GIWAHS Subprocessor Register
Document: 31 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified data-protection counsel before being published, attached to the DPA (Doc 29), or shared with Customers. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Docs 24 (Privacy Policy §5), 28 (Cookie Policy), 29 (DPA §6, Annex C), 30 (Security & IR Policy §11).
Purpose: Single source of truth listing every third party engaged by Whaitiri Black Limited (trading as GIWAHS) to Process Personal Data of GIWAHS Customers and end users. Required by Article 28(2)–(4) GDPR / UK GDPR, the NZ Privacy Act 2020 (transparency under IPP 5 & 12), the AU Privacy Act (APP 1 & 8), and corresponding obligations under CCPA/CPRA service-provider rules.
1. Definitions
A “Subprocessor” means any third party engaged by GIWAHS to Process Personal Data, including infrastructure providers, payments providers, communications providers, identity providers, and AI/ML providers, where Personal Data may transit through or rest within their systems.
This register does not list pure read-only data sources (e.g., public companies registers) or vendors that do not Process Personal Data on our behalf.
2. Governance of This Register
- Reviewed and updated at least quarterly and on any material change.
- Material additions, replacements, or removals are notified to Customers at least 30 days in advance under Doc 29 §6.3 (DPA).
- The register is referenced from Doc 29 Annex C and forms part of the contractual disclosure of Subprocessors.
- The version history at the bottom of this document is append-only.
3. Current Subprocessors (as of the Last Updated date above)
3.1 Core platform Subprocessors
| Subprocessor | Service provided | Categories of Personal Data Processed | Processing location(s) | Transfer mechanism (from EEA/UK/CH) | Transfer mechanism (from NZ/AU) | Provider DPA / Privacy URL |
|---|---|---|---|---|---|---|
| Supabase, Inc. (USA) | Managed Postgres database, authentication, edge functions, file storage | All Customer Personal Data stored on the Platform: account, organisation, membership, RFQ, verification documents, audit logs, email logs, supplier profiles. | AWS region selected at project creation (currently configured: project jrvrqwbhyydvjipjvvyp). Provider operates globally. |
EU SCCs (Module 2 / 3) + UK IDTA; supplementary measures per Doc 30. | Contractual safeguards equivalent to IPP 12 / APP 8 via Supabase DPA. | https://supabase.com/privacy · https://supabase.com/legal/dpa |
| Stripe, Inc. (USA) | Payments processing, subscription billing, Customer Portal, Stripe Tax | Billing identifiers (customer reference, last 4 / brand / expiry only), billing address, tax ID, subscription metadata, invoice records. GIWAHS does not receive full card numbers. | USA primary; global processing. | EU SCCs + UK IDTA; PCI-DSS Level 1; supplementary measures. | Contractual safeguards. | https://stripe.com/privacy · https://stripe.com/dpa |
| Resend, Inc. (USA) | Transactional email delivery, bounce/complaint webhooks | Recipient email address, message metadata, message content for outbound emails (founder welcome, renewal reminders, payment failures, verification status), delivery/bounce/complaint events. | USA primary. | EU SCCs + UK IDTA. | Contractual safeguards. | https://resend.com/legal/privacy-policy · https://resend.com/legal/dpa |
| Cloudflare, Inc. (USA) | CDN, WAF, DDoS protection, bot management, DNS, TLS termination | IP address, request metadata, user agent, geolocation (country-level), cookies described in Doc 28 §3.1 (__cf_bm, cf_clearance). No request bodies stored beyond logs retention. |
Global edge POPs (250+ cities). | EU SCCs + UK IDTA; Cloudflare data localisation suite available on request. | Contractual safeguards. | https://www.cloudflare.com/privacypolicy/ · https://www.cloudflare.com/cloudflare-customer-dpa/ |
3.2 Corporate productivity Subprocessors
| Subprocessor | Service provided | Categories of Personal Data Processed | Processing location(s) | Transfer mechanism (EEA/UK/CH) | Transfer mechanism (NZ/AU) | Provider DPA / Privacy URL |
