Commitment and Guarantee of User Data and Transaction Security

Last updated : May 04, 2022

Last revision : 

 

This document will be effective from Wed, 04 May 2022.


 

POPIT SNACK PLATFORM COMMITMENT DOCUMENTS FOR ELECTRONIC SECURITY PROTOCOL

This page is intended as part of public information and also as a tool for the Company “PT. Mandiri Tunggal Sejahtera Berkarya” to implement, assess, and evaluate the level of readiness (Completeness and Maturity) of the application of information security based on the criteria of SNI ISO/IEC 27001, namely Governance, Risk Management, Framework, Asset Management, and Technological Aspects, with the addition of Service Provider Third Party Engagement Security, Cloud Infrastructure Services Security, and Personal Data Protection.

Based on Ministerial Regulation (Permen) No. 20 of 2016 concerning Personal Data Protection (PDP), stipulated November 7, 2016, promulgated and effective from December 1, 2016, and Government Regulation (PP) No. 82/2012 concerning Implementation of Electronic Systems and Transactions (PSTE), promulgated and in effect since October 15, 2012, the following are defined:

Owner of Personal Data is an individual to whom Certain Personal Data is attached. Each Electronic System Operator must have internal rules for the protection of Personal Data to carry out the process. Each Electronic System Operator must prepare internal rules for the protection of Personal Data as a form of preventive measure to avoid failures in the protection of the Personal Data that it manages. The acquisition and collection of Personal Data by the Electronic System Operator must be based on Approval or on the provisions of laws and regulations.

Personal Data stored in the Electronic System must be Personal Data whose accuracy has been verified. Personal Data that is stored in the Electronic System must be in the form of encrypted data. if there are no statutory provisions that specifically regulate it.

Data center rules. The data center and disaster recovery center of Electronic System Operators for public services used for the protection process must be placed within the territory of the Republic of Indonesia, and accredited. An accredited registrar is a company that has passed the stages of the accreditation process to gain access and authority to register a domain directly with the Registry. The accreditation and audit process covers technical feasibility, financial, and various other aspects.

This rule emphasizes that the electronic system that can be used in the personal data protection process is an electronic system that has been certified and has internal rules regarding the protection of personal data, which must pay attention to aspects of technology application, human resources, methods, and costs. The owner of personal data has the right to the confidentiality of his data; has the right to file a complaint in the context of resolving personal data disputes; has the right to have access to historical personal data; and has the right to request the destruction of certain personal data belonging to him in the electronic system.

The Electronic System Operator is obliged to provide access or opportunity for the Personal Data Owner to change or update his/her Personal Data without disturbing the Personal Data management system, unless otherwise stipulated by the provisions of laws and regulations; to destroy Personal Data in accordance with the provisions of this Ministerial Regulation or the provisions of other laws and regulations that specifically regulate the respective Supervisory and Sector Regulatory Agencies for that purpose; and to provide a contact person who is easily contacted by the Personal Data Owner regarding the management of his Personal Data.

If the owner of the personal data is a child, the approval as referred to in this regulation is given by the parent or guardian of the child concerned. Electronic system operators who have provided, stored, and managed personal data before this Ministerial Regulation came into effect are required to maintain the confidentiality of existing personal data. Those who violate the rules will only be subject to administrative sanctions in the form of: (a) verbal warnings; (b) written warnings; (c) temporary suspension of activities; and/or (d) announcements on online sites, the procedure for which will be regulated by a Ministerial Regulation.

INDONESIAN DATA CENTER COMMUNICATION ACCESS (IIX)

“Web Hosting” is a service provided by the service provider operator to store all files and data on a special server so that they can be accessed by users via the internet network. PT. Mandiri Tunggal Sejahtera Berkarya appointed CV. RumahWeb Indonesia and Alibaba Cloud Indonesia as operators of Web Hosting services, to store the central database and customer transactions of PT. Mandiri Tunggal Sejahtera Berkarya, located in the Special Region of Yogyakarta and the Special Capital Region of Jakarta, Indonesia.

