Sub-processors

In line with PDPA § 9 and standard DPA practice, we publish our sub-processors. Material additions are notified ≥30 days in advance. Infrastructure · Supabase Inc. — Postgres, Auth, Edge Functions. Data residency: ap-southeast-1. · Vercel Inc. — Hosting + edge for the dashboard. · Hetzner Online GmbH — Self-hosted n8n orchestration. EU region. AI / LLM · OpenRouter Inc. — LLM gateway. We use DeepSeek and Anthropic only (Anthropic Opus is permanently banned by internal policy). · Anthropic PBC — Claude Sonnet / Haiku via OpenRouter. · DeepSeek — Default model. Sovereign EU/ROW routing. · OpenAI — text-embedding-3-small only for pgvector embeddings. No completion calls. Messaging · 360dialog GmbH — WhatsApp Business gateway (WABA). · Retell AI / Vapi — Voice AI providers. · Sendgrid / Postmark — Transactional email (per tenant). Observability · Langfuse — HIPAA Cloud trace coverage. Payments · Stripe — Card and recurring rails. · Billplz — FPX and Malaysian e-wallet rails. Compliance & ops · LHDN MyInvois — e-Invoice submission (Malaysian government). · HubSpot Inc. — CRM sync (where you opt in). Customer data flows are bound by Data Processing Addendums (DPA) we hold with each vendor. Cross-tenant isolation is enforced by RLS at the Supabase layer.