Skip to content

Trust Center

Updated as at June 24, 2026.

Our Approach

IMPACT is a productivity platform that helps teams and organisations of every size organise their work, move it forward, and lead their people. Trusting a platform with your business and customer data is a serious decision. This page describes — plainly and honestly — how we protect that data and where we are on our security journey. We state only what is true today, and we say "working toward" where work is still in progress.

Infrastructure

IMPACT runs on Google Cloud Platform (GCP). Our hosting provider operates data centres certified to international standards including ISO/IEC 27001 and SOC 2 — these are Google Cloud's certifications for the underlying infrastructure, which IMPACT builds on under the cloud shared-responsibility model. We do not operate our own data centres.

Encryption

  • In transit: all connections to IMPACT are encrypted using TLS (HTTPS).
  • At rest: customer data is encrypted at rest using Google Cloud / Cloud SQL platform encryption.

Data Ownership & Tenancy

Your business data belongs to you. IMPACT acts as a data processor handling your data on your instructions; you remain the controller of your business and customer information. Each customer's data is logically separated within the platform, with access enforced by application-layer authorization. Strengthening and independently testing these tenant-isolation controls is an active priority for us.

Sub-processors

We use a small number of trusted providers to deliver the service. Each processes only the data needed for its function:

ProviderPurpose
Google Cloud (GCP)Hosting and infrastructure
StripePayment processing (card details are handled by Stripe, not stored by IMPACT)
AnthropicAI-powered features
TavilyWeb search for AI features

Card payments are processed by Stripe, a PCI-DSS Level 1 certified payment provider (Stripe's certification, under the shared-responsibility model). IMPACT never sees or stores full card numbers.

We update this list when our sub-processors change. The current list is also reflected in our Data Processing Addendum.

Privacy & Compliance

  • PDPA (Malaysia): IMPACT operates under Malaysia's Personal Data Protection Act 2010. You can exercise your data rights, and reach our Data Protection Officer, at pdpo.my@imstar.io.
  • EU & US privacy: our Privacy Notice includes GDPR (EU/UK) and CCPA (California) disclosures. We do not sell or share your personal data.
  • International standards: we are working toward formal alignment with ISO/IEC 27001 and SOC 2 practices. We will publish independent verification here once it is completed — we do not claim a certification we have not earned.
  • Cookies: we ask for your consent before setting non-essential cookies on our website. See our Cookie Policy for the full list and your choices.
  • Data retention: we keep personal data only as long as it is needed for the purposes we describe. Our Privacy Notice sets out retention periods by category of data.
  • Breach notification: if a personal-data breach affects your information, we will notify you and the relevant authorities in line with our Data Processing Addendum and applicable law.

Contact