ALIBABA CLOUD INDONESIA

By informing the public, users of the PopIt Snack site and application are deemed to have known and understood the Alibaba Cloud Indonesia Data Center Policy according to where the company data is stored. Information regarding the agreements and policies of Alibaba Cloud Indonesia as the operator of the Web Hosting service provider can be found on the official website at https://id.alibabacloud.com/ or in their Alibaba Cloud International Privacy Policy, Alibaba Cloud Data Encryption SLA, Alibaba Cloud ECS SLA, Alibaba Cloud Data Transmission SLA, Alibaba Cloud CDN SLA, Alibaba Cloud Computing SLA, and Alibaba Cloud Web Hosting SLA.

CV. RUMAHWEB INDONESIA

By informing the public, users of the PopIt Snack site and application are deemed to have known and understood the CV. RumahWeb Indonesia Data Center Policy according to where the company data is stored. Information about the agreements and policies of CV. RumahWeb Indonesia as an operator of Web Hosting service providers can be seen on its official website at https://www.rumahweb.com/ or in their RumahWeb General Policy, RumahWeb Service Level Agreement (SLA), RumahWeb Acceptable Use Policy (AUP), RumahWeb Web Hosting Agreement, and RumahWeb Privacy Policy.

Other matters concerning the security of the Electronic System Operator PT. Mandiri Tunggal Sejahtera Berkarya have been published separately but cannot be released, which can be seen on the Security Commitment and Guarantee page of Electronic System Operator PT. Mandiri Tunggal Sejahtera Berkarya on this site.

INFORMATION LOCATION OF DATA CENTER / DATA COMMUNICATION IN INDONESIA

ALIBABA CLOUD INDONESIA

IP Data Center : 8.215.42.172
Host name : popitsnack.com
IP range : 8.215.0.0-8.215.255.255 CIDR
ASN : AS45102
ISP : Alibaba.com Singapore E-Commerce Private Limited
Organization : Alibaba (US) Technology Co., Ltd.
Organization : Alibaba Group Holding Limited.
Type : Broadband
Assignment : Static IP
Blacklist : No
Country : Indonesia (ID)
Region : DKI Jakarta
City : Jakarta
Postal Code : 12850
Time zone : Asia/Jakarta, GMT+0700
Latitude : -6.1741 (6° 10′ 28.00″ S)
Longitude : 106.8386 (106° 49′ 48.00″ E)

CV. RUMAHWEB INDONESIA

IP Data Center : 103.247.9.88
Decimal : 1744243032
Hostname : wibisana.iixcp.rumahweb.com
ASN : 58487
ISP : Rumahweb Indonesia CV.
Organization : Rumahweb Indonesia CV.
Type : Broadband
Assignment : Static IP
Blacklist : No
Country : Indonesia (ID)
Region : DIY Yogyakarta
City : Yogyakarta
Time zone : Asia/Jakarta, GMT+0700
Latitude : -6.175 (6° 10′ 30.00″ S)
Longitude : 106.8286 (106° 49′ 42.96″ E)

CYBER SECURITY INFORMATION

Common Name : popitsnack.com
SANs : *.popitsnack.com, popitsnack.com
Organization : PT. Mandiri Tunggal Sejahtera Berkarya
Locality : Bandung
State : West Java
Country : Indonesia (ID)
Algorithm Type : SHA256withRSAEncryption
Valid From : Wed, 04 May 2022
Valid To : Tue, 02 Aug 2022
Serial Number : 0357172cd6a43409e315f5d588dc1dc30777
Issuer : R3. Certification Authority

Common Name : Let’s Encrypt Certification Authority
Organization : Let’s Encrypt
Locality : San Francisco
State : California (CA)
Country : US
Algorithm Type : sha256WithRSAEncryption
Valid From : 2020-Sep-04 00:00:00 GMT
Valid To : 2025-Sep-15 16:00:00 GMT
Serial Number : 4001772137d4e942b8ee76aa3c640ab7
Issuer : ISRG Root X1 Certification Authority

Common Name : Let’s Encrypt Certification Authority
Organization : Let’s Encrypt
Locality : San Francisco
State : California (CA)
Country : US
Algorithm Type : sha256WithRSAEncryption
Valid From : 2021-Jan-20 19:14:03 GMT
Valid To : 2024-Sep-30 18:14:03 GMT
Serial Number : 4001772137d4e942b8ee76aa3c640ab7
Issuer : DST Root CA X3

This information can be analyzed using publicly available utilities such as Digicert.

