← TRUST CENTER

TRUST DOCUMENT

Incident response

How we handle security incidents.

LAST UPDATED · 09 May 2026

Our incident response policy: Detection · Automated infrastructure + application health monitoring (15-min cadence) · Daily PDPA + cross-tenant isolation checks · Hourly output-quality + safety sampling (5% of traffic per module) · Customer reports: security@onset.my, 24-hour acknowledgement target Classification (severity) · SEV1 — major outage, data exposure, customer-impacting bug spreading · SEV2 — partial outage, degraded performance · SEV3 — informational degradation, no customer impact · SEV4 — internal observation Response · On detection, the on-call engineer opens the incident in our internal incident-management surface. · A war-room is opened in Telegram with the on-call. · Public-facing updates land at /status within 15 minutes for SEV1/SEV2. · Affected customers are emailed within 24 hours for any incident that touched their data. Post-incident · A blameless post-mortem is published internally within 5 working days. · Customer-visible incidents have a public post-mortem within 14 days. · SLA credits are applied automatically per /sla. PDPA security breach: notified to NDPC within 72 hours of confirmation, per the PDPA Amendment 2024. 24/7 contact: security@onset.my (PGP key on request).

Questions about this document? Email compliance@onset.my — one business hour reply.