SECURITY · 5 CONTROL DOMAINS
Encryption, isolation, retention, observability and compliance — none of it bolted on. ONSET ships with PDPA opt-out enforcement wired into the code path, not the runbook.
The full Trust Center (sub-processors, certifications, policy library, architectural safeguards) lives at /trust. This page is the security-specific slice for buyers and CISOs.
CONTROL 1 / 5
Customer data is encrypted at every boundary — wire, disk, and inside the database row.
TLS 1.2+ in transit, AES-256 at rest
Row-level security on every multi-tenant table (RLS enforced in Postgres, not application code)
Cross-tenant isolation tested daily by automated compliance checks
No customer PII in logs — LLM call logs strip emails / phone numbers / addresses before persistence
CONTROL 2 / 5
Least-privilege by default. Service-role keys never leave server-side code paths.
Supabase Auth · SSO available (Google Workspace, Microsoft Entra ID)
Super-admin actions gated by allowlisted email + per-action audit_log row
OAuth tokens stored encrypted at rest, never returned in API responses
Service-role keys rotated quarterly; pre-commit hook blocks accidental commit of literal API keys
CONTROL 3 / 5
You cannot fix what you cannot see — and we cannot afford to miss anything.
HIPAA-compliant trace coverage for every LLM call (Langfuse HIPAA Cloud)
audit_log on every privileged mutation — immutable, hash-chained, 7-year retention
5% of customer-facing replies sampled hourly for quality scoring
Weekly client-health digest delivered to your inbox — module-by-module
CONTROL 4 / 5
Things fail. Our job is to make sure customers don't feel it.
Circuit breakers on every third-party service — auto-isolate cascading failures
Dead-letter queue + exponential-jitter retry (3 attempts before quarantine)
Daily Supabase point-in-time recovery (PITR) — 24h RPO worst case
Quarterly DR drill (documented runbook, signed-off restore)
CONTROL 5 / 5
PDPA, LHDN MyInvois, and the certifications regulated industries need to sign with us.
PDPA 2010 + Amendment Act 2024 aligned — § 43 opt-out enforced in code (suppression_list check pre-outbound)
LHDN MyInvois ASP-listed — production endpoints whitelisted
SOC 2 Type I · Q3 2026 (Schellman engagement scheduled)
ISO 27001 · Q1 2027 · ISO 42001 (AI Management System) · Q3 2027
Found something? Email security@onset.my with a proof-of-concept. We acknowledge within 24 hours and triage within 72. Bounty available for genuine vulnerabilities — RM 500 to RM 10,000 depending on severity.