CLOUD COMMUNICATION ACCESS

PT. Mandiri Tunggal Sejahtera Berkarya distributes Content Delivery Network (CDN) traffic access for web browsers and applications through Alibaba Cloud’s CDN Service. CDN is the backbone within the internet network that is responsible for content delivery.

The Electronic Mail (Email) traffic service does not go through the Alibaba Cloud Service, but through CV. RumahWeb Indonesia. All our site and application traffic is protected with encrypted security algorithms, according to the Index KAMI Technical Guidelines (Information Security).

TRANSACTION ACCESS

PT. Mandiri Tunggal Sejahtera Berkarya distributes traffic access for transactions through payment gateways for web browsers and applications designated by the company in accordance with the transaction security protocol chart. Publications regarding the Company’s Partners are available on the Payment Policy page.

The security of your transactions is our priority.
We understand that the security of transaction data is of utmost importance. Therefore, we do our best to provide security for each of your transactions. Company Partners are required to have advanced anomaly detection technology, tokenization, and anomaly detection formula layers specifically to be applied in our algorithm. Other matters in determining the Transaction Security Guarantee and User / Customer Data, which are national standards according to the law, are as follows:

  1. Registered and Compliant with Bank Indonesia
    Registered with Bank Indonesia and holds a Bank Indonesia license. This national standard stipulates the terms and conditions for payment gateway companies in providing payment services.
  2. Registered and Compliant with the Ministry of Communication and Information of the Republic of Indonesia
    Registered as an Electronic System Operator at the Ministry of Communication and Information of the Republic of Indonesia.
  3. Have AES 256 Encryption
    AES (Advanced Encryption Standard) is an electronic encryption standard established by the US National Institute of Standards and Technology. First used by the United States government and then used worldwide, AES uses the latest algorithms to protect digital information. The implementation of AES-256 encryption ensures that we protect sensitive data from thieves and unauthorized access. We protect every transaction with AES-256 so you can transact with peace of mind.
  4. Have PCI DSS Certification
    Payment Card Industry Data Security Standard (PCI-DSS) License. Issued by the PCI Security Standards Council, this license certifies that our systems meet high data security standards. The security of your transactions is very important to us. Therefore, we always ensure that our team meets the operational and technical requirements set by the PCI Security Standards Council. We apply all these standards to protect transactions from data vulnerabilities. We follow the security measures that have been implemented. This includes maintaining a secure network, encrypting cardholder data, and maintaining strict access controls. The items mentioned here are only some of the standards set. Further information can be accessed on the PCI Security Standards Council website.
  5. Has ISO 27001 Certification
    ISO/IEC 27001 Certification. This international standard establishes the requirements for establishing, running, maintaining, and advancing the security of information management systems in an organization. This certification requires us to assess and process information security risks specific to our organization. By complying with the requirements of ISO 27001, we can protect your data and transactions from internal and external risks based on international standards.

For penetration information, publicly available utilities such as Browserleaks may be used to view our encrypted connection to the browser you are using. Recommendations for the type of browser, including the minimum display dimensions that should be used, are provided at the foot of the site. The encrypted connection may vary from one user to another, due to different settings for each use.

 

TRANSACTION SECURITY PROTOCOL FLOWCHART

 

This Commitment and Guarantee Information is published, edited, and last displayed in accordance with the Privacy Policy of the official PopIt Snack website and the Technical Guidelines for the Index KAMI (Information Security) at the Ministry of Communications and Information Technology of the Republic of Indonesia and the State Cyber Password Agency of the Republic of Indonesia in the context of Electronic System Operation, dated Monday 28 February 2022.

 
