Data Protection Impact Assessment

Last reviewed: March 15, 2026

Project Description

Pasal.id is an open-source platform providing free access to structured Indonesian legal data. The platform collects user data via OAuth login for personalization and service improvement. This assessment is conducted pursuant to UU PDP Article 34, which requires data controllers to conduct a data protection impact assessment.

Data Processing Activities

OAuth login: name, email, and profile picture from Google.
Bookmarks: regulations saved by users (linked to user_id).
Article visit tracking: anonymous cookie (pasal_visited), 30-day expiry, not linked to user identity.
Admin analytics: aggregated signup counts and provider breakdown (no individual tracking).

Necessity and Proportionality Assessment

OAuth data: minimum necessary for account identification and outreach.
Bookmarks: core product feature, user-initiated.
Visit tracking: anti-scraping measure, anonymous, auto-expires.
No sensitive/special data collected (no health, religion, political affiliation, or biometrics).

Risk Assessment

Risk 1: Data breach exposing email addresses. Likelihood: low (Supabase managed infrastructure, RLS, restricted service key). Impact: medium. Mitigation: encrypted at rest, TLS, RLS policies on all tables.

Risk 2: Cross-border transfer to Singapore. Likelihood: certain (Supabase SG region). Impact: low (Singapore PDPA comparable to UU PDP). Mitigation: explicit consent at login, contractual safeguards via Supabase ToS.

Risk 3: Unauthorized access via compromised OAuth tokens. Likelihood: low. Impact: medium. Mitigation: httpOnly cookies, server-side validation via getUser(), session refresh in middleware.

Risk 4: Excessive data retention. Likelihood: low. Impact: low. Mitigation: 30-day deletion after account removal, anonymous cookies auto-expire.

Data Subject Rights Implementation

Access: /akun page shows all stored data.
Rectification: profile data comes from OAuth provider (user updates at source).
Erasure: /akun delete button, cascade deletion, 30-day completion.
Portability: not yet implemented (low priority — minimal data stored).
Response timeline: 72 hours per UU PDP.

Third-Party Processors

Supabase (database, auth) — Singapore region, SOC2 Type II certified.
Vercel (web hosting) — Edge network, no user data stored.
Google (OAuth provider) — identity data only, per their respective privacy policies.

Review Schedule

Annual review, or upon significant changes to data processing activities.