Disclaimer
Data Security and Liability Disclaimer
Data Security and Liability Disclaimer
This Data Security and Liability Disclaimer (“Disclaimer”) is entered into between ControlVM Sdn Bhd (“ControlVM”, “we”, or “our”) and the client (“Client”, “you”, or “your”) that engages or uses ControlVM’s server management and/or remote support, hosting, cloud, or other services (the “Services”). This Disclaimer forms part of ControlVM’s Terms of Service (the “Agreement”), unless executed as a standalone document, in which case this Disclaimer itself constitutes the Agreement.
ControlVM reserves the right to modify this Disclaimer from time to time. Unless otherwise stated, any updated version shall become effective on the effective date specified in the updated Disclaimer after being published at https://controlvm.com/disclaimer/ (or such other official website designated by ControlVM). The version of this Disclaimer published on the above link(s) shall constitute the current and authoritative version applicable to the Services. Any previously executed, signed, or published version shall be superseded by the online version from its applicable effective date, to the extent permitted by applicable law.
If the Client does not agree to a material amendment affecting the Client’s rights or obligations, the Client may terminate the Services in accordance with the Agreement before the effective date of such amendment.
Last Update: 1st July 2026
Effective Date: 1st Aug 2026
The Client’s continued use of the Services after the effective date of any amendment constitutes acceptance of the updated Disclaimer.
1. Security Commitment and Limitations
- Scope of Security Commitment: ControlVM implements reasonable technical and organizational security measures designed to protect the server under its management. However, despite these efforts, no network, server, system, or software can be guaranteed to be completely secure against cybersecurity threats. Accordingly, ControlVM cannot and does not warrant or guarantee absolute security protection.
- Client Responsibilities: The Client remains responsible for ensuring that all their own applications, databases, systems, software, scripts, and related environments that are not managed or controlled by ControlVM are properly maintained, secured, configured, and kept up-to-date. ControlVM shall not be responsible for application-level security, source code review, vulnerability remediation, penetration testing, regulatory compliance assessments or cybersecurity consulting services.
- Exclusion of Third-Party and Application Liabilities: ControlVM shall not be responsible for security incidents, data breaches, or system failures arising from vulnerabilities, unsupported or out-dated systems, applications, or software that is not directly managed or controlled by ControlVM, including those developed, operated or maintained by third-party vendors engaged or authorised by the Client.
2. Responsibility Under the Malaysia Personal Data Protection Act (PDPA)
- Where the Client determines the purposes and means of processing personal data, the Client, under the Malaysia PDPA, remains solely responsible for compliance with all PDPA obligations and any applicable regulations, including but not limited to breach notifications to the Commissioner and affected individuals.
- The Client remains responsible for determining the geographic location, regulatory suitability, and lawful processing basis of any data stored or processed through the Services.
- ControlVM solely provides server management and remote support services in accordance with the Client’s instructions, and within the agreed scope of services.
3. Data Breach Response
- In the event that ControlVM becomes aware of a security incident affecting servers under its management, ControlVM will take reasonable steps to mitigate potential harm to the best of our knowledge and ability.
- ControlVM will notify the Client of such an incident no later than forty-eight (48) hours, after becoming aware of a material security incident affecting the server under its management.
- The Client remains solely responsible for any legal or regulatory notifications, filings required under the Malaysia Personal Data Protection Act (PDPA) or other applicable laws, including notifications to regulators, affected individuals, financial institutions, or other third parties.
4. No Direct Access to Client Data
- ControlVM provides server management or remote support services at the infrastructure and operating system level.
- ControlVM does not intentionally or directly access, retrieve, process, use, or disclose the Client’s business information or application-layer personal data stored within the server, except where strictly necessary for the provision of server management, troubleshooting, maintenance, or support activities, or where expressly instructed or authorized by the Client in writing (including email or verified messaging platforms such as WhatsApp).
- The Client remains solely responsible for the confidentiality, integrity, and security of the data it stores, transmits, or processes on the server, including compliance with applicable laws and regulations.
5. Third-Party Access
- If the Client authorizes any third-party vendor, consultant, or service provider to access the server, the Client assumes full responsibility and liability for granting and managing such access control decisions.
- ControlVM shall not be liable for acts, omissions, loss, damage, security incidents, or data breaches caused by third-party access authorized by the Client.
- ControlVM reserves the right to log and monitor such access for operational security, but the responsibility for approving and managing third-party access remains with the Client.
6. Security Recommendations and Waiver
- ControlVM may recommend that the Client implement security measures, including but not limited to:
- Multi-Factor Authentication (MFA);
- privileged account segregation & role-based access;
- password management & access control policies;
- application & system software patching.
- vulnerability remediation;
- Security event activity logging.
- Should the Client decline, disable, or failure to implement such recommendations, the Client explicitly acknowledges the increased cybersecurity risks and accepts full responsibility for all associated risks, data breaches, or losses arising from such decisions.
7. Limitation of Liability:
The Client acknowledges that it remains responsible for its compliance obligations under the Personal Data Protection Act 2010 of Malaysia in relation to the personal data processed through its systems.
To the maximum extent permitted by applicable law:
- ControlVM shall not be liable for any indirect, incidental, consequential, exemplary, punitive or special damages, including loss of profits, business interruption, loss of goodwill, loss of anticipated savings, loss of business opportunity or reputational damage arising out of or in connection with the Services. Except to the extent arising from ControlVM’s gross negligence, wilful misconduct, fraud, or any liability that cannot be excluded or limited under applicable law, ControlVM, its directors, officers, employees, and affiliates shall not be liable to the Client or to any third party for any damages, losses, claims, liabilities, costs, or expenses (including legal fees) arising out of or in connection with data breaches, cyberattacks, system vulnerabilities, unauthorized access, or third-party actions.
- This limitation applies to all claims, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, including claims brought by or through the Client, the Client’s customers, end users, business partners, vendors, business clients (B2B), investors, shareholders, insurance companies, banks, payment processors, financial institutions, cybersecurity auditors, or consultants.
- ControlVM’s total aggregate liability arising out of or relating to the Services, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the total fees actually paid by the Client to ControlVM for the Services during the three (3) months immediately preceding the first event giving rise to claim.
8. Indemnification
The Client agrees to indemnify, defend, and hold harmless ControlVM, its directors, officers, employees, and affiliates from and against any claims, damages, costs, liabilities and expenses (including legal fees) arising from:
- any act or omission of the Client or any third-party vendor, consultant, or service provider authorised by the Client;
- the Client’s failure to implement or maintain security measures recommended by ControlVM;
- the Client’s breach of its obligations under the Personal Data Protection Act 2010 of Malaysia or any other applicable law; or
- any instructions, configurations, or actions requested or approved by the Client that materially contribute to the relevant claim or loss.