Doing Right

Cybersecurity and Data Privacy

The Group has implemented a robust cybersecurity and data privacy framework to protect sensitive information across our global operations.

We are committed to upholding the highest standards of cybersecurity and data privacy, while remaining vigilant about emerging challenges posed by technological advancements, including artificial intelligence and evolving cyber threats.


Our Data Protection Policy governs how personal data is collected, used and disclosed in interactions with customers and partners, and the Acceptable Use Policy sets out expectations to protect employees and systems from cybersecurity threats. The Group strictly complies with relevant data protection laws, including the General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA).

Aligned with the ISO 27001 Information Security Management Systems framework, an internationally recognised standard on information security, and the National Institute of Standards and Technology (NIST) cybersecurity framework, we have established cybersecurity policies, standard operation processes (SOP) and advanced security technologies to tackle cybersecurity and data privacy threats.

Cybersecurity

The Group adopts a defence-in-depth strategy that leverages multiple layers of security defence for holistic cybersecurity protection. This approach integrates a variety of solutions and tools.

Network and Perimeter Security

We employ robust network security measures to safeguard our infrastructure, leveraging state-of-the-art Intrusion Detection and Prevention Systems (IDPS) such as Next-Gen Firewalls and secured VPN solutions.

Threat Detection and Incident Management

Our centralised 24/7 Security Operations Centre (SOC) leverages advanced monitoring tools, such as a Security Information and Event Management (SIEM) system, to detect, analyse and respond to potential threats. Regular vulnerability scans and assessments, supported by the Tenable platform, enhance our capabilities in proactively addressing system weaknesses. We have also engaged an external vendor for annual Vulnerability Assessment and Penetration Testing (VAPT). In addition, we have a formal Incident Response Policy in place to ensure timely escalation and resolution of security incidents.

Email and Endpoint Security

We secure our communications and devices through leading AI-based Email and Endpoint Detection & Response (EDR) solutions such as the Microsoft Defender suite and CrowdStrike. These tools protect us against advanced threat vectors such as email-based or web-based threats and provide real-time monitoring and response to endpoint vulnerabilities.

Third-Party and External Risk Management

We have established a Cybersecurity Risk Assessment process and actively monitor third-party risks and external attack surfaces to safeguard our supply chain and mitigate vulnerabilities.

Data Protection

We utilise data loss prevention (DLP) tools, privileged identity management and privileged access management (PAM) systems to ensure that the accountability of personnel and the confidentiality and integrity of sensitive information are preserved.

Employee Awareness and Training

We conduct regular training and simulated exercises on best practices to educate employees and enhance their vigilance against potential cyber threats, building a strong cybersecurity culture. Training includes regular Phishing Simulation Exercises, Annual Cybersecurity E-learning, Business Continuity Management (BCM) and Personal Data Protection Act (PDPA) E-learning, alongside monthly awareness emails. We also maintain a cybersecurity portal on our Intranet where employees can access these resources. In 2025, we adopted the KnowBe4 system for cybersecurity training.

Our cybersecurity operations function on a 24/7 basis, focusing on critical control areas to ensure strong and resilient protection across the Group’s digital environment. Core activities include firewall and network perimeter management, continuous endpoint threat monitoring and response, data loss prevention to reduce the risk of sensitive information exposure, proactive threat detection and analysis, and the safeguarding of privileged access to critical systems. Together, these measures form an integrated defence framework that supports the confidentiality, integrity and availability of the Group’s information assets.

To enhance operational efficiency and threat response capabilities, we have progressively deployed AI-enabled security tools, including Microsoft Copilot and an AI-driven anti-spam solution, to support faster detection, analysis and remediation of cybersecurity risks. In parallel, suppliers with access to IT systems are required to complete cybersecurity and data protection assessments, strengthening third-party risk management and alignment with the Group’s security standards.

In 2025, UOL attained the following cybersecurity certifications, reflecting the strength of our governance and technical capabilities as well as the maturity and resilience of our cybersecurity framework:

  • ISO 27001 certification, affirming alignment with global best practices in information security
  • Cyber Trust Mark Tier 5 Advocate, the highest level under the Cyber Security Agency of Singapore (CSA)’s Cyber Trust Mark programme
  • Cyber Essentials Mark, recognising robust measures to protect systems and operations from common cyber-attacks

SingLand also successfully completed its ISO 27001 and Cyber Trust Mark Year 2 Surveillance Audit in 2025, conducted by the British Standards Institution.

Data Privacy

UOL’s Personal Data Management Framework encompasses policies and procedures that govern the full lifecycle of personal data, from collection and use to storage, retention and disposal. The framework clearly defines the roles and responsibilities of individuals involved in managing personal data and is supported by policies and procedures that are regularly reviewed to remain effective and relevant. Ongoing communications and training programmes reinforce employee awareness and accountability in handling personal data.

The Group’s Data Protection Policy, which is publicly available on our corporate website, outlines how personal data is collected, used and disclosed for individuals engaging with UOL. This includes interactions through online reservations, loyalty programmes and payment transactions, where the handling of private and sensitive information is integral to business operations. To safeguard such data, UOL enforces strict security protocols and implements layered technical and organisational controls across our portfolio.

These measures include the use of various data protection tools for data privacy and protection. In 2025, the Group recorded no customer complaints regarding data privacy breaches.

Personal Data Management Framework


UOL is committed to maintaining robust data privacy and security practices across all our operations and extends these principles throughout our supply chain. Suppliers are required to adhere to the Personal Data Protection Act (PDPA) through a Letter of Undertaking and to enter into additional contractual arrangements, such as Non-Disclosure Agreements (NDA), to safeguard intellectual property and sensitive information.
