Data Processing Addendum

ONSET's standard Data Processing Addendum (DPA) governs how we handle personal data on your behalf as a processor. Headline terms: · Roles: You are the controller. ONSET is the processor. · Subject matter & duration: Processing is limited to what you instruct via the platform, for the term of your subscription. · Categories of data subjects: Your customers, leads, employees (depending on modules used). · Categories of personal data: Names, emails, phone numbers, IP addresses, message content, voice recordings (where Module V is used), business records. · Special categories: We do not process special-category data (health, race, religion, etc.) without explicit additional sign-off — this is hardcoded in our intake form. · Sub-processors: Listed at /trust/sub-processors. 30-day prior notice for additions. · Cross-border transfers: Standard Contractual Clauses (/trust/scc) apply where data crosses borders. · Security: TLS 1.2+ in transit, AES-256 at rest, RLS on every multi-tenant table. · Breach notification: We will notify you without undue delay (target: within 24 hours of confirmation). · Audit rights: Once per 12 months, on 30 days notice, you may audit our processing activities (or a designated auditor on your behalf). · Deletion: On termination, we delete or return all personal data within 90 days, except where law requires retention (7-year LHDN e-Invoice archive). A signed DPA is provided automatically on enterprise contracts. SMEs can request one — email legal@onset.my.