TRUST CENTER · PDPA · ISO 42001 · SOC 2
How we protect your data, where it lives, who can see it, and how we comply with Malaysian PDPA and ISO 42001. Every sub-processor, every policy, every certification is on this page — so your compliance officer can review ONSET without sending a 60-question security questionnaire.
ONSET is built and operated by Marketing Lancers Consultancy Sdn Bhd (SSM 1460628-X). When something material changes here, this page changes the same day — not the next quarterly newsletter.
CERTIFICATIONS & POSTURE
We mark what's live versus what's in pursuit. We don't claim certifications we don't have.
PDPA-aligned
Malaysian Personal Data Protection Act
SOC 2 Type I
Schellman engagement queued · Q3 2026
ISO 42001:2023
AI Management System · readiness mapped Q2 2026
HIPAA-grade observability
Langfuse HIPAA cloud for LLM traces
Hash-chained audit log
Tamper-evident audit_logs, 7-year retention
RLS on every table
Postgres Row-Level Security, weekly cross-tenant test
SUB-PROCESSORS · 11 VENDORS
Updated on each material change. As of 6 July 2026. Detailed DPA + data-type breakdown at /trust/subprocessors.
| Sub-processor | Region | Purpose | Certifications |
|---|---|---|---|
| Supabase | Singapore (ap-southeast-1) | Primary database + auth + storage | SOC 2 Type II, HIPAA, GDPR |
| n8n | Hostinger Singapore VPS | Workflow execution engine | Self-hosted, ISO 27001 hosting |
| OpenRouter | US (provider routing) | LLM gateway · multi-vendor | Provider-pass-through |
| Anthropic | US | Commercial LLM provider | SOC 2, GDPR DPA |
| Langfuse (HIPAA Cloud) | EU | LLM observability + tracing | SOC 2, HIPAA, GDPR |
| Stripe | US/EU | Subscription billing | PCI DSS Level 1, SOC 2, ISO 27001 |
| Billplz | Malaysia | FPX + bank-rail payments (MY) | BNM-approved e-money + payment service |
| Retell AI | US | Voice AI agent | SOC 2, GDPR DPA |
| 360dialog | EU | WhatsApp Business API | Meta BSP, GDPR |
| Telegram | Distributed | Internal owner alerts only (not client data) | — |
| SerpAPI | US | Search engine queries (Council research) | — |
ARCHITECTURAL SAFEGUARDS
Every Class-A AI prompt change requires owner approval via Telegram before A/B test; Class-B (proposals, regulatory, legal) cannot auto-evolve. See AI Change Management Policy.
Every external dependency monitored with auto-isolation on cascading failures. Full sub-processor list at /trust/subprocessors.
Failed module runs retry with exponential-jitter backoff (3 attempts), then quarantine for manual review.
Automated 4-hour end-to-end checks of dispatch, dashboard reachability and breaker state.
audit_logs uses a prev-hash chain; an automated daily check validates integrity and alerts on any break.
Pre-outbound check against suppression_list table before any WhatsApp / email / voice. DPO appointed at 20K-record threshold.
POLICIES & DOCUMENTATION
AI Change Management Policy
Class-A/B/C module classification + human approval gates + hash-chained audit trail
Compliance & Certifications Roadmap
SOC 2 Type I + ISO 42001 readiness mapping
Sub-processor list
Every third-party that processes customer data on our behalf
SLA
Uptime, response, resolution targets and credit policy
Security controls
Data protection, identity, observability, resilience, compliance
Reliability commitments
Uptime, latency budgets, RPO/RTO, DR drill cadence
Email the right inbox and a real person reads it within one business hour (Mon-Fri 9-6 MYT). No tier-1 triage queue.