Vendor	Purpose	Data	Region	DPA	Certification
Anthropic	Commercial LLM inference (client-facing workloads)	Prompts + responses (transient)	USA	Yes — commercial DPA	SOC 2 Type II
OpenAI (via OpenRouter)	Embedding model for vector search	Text chunks (transient)	USA	Yes	SOC 2 Type II
DeepSeek (via OpenRouter)	Commercial LLM inference (high-volume internal workloads, no PII)	Prompts + responses (transient)	Routed; non-PII workloads only	OpenRouter master DPA	—
OpenRouter	LLM gateway + routing	Prompts + responses (transient)	USA	Yes	—
Supabase	Postgres database + auth + storage	All customer data at rest	AWS ap-southeast-1 (Singapore)	Yes	SOC 2 Type II
Vercel	Frontend hosting + serverless functions	No persistent customer data; ephemeral request data only	iad1 (USA) for build; edge for runtime	Yes	SOC 2 Type II
Cloudflare	CDN + WAF + DDoS protection	In-transit HTTP traffic; logs anonymised	Global edge; primary cache MY	Yes	SOC 2 Type II + ISO 27001
Hetzner	Self-hosted n8n VPS + encrypted backups	Workflow execution + DB snapshots	Singapore datacentre	Yes	ISO 27001
Stripe	Card processing + subscriptions	Cardholder data tokenised	USA + Singapore	Yes	PCI DSS Level 1 + SOC 2 Type II
Billplz	FPX recurring billing (Malaysia)	Payer details	Malaysia	Yes	PCI DSS + BNM-regulated
360dialog	WhatsApp Business API	Message content + delivery receipts	EU primary; APAC failover	Yes	ISO 27001 + GDPR-aligned
Retell AI	Voice AI (Module V)	Call audio + transcripts (transient)	USA	Yes	SOC 2 in progress
Langfuse (self-hosted)	LLM observability	Trace metadata + sampled prompts	Self-hosted on our VPS (Singapore)	No third-party — we host	—
Telegram (bot only)	Cancel-window approval notifications	Action title + cancel button only; no PII	Cloud-routed (Pavel servers global)	Public Telegram ToS	—
GitHub	Source code hosting + CI	No customer data; only our code	USA	Yes	SOC 2 Type II
Sentry	Error tracking	Stack traces + scrubbed metadata	EU primary	Yes	SOC 2 + ISO 27001