Trust Center

Security, Privacy, and AI Governance.

How we protect your data, where it lives, who can see it, and how we comply with Malaysian PDPA and ISO 42001. We publish everything that matters — sub-processors, retention windows, governance policies — so your compliance officer can review ONSET without sending us a 60-question security questionnaire.

Live status: status.onset.my · Security contact: security@onset.my · Compliance & DPO: compliance@onset.my

ONSET is the AI back-office for Malaysian and Singaporean SMEs, built and operated by Marketing Lancers Consultancy Sdn Bhd (SSM 1460628-X). Every sub-processor we use, every policy we follow, and every certification we hold (or are pursuing) is on this page. If something material changes, this page changes the same day — not the next quarterly newsletter.

Certifications & Posture

PDPA-aligned · Malaysian Personal Data Protection Act
SOC 2 Type I · Schellman engagement queued
ISO 42001:2023 · AI Management System, readiness mapped
HIPAA-grade observability · Langfuse HIPAA cloud for LLM traces
Hash-chained audit · Tamper-evident audit_logs
RLS on all tables · Postgres Row-Level Security enforced

Sub-processors

As of 14 May 2026. Updated on each material change.

Provider · Location · Role · Attestations

Supabase · Singapore (ap-southeast-1) · Primary database + auth + storage · SOC 2 Type II, HIPAA, GDPR
n8n · Hostinger Singapore VPS · Workflow execution engine · Self-hosted, ISO 27001 hosting
OpenRouter · US (provider routing) · LLM gateway, multi-vendor · Provider pass-through
Anthropic · US · Commercial LLM provider · SOC 2, GDPR DPA
Langfuse (HIPAA Cloud) · EU · LLM observability + tracing · SOC 2, HIPAA, GDPR
Stripe · US/EU · Subscription billing · PCI DSS Level 1, SOC 2, ISO 27001
Billplz · Malaysia · FPX + bank-rail payments (MY) · BNM-approved e-money + payment service
Retell AI · US · Voice AI agent · SOC 2, GDPR DPA
360dialog · EU · WhatsApp Business API · Meta BSP, GDPR
Telegram · Distributed · Internal owner alerts only (not client data)
SerpAPI · US · Search engine queries (Council research)

Policies & Documentation

Architectural Safeguards

  • Human-in-the-loop: Every Class-A AI prompt change requires owner approval via Telegram before it enters an A/B test; Class-B prompts (proposals, regulatory, legal) cannot auto-evolve at all.
  • Circuit breakers: 9 external services (OpenRouter, MyInvois, Retell, Stripe, Billplz, Telegram, 360dialog, SerpAPI, Supabase REST) are monitored, with automatic isolation of a service when its failures start to cascade.
  • Dead letter queue: Failed module runs are retried with exponential backoff plus jitter (3 attempts), then quarantined for manual review.
  • Continuous self-audit: A cron job every 4 hours validates end-to-end user-flow integrity (Council dispatch, dashboard reachability, breaker state).
  • Tamper-evident logs: Each audit_logs row stores the hash of the previous row (a prev-hash chain); a daily cron job at 02:00 MYT validates the integrity of the chain.
  • PDPA suppression: Every outbound message is checked against the suppression list before sending; a DPO is appointed at the 20K-record threshold.
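The prev-hash chain behind the tamper-evident audit log is easy to illustrate in miniature. The following Python is an added example written for this page and is not ONSET's code; it assumes hypothetical column names (id, ts, actor, action, prev_hash, row_hash), uses SHA-256 over a canonical JSON encoding, and adds one caveat the page does not state: a chain alone cannot reveal that its newest rows were deleted, so the validator optionally takes an out-of-band copy of the latest row hash. The sample rows are constructed.

```python
import hashlib
import json
from typing import Optional

# Constructed example: an in-memory stand-in for an audit_logs table where every
# row carries the hash of the row before it (a prev-hash chain).
GENESIS_HASH = "0" * 64  # prev_hash recorded by the very first row

IMMUTABLE_FIELDS = ("id", "ts", "actor", "action", "prev_hash")


def row_hash(row: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the immutable fields.

    sort_keys and fixed separators make the encoding deterministic, so the
    same logical row always hashes to the same value on any machine.
    """
    material = {k: row[k] for k in IMMUTABLE_FIELDS}
    payload = json.dumps(material, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append(chain: list, actor: str, action: str, ts: str) -> dict:
    """Append a row whose prev_hash is the row_hash of the current tail."""
    prev = chain[-1]["row_hash"] if chain else GENESIS_HASH
    row = {"id": len(chain) + 1, "ts": ts, "actor": actor,
           "action": action, "prev_hash": prev}
    row["row_hash"] = row_hash(row)
    chain.append(row)
    return row


def verify_chain(chain: list, expected_head: Optional[str] = None) -> dict:
    """Walk the chain in order and report the first inconsistency.

    Detects an edited row (stored row_hash no longer matches recomputation),
    a deleted or reordered row (the next row's prev_hash no longer matches),
    and, when expected_head is supplied from an out-of-band copy of the latest
    row_hash, silent truncation of the tail, which the chain alone cannot see.
    """
    prev = GENESIS_HASH
    for row in chain:
        if row["prev_hash"] != prev:
            return {"ok": False, "row_id": row["id"], "reason": "prev_hash mismatch"}
        if row["row_hash"] != row_hash(row):
            return {"ok": False, "row_id": row["id"], "reason": "row_hash mismatch"}
        prev = row["row_hash"]
    if expected_head is not None and prev != expected_head:
        return {"ok": False, "row_id": None, "reason": "chain truncated"}
    return {"ok": True, "row_id": None, "reason": None}


def build_sample_chain() -> list:
    """Constructed sample rows, not data from any real tenant."""
    chain: list = []
    append(chain, "owner@example.test", "prompt.approve", "2026-05-14T01:00:00+08:00")
    append(chain, "system", "breaker.open:serpapi", "2026-05-14T01:05:00+08:00")
    append(chain, "owner@example.test", "breaker.reset:serpapi", "2026-05-14T01:20:00+08:00")
    return chain


def tamper_scenarios() -> dict:
    """Run the daily validation check against three kinds of tampering."""
    clean = build_sample_chain()
    head = clean[-1]["row_hash"]  # what a daily job would keep out-of-band

    edited = [dict(r) for r in clean]
    edited[1]["action"] = "breaker.open:stripe"  # a row is rewritten in place

    deleted = [clean[0], clean[2]]  # the middle row is removed

    truncated = clean[:2]  # the newest row is dropped entirely

    return {
        "clean": verify_chain(clean, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_without_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:24s} {result}")
```

The "truncated_without_head" case is the one to note: with only the chain to go on, a log whose newest rows have been deleted still verifies cleanly, which is why the validator also compares the tail against a hash held somewhere the database writer cannot reach.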

Security Contact

Report a vulnerability or security concern: security@onset.my
Compliance & DPO questions: compliance@onset.my
General business: hello@marketinglancers.com.my