The Personal Data Protection Law (UU PDP) No. 27 of 2022 is Indonesia's primary data protection regulation, effective October 2024. The CRIVE platform, as a processor and controller of personal data, must comply with all provisions of this law.

| No | Compliance Item | UU PDP Reference | Status |
|---|---|---|---|
| H.1 | Privacy Policy — Bilingual ID/EN, 13 sections | Articles 20, 21, 26 | ✅ PASS |
| H.2 | Terms of Service — Bilingual ID/EN, 12 sections | Articles 22-24, App Store | ✅ PASS |
| H.3 | Data Processing Agreement (DPA) — 20 active sub-processors | Articles 35-37 | ✅ PASS |
| H.4 | Data Deletion Endpoint (Right to Erasure) — Cryptographic Erasure | Articles 44-46 | ✅ PASS |
| H.5 | DPO Designation + Data Residency — CEO as DPO, AWS Singapore | Articles 52-54 | ✅ PASS |
| H.6 | AI Consent Screen — Default ON, toggle opt-out | Articles 20-26 | ✅ PASS |
| H.7 | 7 Sensitive Data Categories Excluded from AI Training | Articles 4(2), 16 | ✅ PASS |
| H.8 | Breach Response SOP + Lawyer Sign-Off | Articles 46-48 | ⏸️ DEFER |

| Total Items | PASS | DEFER | Gate Status |
|---|---|---|---|
| 8 Items | 7 / 8 | 1 / 8 (H.8 Lawyer) | ✅ CONDITIONAL GO |

CVE-003 v7.0.0 defines 5 Privacy Enhancements exceeding UU PDP minimum requirements:

| ID | Enhancement | Description | Sprint |
|---|---|---|---|
| PV.1 | Granular Privacy Dashboard | Visual data inventory + access log + controls | Sprint 13 |
| PV.2 | AI Transparency Report | Per-user transparent report on AI data usage | Sprint 13 |
| PV.3 | Poinmate Privacy Addendum | ZERO browsing data guarantee + kill switch | Sprint 9 |
| PV.4 | Breach Notification 3×24h | CRIVE internal standard (stricter than 14-day UU PDP) | Sprint 13 |
| PV.5 | Granular Consent Matrix | Separate consent per: profile, content, AI, analytics, Poinmate | Sprint 3 |

| Article | Provision | CRIVE Relevance |
|---|---|---|
| Articles 4-16 | General and sensitive personal data categories | User data classification, 7 categories excluded from AI |
| Articles 20-26 | Consent for data processing | AI Consent Screen, Cookie Banner, ToS acceptance |
| Articles 35-37 | Controller & processor obligations | DPA with 20 active sub-processors |
| Articles 44-46 | Data subject right to erasure | POST /v1/user/privacy/delete + Cryptographic Erasure |
| Articles 46-48 | Data breach notification | Breach Response SOP: 3×24h (PV.4) / 14 working days |
| Articles 52-54 | Data Protection Officer | CEO as DPO ad interim, privacy@crive.app |
| Article 65 | Criminal penalties for sensitive data | Fines up to Rp 60 Billion / 6 years imprisonment |
| Article 66 | Corporate penalties | Fines up to Rp 600 Billion for legal entities |

Questions about data compliance?
privacy@crive.app
Jamal NR — CEO & DPO ad interim
PT Vintora Teknologi Indonesia
Response within 14 working days