GIWAHS — trading as Whaitiri Black Limited Whaitiri Black Limited · Review draft
/ GIWAHS Founder Vault · Review draft

GIWAHS Subprocessor Register

Document: 31 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified data-protection counsel before being published, attached to the DPA (Doc 29), or shared with Customers. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Docs 24 (Privacy Policy §5), 28 (Cookie Policy), 29 (DPA §6, Annex C), 30 (Security & IR Policy §11).

Purpose: Single source of truth listing every third party engaged by Whaitiri Black Limited (trading as GIWAHS) to Process Personal Data of GIWAHS Customers and end users. Required by Article 28(2)–(4) GDPR / UK GDPR, the NZ Privacy Act 2020 (transparency under IPP 5 & 12), the AU Privacy Act (APP 1 & 8), and corresponding obligations under CCPA/CPRA service-provider rules.


1. Definitions

A “Subprocessor” means any third party engaged by GIWAHS to Process Personal Data, including infrastructure providers, payments providers, communications providers, identity providers, and AI/ML providers, where Personal Data may transit through or rest within their systems.

This register does not list pure read-only data sources (e.g., public companies registers) or vendors that do not Process Personal Data on our behalf.

2. Governance of This Register

3. Current Subprocessors (as of the Last Updated date above)

3.1 Core platform Subprocessors

Subprocessor Service provided Categories of Personal Data Processed Processing location(s) Transfer mechanism (from EEA/UK/CH) Transfer mechanism (from NZ/AU) Provider DPA / Privacy URL
Supabase, Inc. (USA) Managed Postgres database, authentication, edge functions, file storage All Customer Personal Data stored on the Platform: account, organisation, membership, RFQ, verification documents, audit logs, email logs, supplier profiles. AWS region selected at project creation (currently configured: project jrvrqwbhyydvjipjvvyp). Provider operates globally. EU SCCs (Module 2 / 3) + UK IDTA; supplementary measures per Doc 30. Contractual safeguards equivalent to IPP 12 / APP 8 via Supabase DPA. https://supabase.com/privacy · https://supabase.com/legal/dpa
Stripe, Inc. (USA) Payments processing, subscription billing, Customer Portal, Stripe Tax Billing identifiers (customer reference, last 4 / brand / expiry only), billing address, tax ID, subscription metadata, invoice records. GIWAHS does not receive full card numbers. USA primary; global processing. EU SCCs + UK IDTA; PCI-DSS Level 1; supplementary measures. Contractual safeguards. https://stripe.com/privacy · https://stripe.com/dpa
Resend, Inc. (USA) Transactional email delivery, bounce/complaint webhooks Recipient email address, message metadata, message content for outbound emails (founder welcome, renewal reminders, payment failures, verification status), delivery/bounce/complaint events. USA primary. EU SCCs + UK IDTA. Contractual safeguards. https://resend.com/legal/privacy-policy · https://resend.com/legal/dpa
Cloudflare, Inc. (USA) CDN, WAF, DDoS protection, bot management, DNS, TLS termination IP address, request metadata, user agent, geolocation (country-level), cookies described in Doc 28 §3.1 (__cf_bm, cf_clearance). No request bodies stored beyond logs retention. Global edge POPs (250+ cities). EU SCCs + UK IDTA; Cloudflare data localisation suite available on request. Contractual safeguards. https://www.cloudflare.com/privacypolicy/ · https://www.cloudflare.com/cloudflare-customer-dpa/

3.2 Corporate productivity Subprocessors

Subprocessor Service provided Categories of Personal Data Processed Processing location(s) Transfer mechanism (EEA/UK/CH) Transfer mechanism (NZ/AU) Provider DPA / Privacy URL
Google LLC – Google Workspace (USA) Email (founder/support inboxes), document collaboration, calendar, identity provider for internal SSO Inbound emails from/to Customers (including any Personal Data Customers include in messages); document contents; identity/authentication events for GIWAHS personnel. No application Customer data is stored in Workspace except where Customers email it to us. USA primary; Google global infrastructure. EU SCCs (incorporated into Google Workspace DPA) + UK IDTA. Contractual safeguards. https://workspace.google.com/terms/dpa_terms.html · https://policies.google.com/privacy

3.3 AI / model Subprocessors

Subprocessor Service provided Categories of Personal Data Processed Processing location(s) Transfer mechanism (EEA/UK/CH) Transfer mechanism (NZ/AU) Provider DPA / Privacy URL
OpenAI, L.L.C. (USA) — gated; currently disabled per D-009 / D-010 LLM API for any AI-augmented features (e.g., supplier intelligence summaries) — currently turned off across the Platform. Where activated in future, only the minimum prompt context strictly required is sent; Customer is given prior notice through the DPA-§6.3 mechanism. Prompt content (which may include limited Customer Personal Data only where unavoidable); model output. No-training and zero data-retention API endpoints are used; data is not used to train OpenAI models. USA primary. EU SCCs (incorporated into OpenAI Data Processing Addendum) + UK IDTA. Contractual safeguards. https://openai.com/policies/privacy-policy · https://openai.com/policies/data-processing-addendum

3.4 Affiliates and authorised personnel

4. Subprocessor Engagement Rules

4.1 Intake checklist (applied to every prospective Subprocessor)

  1. Documented data-protection terms with provider (DPA or equivalent).
  2. Transfer mechanism evaluated and recorded (Section 3).
  3. Independent assurance reviewed where available (SOC 2 Type II / ISO 27001 / equivalent).
  4. Security posture assessment per Doc 30 §11.
  5. Categories of Personal Data and processing purpose minimised and recorded.
  6. Notification posted to this register at least 30 days before live cutover.
  7. Customer objections (Doc 29 §6.3) addressed before cutover.

4.2 Replacement and removal

5. Customer Notification Mechanism

6. Sub-Subprocessors

GIWAHS Subprocessors may engage their own sub-processors (e.g., Stripe and Supabase use AWS for infrastructure). Those sub-sub-processors are governed by the respective Subprocessor’s own DPA and listed in their public Subprocessor pages. We rely on contractual back-to-back data-protection obligations from each Subprocessor.

7. Version History

Version Date Change Rationale
1.0 To be inserted on publication Initial register published with 6 Subprocessors: Supabase, Stripe, Resend, Cloudflare, Google Workspace, OpenAI (OpenAI gated/disabled at platform level per D-009/D-010). Foundational disclosure aligned with Docs 24 / 28 / 29 / 30 for the Phase 1 Founding Partner launch.

(Append-only. Add a new row for every material change.)

8. Contact


End of Document 31.