GIWAHS — trading as Whaitiri Black Limited Whaitiri Black Limited · Review draft
/ GIWAHS Founder Vault · Review draft

GIWAHS Security & Incident Response Policy

Document: 30 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified security/data-protection counsel before being shared with customers, auditors, or referenced in contracts. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Docs 24 (Privacy Policy §11), 25 (Terms of Service), 29 (DPA), 31 (Subprocessor Register).

Audience: Customers, auditors, regulators, internal engineering. This policy is the source of truth for the technical and organisational measures referenced in Doc 29 Annex B and any Standard Contractual Clauses Annex II.


1. Scope

This Policy describes the administrative, technical, and physical measures Whaitiri Black Limited, a company incorporated in New Zealand, trading as GIWAHS (“GIWAHS”, “we”) takes to protect the confidentiality, integrity, and availability of:

It also defines our Incident Response process — detection, containment, eradication, recovery, notification, and post-incident review — and our notification commitments to Customers, regulators, and affected individuals.

This Policy supports compliance with: - NZ Privacy Act 2020 Information Privacy Principles 5 (Storage and Security) and 12 (Disclosure outside NZ); - EU GDPR / UK GDPR Articles 32 (Security), 33 (Breach Notification to Supervisory Authority), 34 (Breach Notification to Data Subjects); - CCPA/CPRA and other US state privacy laws’ “reasonable security” requirements and breach-notification statutes (US state-by-state laws). - Australia Privacy Act 1988 APP 11 (Security) and the Notifiable Data Breaches scheme.

2. Security Governance

2.1 Ownership

2.2 Risk management

2.3 Policies and standards

2.4 Personnel

3. Asset Inventory and Classification

Asset class Examples Classification Default handling
Customer Personal Data Names, emails, billing metadata, RFQ content, verification documents Restricted Encrypted at rest; encrypted in transit; least-privilege access; audit-logged.
Authentication secrets Password hashes, session tokens, refresh tokens, API keys Restricted Hashed (Argon2/bcrypt where applicable); rotated; never logged.
Application source code Repos in version control Confidential Access via SSO; protected branches; code review required.
Operational logs Application, database, edge-function, cron logs Confidential PII redacted where feasible; retained 13 months.
Aggregated analytics De-identified usage metrics Internal Standard access controls.
Public marketing Landing pages, vault docs marked public Public No restriction.

4. Access Control

5. Cryptography

Layer Standard
In-transit (public) TLS 1.2+ with modern cipher suites; HSTS enabled; HTTP redirects to HTTPS; Cloudflare-managed TLS termination.
In-transit (internal) TLS or equivalent inside provider VPCs (Supabase, Stripe).
At rest AES-256 for database storage; encrypted backups; encrypted object storage.
Passwords Hashed using Argon2id or bcrypt per Supabase Auth defaults; never stored in plaintext.
Session tokens Short-lived JWTs (1h access / 30d refresh); rotated on refresh.
Webhook signatures HMAC-SHA256 with provider signing secrets (Stripe, Resend).
Key management Provider-managed KMS where available (Supabase, Cloudflare); root keys not handled by GIWAHS.

6. Network and Edge Security

7. Application Security

8. Data Protection

9. Logging and Monitoring

10. Business Continuity & Disaster Recovery

Component RTO RPO
Public landing pages < 1 hour 0 (static, redeployable)
Backend API < 4 hours < 5 minutes (managed DB streaming)
Database < 8 hours < 24 hours (worst case)
Email dispatch (Resend) < 4 hours via dispatcher; degraded mode logs-only without data loss 0
Billing & subscription state Managed by Stripe (provider-rated 99.99%+) 0

Tabletop exercises run annually to validate recovery procedures.

11. Vendor / Subprocessor Risk

12. Incident Response

12.1 Definitions

12.2 Severity matrix

Sev Examples Initial response time
SEV-1 Confirmed Personal Data Breach affecting Restricted data; production fully down; active exploitation. Acknowledge within 15 minutes; war-room within 1 hour.
SEV-2 Partial service degradation; suspected but not confirmed breach; high-rate webhook signature failures. Acknowledge within 1 hour; investigation within 4 hours.
SEV-3 Single-tenant issue; minor functional degradation; security vuln found via scanning. Acknowledge within 1 business day; patch within 7–30 days per CVSS.
SEV-4 Informational; non-prod environment issue. Triage in next business day.

12.3 Phases

  1. Identification — alert/report received; on-call engineer paged for SEV-1/2; incident ticket opened.
  2. Containment — limit blast radius (revoke credentials, block IPs, take affected services offline, rotate secrets); preserve forensic state.
  3. Eradication — remove cause (patch, configuration, code fix, account deactivation).
  4. Recovery — restore service from clean state; monitor for re-occurrence.
  5. Notification — internal stakeholders, Customers, regulators, affected individuals per Section 13.
  6. Lessons learned — blameless post-incident review within 10 business days; corrective actions tracked to closure.

12.4 Forensics

13. Breach Notification

13.1 To Customers (Doc 29 §9)

13.2 To supervisory authorities

13.3 To data subjects

13.4 To NZ Privacy Commissioner

13.5 To OAIC (Australia)

13.6 To US Attorneys General / consumers

13.7 No admission of fault

14. Physical Security

GIWAHS is a remote-first operation. There is no GIWAHS-owned data centre; physical security of production systems is delegated to: - Supabase / AWS for primary database and edge functions; - Stripe for payment infrastructure; - Cloudflare for edge POPs; - Google Workspace for corporate identity/email/storage. Each is reviewed for SOC 2 Type II / ISO 27001 / equivalent independent assurance.

Personnel devices: full-disk encryption; screen-lock; managed via MDM where deployed; secure-by-default configuration.

15. Vulnerability Disclosure

16. Compliance Roadmap

17. Review & Change Control

18. Contact


End of Document 30.