← TRUST CENTER

TRUST DOCUMENT

Sub-processors

Third parties that may process your data on our behalf.

LAST UPDATED · 09 May 2026

In line with PDPA § 9 and standard DPA practice, we publish our sub-processors. Material additions are notified ≥30 days in advance. Infrastructure · Supabase Inc. — Postgres, Auth, Edge Functions. Data residency: ap-southeast-1. · Vercel Inc. — Hosting + edge for the dashboard. · Hetzner Online GmbH — Self-hosted n8n orchestration. EU region. AI / LLM · OpenRouter Inc. — LLM gateway for ONSET router-approved task profiles. · OpenAI — fallback provider where account-scoped keys are configured, plus text embeddings for pgvector. · Model routing is selected by task profile, not by customer-visible model picker. Messaging · 360dialog GmbH — WhatsApp Business gateway (WABA). · Retell AI / Vapi — Voice AI providers. · Sendgrid / Postmark — Transactional email (per tenant). Observability · Langfuse — HIPAA Cloud trace coverage. Payments · Stripe — Card and recurring rails. · Billplz — FPX and Malaysian e-wallet rails. Compliance & ops · LHDN MyInvois — e-Invoice submission (Malaysian government). · HubSpot Inc. — CRM sync (where you opt in). Customer data flows are bound by Data Processing Addendums (DPA) we hold with each vendor. Cross-tenant isolation is enforced by RLS at the Supabase layer.

Questions about this document? Email compliance@onset.my — one business hour reply.