
Trust is what we can show you.

A regulated-lending vendor is judged on what regulators, auditors, and counsel can verify without our help. This page is what they read first.

Custody posture

Bolehlah is not an e-money issuer. We do not hold customer funds.

Disbursement and collection move through the lender's own licensed banking rail at all times — typically CIMB OctoSync, Bank Rakyat batch upload, or an equivalent. Funds never settle into a Bolehlah-owned account on the way to the borrower. Where a lender opts for the pass-through backup rail, funds transit for minutes through the lender's nominated custodian under the lender's written standing authority — not Bolehlah's balance sheet.

Audit trail

Every action is written to an evidence trail a regulator can read without our help.

Consent capture, AKAD signature, disbursement instruction, eKYC outcome, and any manual override are logged with timestamp, actor, prior state, and resulting state. Records are append-only and tamper-evident. PDPA 2010 retention and subject-access obligations are written into the schema, not bolted on. The expectation: a regulator, internal auditor, or external counsel can reconstruct any decision without contacting us.

Consent architecture

Per-loan consent plus a member-owned catalogue of standing permissions.

The Malaysian loan form captures per-loan consent at AKAD signing — a binding, snapshot-encrypted record of exactly what the borrower agreed to, for that loan. A separate standing catalogue at /member/profile/consents lets the borrower see and revoke ongoing permissions (monthly monitoring, research retention, channel preferences). Any non-AKAD pull from a credit bureau requires explicit, logged consent.

Identity & access

Two-tier authentication, uniform across every lender.

Tier-1 is .com SSO — Google, Facebook, Apple, with MyDigitalID coming soon — bound to a verified NRIC. Tier-2 is dashboard step-up — password plus TOTP — required for any Member granted /client/* or /admin/* access, with no per-lender opt-out. NRIC is stored encrypted at rest. Member and User remain separate data models, linked only by foreign key, so a borrower's identity is never commingled with operator credentials.

Regulatory posture

Compliance is written into the platform's spine, not bolted on after the fact.

The platform was designed against Akta Pemberi Pinjam Wang 1951, BNM AMLA, PDPA 2010, and Shariah AKAD requirements — not adapted to them later. Bolehlah is operated by Lunar Flame Sdn Bhd, a Malaysian incorporated company. The product is currently in founder-led pilot stage; we do not list reference customers we have not earned. Due-diligence packs are available on request.

Data sovereignty

Private by architecture, honest by policy.

Every tenant is isolated at the database layer with row-level security, and every consequential action is hash-chained into a tamper-evident audit trail. AI processing runs in-region in Malaysia on a sophisticated AI model under contractual no-training, no-retention terms — prompts and outputs are not stored and are never used to train third-party models. Your data is never sold or shared, and is retained only as long as servicing and Malaysian law require, under the published retention policy below — then deleted.
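The append-only, hash-chained trail described in the Audit trail section and again here can be sketched in a few lines. This is an added illustration, not Bolehlah's code: each record carries the fields the page lists (timestamp, actor, prior state, resulting state) plus the digest of its predecessor, and a verifier recomputes the chain to catch an edited, removed or reordered record. Record contents and actor names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first record in a chain

def canonical(record):
    # Stable serialisation so the same record always hashes to the same digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append(entries, ts, actor, action, prior_state, resulting_state):
    """Append one record; the list is only ever extended, never edited in place."""
    prev_hash = entries[-1]["hash"] if entries else GENESIS
    record = {"seq": len(entries), "ts": ts, "actor": actor, "action": action,
              "prior_state": prior_state, "resulting_state": resulting_state,
              "prev_hash": prev_hash}  # each record commits to its predecessor
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    entries.append(record)
    return record["hash"]

def verify(entries):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain checks out."""
    prev_hash, prev_state = GENESIS, None
    for i, rec in enumerate(entries):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev_hash:
            return False, i  # record removed, reordered or inserted
        if hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
            return False, i  # record edited after the fact
        if prev_state is not None and rec["prior_state"] != prev_state:
            return False, i  # state history does not reconstruct end to end
        prev_hash, prev_state = rec["hash"], rec["resulting_state"]
    return True, None

def build_sample_trail():
    # Constructed records for one hypothetical loan; actors and states are illustrative.
    trail = []
    for row in [("2025-01-10T09:00:00+08:00", "member:7781", "consent_captured", "draft", "consented"),
                ("2025-01-10T09:04:00+08:00", "member:7781", "akad_signed", "consented", "signed"),
                ("2025-01-10T09:05:00+08:00", "system:ekyc", "ekyc_result", "signed", "verified"),
                ("2025-01-10T10:30:00+08:00", "officer:42", "manual_override", "verified", "approved"),
                ("2025-01-10T10:31:00+08:00", "system:rail", "disbursement_instructed", "approved", "disbursed")]:
        append(trail, *row)
    return trail

def tampered_copy(entries, seq, field, value):
    # Simulate an after-the-fact edit to one record; verify() must report it.
    edited = [dict(r) for r in entries]
    edited[seq][field] = value
    return edited
```

Note that a chain like this does not by itself detect truncation of the most recent records; an auditor also needs the latest hash published or anchored somewhere the operator cannot rewrite.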

Retention policy

What we keep, for how long, and the machinery that deletes it.

B conversation logs are kept for 24 months for servicing and audit, then anonymised. Active loan records are kept for the loan tenure plus seven years after the final instalment, in line with BNM record-keeping expectations. Marketing data is deleted on opt-out. Vaulted documents are retained for legal and AML record-keeping. Deletion is automated, not aspirational: a daily automated PII-retention sweep, an audit-retention schedule, and account closure with a 30-day grace period followed by teardown. On termination, a lender's data is returned or deleted within 30 days under the data-processing agreement.

Sub-processors

The third parties that process personal data on our behalf.

Our Privacy Policy names every sub-processor we use. This register restates the same parties in one place — each operates under a contractual data-processing agreement with protections equivalent to our Privacy Policy.

Sub-processor | Role | Region
Innov8tif (the EMAS eKYC platform) | Licensed eKYC provider — one-time face / liveness identity verification. Lenders never receive the facial image; only the pass/fail result. | Singapore region (stored encrypted)
Amazon Web Services, Inc. (AWS Bedrock) | AI processing — generates B's replies and document intelligence from the messages you send and the minimum account context needed; under AWS Bedrock's service terms the data is not stored, not used to train models, and the model provider has no access to it. | Malaysia (ap-southeast-5)
Anthropic, PBC | Model provider — standby direct-API processing path under contractual no-training / data-protection terms. Under the primary AWS Bedrock route, Anthropic does not receive member data. | United States

Aggregate visit counts and page-performance metrics use Vercel Web Analytics and Speed Insights (Vercel Inc., our hosting provider) — cookieless, with no advertising cookies and no cross-site tracking (see the Privacy Policy's Cookies + tracking section).

This register is also reflected in the data-processing agreements (DPAs) we sign with customers.

Shariah trading rails

Every Shariah-flagged loan will ride the same DMCC TradeFlow Tawarruq rails used by 14 Malaysian Islamic banks.

When a loan is structured as Tawarruq, Bolehlah submits a commodity-trade order over licensed Shariah-compliant Tawarruq trading rails (integration UAT-complete; live at go-live). The trading platform behind those rails is used by the country's leading Islamic banks (CIMB Islamic, Maybank Islamic, RHB Islamic, Public Islamic, Affin Islamic, MBSB, Kuwait Finance House, Bank Pembangunan, Agrobank, MIDF Amanah, Kenanga, Exim). Every Tawarruq AKAD produces three e-certificates (Purchase · Murabahah · Sale) evidenced on DMCC TradeFlow, attached verbatim to the loan's hash-chained audit trail. Borrowers and regulators get the same paper trail an Affin or Maybank Islamic customer would receive.

Investor access

Access to Bolehlah's investor materials

Behind this gate sits a one-page briefing book and a short product walkthrough deck. Requests are reviewed manually. We respond within one business day, Kuala Lumpur time.