|---|---|---|---|---|---|---|
| Google LLC – Google Workspace (USA) | Email (founder/support inboxes), document collaboration, calendar, identity provider for internal SSO | Inbound emails from/to Customers (including any Personal Data Customers include in messages); document contents; identity/authentication events for GIWAHS personnel. No application Customer data is stored in Workspace except where Customers email it to us. | USA primary; Google global infrastructure. | EU SCCs (incorporated into Google Workspace DPA) + UK IDTA. | Contractual safeguards. | https://workspace.google.com/terms/dpa_terms.html · https://policies.google.com/privacy |
3.3 AI / model Subprocessors
| Subprocessor | Service provided | Categories of Personal Data Processed | Processing location(s) | Transfer mechanism (EEA/UK/CH) | Transfer mechanism (NZ/AU) | Provider DPA / Privacy URL |
|---|---|---|---|---|---|---|
| OpenAI, L.L.C. (USA) — gated; currently disabled per D-009 / D-010 | LLM API for any AI-augmented features (e.g., supplier intelligence summaries) — currently turned off across the Platform. Where activated in future, only the minimum prompt context strictly required is sent; Customer is given prior notice through the DPA-§6.3 mechanism. | Prompt content (which may include limited Customer Personal Data only where unavoidable); model output. No-training and zero data-retention API endpoints are used; data is not used to train OpenAI models. | USA primary. | EU SCCs (incorporated into OpenAI Data Processing Addendum) + UK IDTA. | Contractual safeguards. | https://openai.com/policies/privacy-policy · https://openai.com/policies/data-processing-addendum |
3.4 Affiliates and authorised personnel
- Whaitiri Black Limited (trading as GIWAHS) employees and contractors operating under written confidentiality and security obligations.
- Subject to Doc 30 §4 (Access Control) and the joiner/mover/leaver process described therein.
4. Subprocessor Engagement Rules
4.1 Intake checklist (applied to every prospective Subprocessor)
- Documented data-protection terms with provider (DPA or equivalent).
- Transfer mechanism evaluated and recorded (Section 3).
- Independent assurance reviewed where available (SOC 2 Type II / ISO 27001 / equivalent).
- Security posture assessment per Doc 30 §11.
- Categories of Personal Data and processing purpose minimised and recorded.
- Notification posted to this register at least 30 days before live cutover.
- Customer objections (Doc 29 §6.3) addressed before cutover.
4.2 Replacement and removal
- Replacements follow the same intake checklist.
- Removed Subprocessors retained in the version history (Section 7) with removal date and reason.
- Personal Data is deleted or returned per the exiting Subprocessor’s contractual obligations and Doc 29 §11.
5. Customer Notification Mechanism
- Customers are notified of additions/replacements via:
- Email to the security/privacy contact on file; and
- In-app banner where applicable.
- Customers may subscribe to register updates at privacy@giwahs.com.
6. Sub-Subprocessors
GIWAHS Subprocessors may engage their own sub-processors (e.g., Stripe and Supabase use AWS for infrastructure). Those sub-sub-processors are governed by the respective Subprocessor’s own DPA and listed in their public Subprocessor pages. We rely on contractual back-to-back data-protection obligations from each Subprocessor.
7. Version History
| Version | Date | Change | Rationale |
|---|---|---|---|
| 1.0 | To be inserted on publication | Initial register published with 6 Subprocessors: Supabase, Stripe, Resend, Cloudflare, Google Workspace, OpenAI (OpenAI gated/disabled at platform level per D-009/D-010). | Foundational disclosure aligned with Docs 24 / 28 / 29 / 30 for the Phase 1 Founding Partner launch. |
(Append-only. Add a new row for every material change.)
8. Contact
- Subprocessor questions: privacy@giwahs.com
- Security questions: security@giwahs.com
End of Document 31.