TRUST CENTER · PDPA · ISO 42001 · SOC 2

Security, privacy, and AI governance — published.

How we protect your data, where it lives, who can see it, and how we comply with Malaysian PDPA and ISO 42001. Every sub-processor, every policy, every certification is on this page — so your compliance officer can review ONSET without sending a 60-question security questionnaire.

ONSET is built and operated by Marketing Lancers Consultancy Sdn Bhd (SSM 1460628-X). When something material changes here, this page changes the same day — not the next quarterly newsletter.

CERTIFICATIONS & POSTURE

Six anchors, status-stamped.

We mark what's live versus what's in pursuit. We don't claim certifications we don't have.

  • LIVE

    PDPA-aligned

    Malaysian Personal Data Protection Act

  • IN PURSUIT

    SOC 2 Type I

    Schellman engagement queued · Q3 2026

  • IN PURSUIT

    ISO 42001:2023

    AI Management System · readiness mapped Q2 2026

  • LIVE

    HIPAA-grade observability

    Langfuse HIPAA cloud for LLM traces

  • LIVE

    Hash-chained audit log

    Tamper-evident audit_logs, 7-year retention

  • LIVE

    RLS on every table

    Postgres Row-Level Security, weekly cross-tenant test

SUB-PROCESSORS · 11 VENDORS

Every third-party that touches your data.

Updated on each material change. As of 6 July 2026. Detailed DPA + data-type breakdown at /trust/subprocessors.

Sub-processorRegionPurposeCertifications
SupabaseSingapore (ap-southeast-1)Primary database + auth + storageSOC 2 Type II, HIPAA, GDPR
n8nHostinger Singapore VPSWorkflow execution engineSelf-hosted, ISO 27001 hosting
OpenRouterUS (provider routing)LLM gateway · multi-vendorProvider-pass-through
AnthropicUSCommercial LLM providerSOC 2, GDPR DPA
Langfuse (HIPAA Cloud)EULLM observability + tracingSOC 2, HIPAA, GDPR
StripeUS/EUSubscription billingPCI DSS Level 1, SOC 2, ISO 27001
BillplzMalaysiaFPX + bank-rail payments (MY)BNM-approved e-money + payment service
Retell AIUSVoice AI agentSOC 2, GDPR DPA
360dialogEUWhatsApp Business APIMeta BSP, GDPR
TelegramDistributedInternal owner alerts only (not client data)
SerpAPIUSSearch engine queries (Council research)

ARCHITECTURAL SAFEGUARDS

Six controls, baked in.

  • Human-in-the-loop

    Every Class-A AI prompt change requires owner approval via Telegram before A/B test; Class-B (proposals, regulatory, legal) cannot auto-evolve. See AI Change Management Policy.

  • Circuit breakers

    Every external dependency monitored with auto-isolation on cascading failures. Full sub-processor list at /trust/subprocessors.

  • Dead-letter queue

    Failed module runs retry with exponential-jitter backoff (3 attempts), then quarantine for manual review.

  • Continuous self-audit

    Automated 4-hour end-to-end checks of dispatch, dashboard reachability and breaker state.

  • Tamper-evident logs

    audit_logs uses a prev-hash chain; an automated daily check validates integrity and alerts on any break.

  • PDPA suppression

    Pre-outbound check against suppression_list table before any WhatsApp / email / voice. DPO appointed at 20K-record threshold.

Need to verify something?

Email the right inbox and a real person reads it within one business hour (Mon-Fri 9-6 MYT). No tier-1 triage queue.

SECURITY

security@onset.my

Report a vulnerability · responsible disclosure

COMPLIANCE / DPO

compliance@onset.my

PDPA · DPA · DSAR · audit evidence

GENERAL

hello@onset.my

Sales · partnerships · everything else

  • 1 business hour reply
  • NDA on request
  • MSA + DPA + SLA ready
  • PDPA Amendment Act 2024 aligned