SUB-PROCESSORS · 16 VENDORS
What they process, where it lands, under which contract, with which certifications. We add to this list every time a new vendor goes into production — never retroactively.
Material changes are pre-announced to customers by email 30 days in advance, per PDPA "reasonable expectations" standard. Last updated: 06 July 2026.
THE TABLE
| Vendor | Purpose | Data | Region | DPA | Certification |
|---|---|---|---|---|---|
| Anthropic | Commercial LLM inference (client-facing workloads) | Prompts + responses (transient) | USA | Yes — commercial DPA | SOC 2 Type II |
| OpenAI (via OpenRouter) | Embedding model for vector search | Text chunks (transient) | USA | Yes | SOC 2 Type II |
| DeepSeek (via OpenRouter) | Commercial LLM inference (high-volume internal workloads, no PII) | Prompts + responses (transient) | Routed; non-PII workloads only | OpenRouter master DPA | — |
| OpenRouter | LLM gateway + routing | Prompts + responses (transient) | USA | Yes | — |
| Supabase | Postgres database + auth + storage | All customer data at rest | AWS ap-southeast-1 (Singapore) | Yes | SOC 2 Type II |
| Vercel | Frontend hosting + serverless functions | No persistent customer data; ephemeral request data only | iad1 (USA) build; edge runtime | Yes | SOC 2 Type II |
| Cloudflare | CDN + WAF + DDoS protection | In-transit HTTP traffic; logs anonymised | Global edge; primary cache MY | Yes | SOC 2 Type II + ISO 27001 |
| Hetzner | Self-hosted n8n VPS + encrypted backups | Workflow execution + DB snapshots | Singapore datacentre | Yes | ISO 27001 |
| Stripe | Card processing + subscriptions | Cardholder data tokenised | USA + Singapore | Yes | PCI DSS Level 1 + SOC 2 Type II |
| Billplz | FPX recurring billing (Malaysia) | Payer details | Malaysia | Yes | PCI DSS + BNM-regulated |
| 360dialog | WhatsApp Business API | Message content + delivery receipts | EU primary; APAC failover | Yes | ISO 27001 + GDPR-aligned |
| Retell AI | Voice AI (Module V) | Call audio + transcripts (transient) | USA | Yes | SOC 2 in progress |
| Langfuse (self-hosted) | LLM observability | Trace metadata + sampled prompts | Self-hosted on our VPS (Singapore) | No third-party — we host | — |
| Telegram (bot only) | Cancel-window approval notifications | Action title + cancel button only; no PII | Cloud-routed | Public Telegram ToS | — |
| GitHub | Source code hosting + CI | No customer data; only our code | USA | Yes | SOC 2 Type II |
| Sentry | Error tracking | Stack traces + scrubbed metadata | EU primary | Yes | SOC 2 + ISO 27001 |
Questions about a specific vendor relationship, contractual scope, or data residency? Email compliance@onset.my. One business hour reply.