SECURITY · 5 CONTROL DOMAINS

Built with the same controls we audit our customers against.

Encryption, isolation, retention, observability and compliance — none of it bolted on. ONSET ships with PDPA opt-out enforcement wired into the code path, not the runbook.

The full Trust Center (sub-processors, certifications, policy library, architectural safeguards) lives at /trust. This page is the security-specific slice for buyers and CISOs.

  • AES-256 at rest
  • TLS 1.2+ in transit
  • Hash-chained audit
  • PDPA § 43 enforced
  • HIPAA-grade obs

CONTROL 1 / 5

Data protection

Customer data is encrypted at every boundary — wire, disk, and inside the database row.

  • TLS 1.2+ in transit, AES-256 at rest

  • Row-level security on every multi-tenant table (RLS enforced in Postgres, not application code)

  • Cross-tenant isolation tested daily by automated compliance checks

  • No customer PII in logs — LLM call logs strip emails / phone numbers / addresses before persistence

CONTROL 2 / 5

Identity & access

Least-privilege by default. Service-role keys never leave server-side code paths.

  • Supabase Auth · SSO available (Google Workspace, Microsoft Entra ID)

  • Super-admin actions gated by allowlisted email + per-action audit_log row

  • OAuth tokens stored encrypted at rest, never returned in API responses

  • Service-role keys rotated quarterly; pre-commit hook blocks accidental commit of literal API keys

CONTROL 3 / 5

Observability

You cannot fix what you cannot see — and we cannot afford to miss anything.

  • HIPAA-compliant trace coverage for every LLM call (Langfuse HIPAA Cloud)

  • audit_log on every privileged mutation — immutable, hash-chained, 7-year retention

  • 5% of customer-facing replies sampled hourly for quality scoring

  • Weekly client-health digest delivered to your inbox — module-by-module

CONTROL 4 / 5

Resilience

Things fail. Our job is to make sure customers don't feel it.

  • Circuit breakers on every third-party service — auto-isolate cascading failures

  • Dead-letter queue + exponential-jitter retry (3 attempts before quarantine)

  • Daily Supabase point-in-time recovery (PITR) — 24h RPO worst case

  • Quarterly DR drill (documented runbook, signed-off restore)

CONTROL 5 / 5

Compliance

PDPA, LHDN MyInvois, and the certifications regulated industries need to sign with us.

  • PDPA 2010 + Amendment Act 2024 aligned — § 43 opt-out enforced in code (suppression_list check pre-outbound)

  • LHDN MyInvois ASP-listed — production endpoints whitelisted

  • SOC 2 Type I · Q3 2026 (Schellman engagement scheduled)

  • ISO 27001 · Q1 2027 · ISO 42001 (AI Management System) · Q3 2027

Responsible disclosure.

Found something? Email security@onset.my with a proof-of-concept. We acknowledge within 24 hours and triage within 72. Bounty available for genuine vulnerabilities — RM 500 to RM 10,000 depending on severity.