Security
Built with the same controls we audit our customers against.
Encryption, isolation, retention, observability and compliance — none of it is bolted on.
Data protection
- ✓TLS 1.2+ in transit, AES-256 at rest (Supabase + Vercel)
- ✓Row-level security on every multi-tenant table
- ✓Cross-tenant isolation tested daily by GUARDIAN CRON
- ✓No customer data in logs (LLM call logs strip PII before persistence)
Identity & access
- ✓Supabase Auth · SSO available (Google Workspace, Microsoft)
- ✓Super-admin actions gated by allowlisted email + audit log
- ✓OAuth tokens stored encrypted, never returned in responses
- ✓Service-role keys rotated quarterly
Observability
- ✓Langfuse HIPAA Cloud trace coverage for every LLM call
- ✓Audit log on every super-admin mutation (immutable, 7-year retention)
- ✓SENTINEL samples 5% of every customer-facing reply for quality
- ✓PULSE weekly client-health digest
Resilience
- ✓Circuit breakers on every third-party service
- ✓Dead-letter queue + automatic retry with jitter
- ✓Daily Supabase point-in-time recovery (PITR)
- ✓Weekly DR drill (documented runbook)
Compliance
- ✓PDPA 2010 aligned — § 43 opt-out honoured in code
- ✓LHDN MyInvois ASP-listed
- ✓SOC 2 Type I — Q3 2026 (Schellman)
- ✓ISO 27001 — Q1 2027 · ISO 42001 — Q3 2027
Responsible disclosure
Find something? Email security@onset.my. We acknowledge inside 24 hours and triage inside 72.