← TRUST CENTER

SUB-PROCESSORS · 16 VENDORS

Every third-party that processes customer data on our behalf.

What they process, where it lands, under which contract, with which certifications. We add to this list every time a new vendor goes into production — never retroactively.

Material changes are pre-announced to customers by email 30 days in advance, per PDPA "reasonable expectations" standard. Last updated: 06 July 2026.

  • 16 sub-processors
  • DPA on file with all
  • PDPA-compliant notice
  • 30-day change window

THE TABLE

The full ledger.

VendorPurposeDataRegionDPACertification
AnthropicCommercial LLM inference (client-facing workloads)Prompts + responses (transient)USAYes — commercial DPASOC 2 Type II
OpenAI (via OpenRouter)Embedding model for vector searchText chunks (transient)USAYesSOC 2 Type II
DeepSeek (via OpenRouter)Commercial LLM inference (high-volume internal workloads, no PII)Prompts + responses (transient)Routed; non-PII workloads onlyOpenRouter master DPA
OpenRouterLLM gateway + routingPrompts + responses (transient)USAYes
SupabasePostgres database + auth + storageAll customer data at restAWS ap-southeast-1 (Singapore)YesSOC 2 Type II
VercelFrontend hosting + serverless functionsNo persistent customer data; ephemeral request data onlyiad1 (USA) build; edge runtimeYesSOC 2 Type II
CloudflareCDN + WAF + DDoS protectionIn-transit HTTP traffic; logs anonymisedGlobal edge; primary cache MYYesSOC 2 Type II + ISO 27001
HetznerSelf-hosted n8n VPS + encrypted backupsWorkflow execution + DB snapshotsSingapore datacentreYesISO 27001
StripeCard processing + subscriptionsCardholder data tokenisedUSA + SingaporeYesPCI DSS Level 1 + SOC 2 Type II
BillplzFPX recurring billing (Malaysia)Payer detailsMalaysiaYesPCI DSS + BNM-regulated
360dialogWhatsApp Business APIMessage content + delivery receiptsEU primary; APAC failoverYesISO 27001 + GDPR-aligned
Retell AIVoice AI (Module V)Call audio + transcripts (transient)USAYesSOC 2 in progress
Langfuse (self-hosted)LLM observabilityTrace metadata + sampled promptsSelf-hosted on our VPS (Singapore)No third-party — we host
Telegram (bot only)Cancel-window approval notificationsAction title + cancel button only; no PIICloud-routedPublic Telegram ToS
GitHubSource code hosting + CINo customer data; only our codeUSAYesSOC 2 Type II
SentryError trackingStack traces + scrubbed metadataEU primaryYesSOC 2 + ISO 27001

Questions about a specific vendor relationship, contractual scope, or data residency? Email compliance@onset.my. One business hour reply.