rest using AES-256 encryption. Database backups are encrypted using the same standard. Encryption keys are managed through our cloud infrastructure provider's key management infrastructure, with access to key management restricted to authorised Motict platform engineers.
Motict enforces a principle of least privilege across all systems. Access rights are granted on a need-to-know basis and are reviewed quarterly. All production system access by Motict employees requires multi-factor authentication (MFA), and direct database access from developer workstations is prohibited in production — all changes flow through reviewed deployment pipelines.
For customer-facing access, Motict supports email/password authentication with mandatory strong-password enforcement, and offers TOTP-based two-factor authentication (2FA) for all account users. Enterprise plans include support for Single Sign-On (SSO) via SAML 2.0, enabling customers to enforce their own authentication policies including corporate MFA requirements. All authentication events and privileged access actions are logged in tamper-evident audit logs retained for 12 months.
Motict's production environment runs exclusively on cloud infrastructure in the Singapore (SGP1) region. Our cloud infrastructure provider holds ISO/IEC 27001:2013 certification and SOC 2 Type II attestation for its infrastructure services, providing a certified secure foundation for our platform. All infrastructure is provisioned and managed as code (IaC) using version-controlled configurations to ensure consistency and auditability.
Our network architecture segments production, staging, and development environments, with no direct network connectivity between them. Production servers are not directly accessible from the public internet; all inbound access is proxied through load balancers with web application firewall (WAF) rules, and all outbound traffic is subject to firewall egress controls. We perform automated vulnerability scanning of all running infrastructure on a weekly basis.
Motict operates 24/7 infrastructure monitoring with automated alerting for anomalous activity, service degradation, and potential security events. All application and infrastructure logs are centralised, searchable, and retained for 12 months. Our security team reviews alerts on a continuous basis, with on-call engineers responsible for responding to critical incidents at any hour.
We maintain a documented Incident Response Plan (IRP) that defines severity classifications, escalation procedures, communication responsibilities, and post-incident review requirements. In the event of a confirmed personal data breach, Motict will notify the relevant Indonesian supervisory authority (Kementerian Komunikasi dan Digital) within 14 days as required by Article 46 of UU PDP No. 27/2023, and will notify affected customers as soon as practicable. A post-incident report is produced for all Severity 1 incidents.
Motict's compliance programme is anchored to Indonesian law and the regulatory requirements applicable to electronic system operators in Indonesia. We operate in compliance with UU ITE No. 11/2008 (as amended in 2016 and 2024), PP No. 71/2019 on Electronic System and Transaction Implementation, and UU PDP No. 27/2023 (Indonesia's Personal Data Protection Law, effective October 2024).
As a WhatsApp Business API implementer, Motict adheres to the WhatsApp Business API Business Policy and applicable data security requirements. We have executed a Data Processing Agreement (DPA) with our messaging platform provider covering the processing of WhatsApp Business API message data. Customers requiring a Motict DPA for their own UU PDP compliance obligations may request one via admin@motict.com.
Before onboarding any third-party vendor or sub-processor that will access or process customer data, Motict conducts a security and privacy due diligence review. This review assesses the vendor's security certifications, data handling practices, breach history, and contractual willingness to execute a Data Processing Agreement with appropriate data protection obligations.
We maintain a current sub-processor register and update it as our vendor relationships change. Customers are notified of material changes to sub-processors with at least 30 days' advance notice, providing the opportunity to object. All sub-processors are required to maintain security standards at least equivalent to those Motict applies to its own systems, and are subject to contractual audit rights.
Motict values the security research community and is committed to working with researchers who identify and responsibly disclose security vulnerabilities in our platform. If you have discovered a potential security issue in Motict's web application, API, or infrastructure, please let us know promptly so we can investigate and address it.
Please send vulnerability reports to admin@motict.com with the subject line "Security Vulnerability Report". Include a clear description of the vulnerability, the steps to reproduce it, and your assessment of its potential impact. We will acknowledge your report within 2 business days and aim to provide an initial assessment within 5 business days. We ask that you give us a reasonable remediation window — typically 90 days for complex issues — before any public disclosure.