5CIP Trust Center

Security, privacy, and evidence-integrity commitments for law enforcement agencies, legal counsel, and enterprise clients.

Core Commitments

Every forensic report delivered by 5CIP satisfies these non-negotiable standards.
WORM Evidence Integrity
  • MinIO S3 Object Lock — GOVERNANCE mode
  • SHA-256 + SHA3-256 dual-hash chain per write
  • Immutable 90-day retention floor
  • COMPLIANCE mode upgrade post Day-87
  • Evidence files are tamper-evident by design
Judicial-Grade Forensics
  • Every TX hash verified on-chain before report
  • No address truncation — full 42-char EIP-55 only
  • Three-tier confidence rating (Tier 1A/1B/2/3)
  • Cross-validated by 3+ independent LLMs
  • verify_pipeline.py must pass before delivery
Data Protection (PDPA)
  • Singapore Personal Data Protection Act 2012
  • Designated DPO: [email protected]
  • Data-subject requests fulfilled within 30 days
  • Breach notification to PDPC within 72 hours
  • Sub-processor DPA reviewed annually
Application Security
  • OWASP Top-10 controls enforced in CI
  • JWT RBAC — no shared credentials
  • Parameterised queries — no SQL injection surface
  • Hard Gate pre-flight blocks unsafe deploys
  • Secrets in environment variables, never in code
Availability & Reliability
  • Celery + Redis async queue — no blocking I/O
  • DLQ Watchdog alerts on stale tasks > 180 s
  • DRAIN flag for zero-downtime maintenance
  • Live monitoring portal with queue depth metrics
  • Automated nightly self-audit at 01:00 SGT
Multi-Chain Coverage
  • Ethereum, BSC, Polygon, Arbitrum, Base
  • TRON, Solana, Bitcoin (UTXO model)
  • Cross-chain bridge tracing (all major bridges)
  • Tornado Cash / mixer detection
  • CEX deposit identification via MistTrack + Arkham

Certifications & Standards

Singapore PDPA 2012 (Active)
Governing law for all personal data processed by Innora Information Technology Pte. Ltd.
DPO Appointment (Active)
Statutory DPO designated per PDPA Section 11(3), effective 2026-04-29.
PDPC Registry Filing (In Progress)
DPO contact published; PDPC registry notification in progress.
SOC 2 Type I (Planned)
Scheduled Day-180+. External auditor shortlisted. Controls already mapped.
ISO 27001 (Planned)
Gap assessment planned Q3 2026 concurrent with SOC 2 audit.

Security Controls Summary

Authentication: JWT RS256, RBAC, short-lived tokens, email verification
Encryption at rest: AES-256 via MinIO server-side encryption
Encryption in transit: TLS 1.3 enforced; HSTS preload submitted
Secrets management: All secrets in environment variables; never committed to git
Dependency scanning: pip-audit + npm audit in CI pipeline
Hard Gate: pre_flight_hard_gate.py exits non-zero on compliance failure; deploy aborts
Incident response: IRP in compliance/incident_response_playbook.md; P0 = 72h PDPC notification

Evidence Pipeline — How We Protect Your Data

STEP 01: Intake & Encryption
Case data is received over TLS 1.3. PII fields are encrypted at rest. Case files are assigned a cryptographic case-ID.
STEP 02: On-Chain Verification
Every address and TX hash is verified against the live blockchain via Etherscan V2 + MistTrack + Arkham before analysis begins.
STEP 03: WORM Archival
All evidence files are written to MinIO with Object Lock GOVERNANCE. SHA-256 + SHA3-256 hashes are recorded in the dual-hash chain.
STEP 04: LLM Second Opinion
High-uncertainty conclusions are automatically reviewed by a second independent LLM. The review payload is appended to the WORM log.
STEP 05: Pipeline Verification
verify_pipeline.py performs two-stage validation: Python exact-match on 45 addresses, 13 TX hashes; then LLM semantic validation.
STEP 06: GPG-Signed Delivery
Final report is rendered to PDF, signed with GPG key 7D1A285E ([email protected]), and delivered via encrypted email.
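
A sketch of how a dual-hash chain like the one in Step 03 makes evidence tamper-evident, added here as an illustration and not 5CIP's own code. The page does not publish the chain format, so the record layout, the genesis value, and the names `append_entry` and `verify_chain` are assumptions.

```python
import hashlib
import json

# Assumed link value for the first entry; the page does not define one.
GENESIS = {"sha256": "0" * 64, "sha3_256": "0" * 64}

def digests(data: bytes) -> dict:
    """SHA-256 and SHA3-256 of the same bytes (both are in hashlib)."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sha3_256": hashlib.sha3_256(data).hexdigest()}

def link_bytes(entry: dict) -> bytes:
    """Canonical encoding of the fields that the link hashes cover."""
    body = {k: entry[k] for k in ("seq", "object_key", "content", "prev")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(chain: list, object_key: str, payload: bytes) -> dict:
    """Record one write: hash the payload twice, link to the previous entry."""
    prev = chain[-1]["link"] if chain else GENESIS
    entry = {"seq": len(chain), "object_key": object_key,
             "content": digests(payload), "prev": prev}
    entry["link"] = digests(link_bytes(entry))
    chain.append(entry)
    return entry

def verify_chain(chain: list, objects: dict) -> list:
    """Return (seq, reason) for every entry that fails a check."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            problems.append((i, "broken link"))
        if entry["link"] != digests(link_bytes(entry)):
            problems.append((i, "entry modified"))
        stored = objects.get(entry["object_key"])
        if stored is None or digests(stored) != entry["content"]:
            problems.append((i, "content mismatch"))
        prev = entry["link"]
    return problems

def demo():
    # Constructed sample objects, not real case data.
    objects = {"case-001/trace.json": b'{"hops": 3}',
               "case-001/report.pdf": b"%PDF-1.7 constructed sample"}
    chain = []
    for key, data in objects.items():
        append_entry(chain, key, data)
    clean = verify_chain(chain, objects)
    objects["case-001/trace.json"] = b'{"hops": 4}'  # simulate tampering
    return clean, verify_chain(chain, objects)
```

Rewriting an earlier entry so that its own hashes match again still breaks the `prev` link of the entry after it, which is why the chain has to be checked end to end and not entry by entry.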

GPG Report Signing Key

All 5CIP forensic reports are signed with a GPG detached signature. Verify the PDF has not been modified since delivery.
Full fingerprint: 7D1A 285E F3FE 907C 1594 FA29 2E73 300F 628A E89E
Key UID: Jiqiang Feng <[email protected]>
ed25519 · created 2026-03-01
Verify a report
gpg --import 5cip-gpg-public.asc
gpg --verify report.pdf.asc report.pdf
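
`gpg --verify` reports a good signature for any key present in the keyring, so an automated check should also pin the signer to the full fingerprint published above. The added example below (not 5CIP's tooling) reads the machine-readable lines that `gpg --status-fd 1 --verify report.pdf.asc report.pdf` prints; the sample status output and the second fingerprint are constructed.

```python
# Full fingerprint as published on this page.
PINNED_FPR = "7D1A 285E F3FE 907C 1594 FA29 2E73 300F 628A E89E"
# Status keywords that mean the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize(fpr: str) -> str:
    """Drop spaces and upper-case a fingerprint so two spellings compare equal."""
    return "".join(fpr.split()).upper()


def status_records(status_output: str) -> list:
    """Split gpg --status-fd output into (keyword, args) pairs."""
    records = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            records.append((parts[1], parts[2:]))
    return records


def signed_by_pinned_key(status_output: str, pinned: str = PINNED_FPR) -> bool:
    """True only for exactly one valid signature made by the pinned key."""
    signers = []
    for keyword, args in status_records(status_output):
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[9] is the primary-key fingerprint when gpg supplies it;
            # args[0] is the fingerprint of the key that made the signature.
            signers.append(normalize(args[9] if len(args) >= 10 else args[0]))
    return signers == [normalize(pinned)]


# Constructed status output (only the lines the check reads), not a real run.
PINNED_OK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG 7D1A285EF3FE907C1594FA292E73300F628AE89E 2026-05-01 "
    "1777593600 0 4 0 22 10 00 7D1A285EF3FE907C1594FA292E73300F628AE89E\n"
)
# Same shape, but signed by a different (made-up) key that is also in the keyring.
OTHER_KEY = PINNED_OK.replace("7D1A285EF3FE907C1594FA292E73300F628AE89E",
                              "0123456789ABCDEF0123456789ABCDEF01234567")
```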

Data Residency & Sub-Processors

5CIP processes data in Singapore. All primary infrastructure is hosted on Hetzner Cloud (Singapore region). Evidence WORM storage uses self-hosted MinIO on dedicated hardware within Singapore.
Key sub-processors and their roles:
Hetzner Cloud (SG): Primary compute — Singapore CX servers
Cloudflare: CDN, DDoS protection, DNS — no data stored
Etherscan: Public blockchain data — no PII transmitted
Arkham Intelligence: Entity labels — wallet addresses only
MistTrack: Risk scoring — wallet addresses only
PayPal: Payment processing — PCI DSS Level 1

Data Subject Rights

Under Singapore's PDPA, individuals whose personal data we process may exercise the following rights:
Right to Access: Request a copy of your personal data within 30 calendar days.
Right to Correction: Request correction of inaccurate personal data.
Right to Withdraw Consent: Withdraw consent at any time with reasonable notice.
Right to Data Portability: Receive your data in a structured, machine-readable format.
Breach Notification: You will be notified within 72 hours of a credible notifiable breach.
To exercise any right, email [email protected] with subject line [PDPA Request].

Data Protection Officer

Designated under PDPA Section 11(3) · Innora Information Technology Pte. Ltd. · Singapore
Effective: 2026-04-29
This page was last reviewed on 2026-04-29.
5CIP is operated by Innora Information Technology Pte. Ltd.
UEN: pending registration · Singapore

Data Processing Agreement (DPA)

5CIP maintains a standard DPA for enterprise clients and law firms requiring a PDPA-compliant data processing agreement. It covers sub-processors, data residency (Singapore), retention periods, audit rights, and your DSAR response SLA.
PDPA Singapore
GDPR Art. 28 compatible
v1.0 · 2026-05-22
Typically returned within 1 business day

Enterprise Procurement Packet

Security and compliance documents for vendor due diligence, InfoSec reviews, and procurement teams.
Security Overview (Available on request)
Architecture summary, access controls, encryption, incident response, and OWASP controls.
Data Processing Agreement (DPA) (Available on request)
PDPA- and GDPR-aligned DPA covering data subject rights, sub-processor flows, retention periods, and breach notification.
Sub-Processor List (Available on request)
Full list of third-party sub-processors with data category, transfer mechanism, and DPA status.
Data Retention Policy (Available on request)
Retention schedules by data category: case files (90-day WORM floor + client-directed), PII (30-day post-engagement), logs (12 months).
Penetration Test Summary (Under NDA)
Executive summary of most recent internal security audit. Full report available under NDA.
SOC 2 Type I Report (Planned)
SOC 2 Type I audit scheduled Day-180+. Controls already mapped to AICPA Trust Services Criteria.
Email [email protected] with subject line shown — documents sent within 1 business day.

Evidence Methodology

Every 5CIP report is produced under a published, versioned methodology — including confidence tiers, mandatory data sources, WORM storage, and cryptographic verification.