← Trust Centre/ Compliance

What we comply with today,
and what we're working toward.
In writing.

No overclaim, no logos we haven't earned. The compliance status of Whaitiri Black Limited (trading as GIWAHS), dated and sourced to the Vault documents that back each claim.

Open the pre-signed DPA (review draft)
/ 01 — Status board
Active certifications
None yet — see roadmap below
DPA status
Published v1.0 — pre-signed by GIWAHS
Standardised questionnaires
SIG Lite Q3 2026 · CAIQ Q4 2026
/ 02 — Frameworks we comply with

Aligned today.

FrameworkStatusReference
EU GDPR (Regulation (EU) 2016/679) AlignedDoc 24 · 29 · 30
UK GDPR + Data Protection Act 2018 AlignedDoc 24 · 29 · 30
Swiss FADP (revised 2023) AlignedDoc 29 §7
NZ Privacy Act 2020 AlignedDoc 24 §13 · Doc 30 §13.4
Australian Privacy Act 1988 + APPs AlignedDoc 24 §13 · Doc 30 §13.5
California CCPA / CPRA AlignedDoc 24 §12 · Doc 39
Colorado · Virginia · Connecticut · Utah · Texas AlignedDoc 24 §12
ePrivacy Directive + PECR (UK) AlignedDoc 28 §4
PCI-DSS (via Stripe outsourcing — SAQ-A scope) AlignedDoc 30 §5, §6
CAN-SPAM · CASL · NZ UEMA · AU SPAM Act AlignedDoc 36 §3.4
/ 03 — Working toward

Honest roadmap, with dates.

FrameworkTargetStatus
SOC 2 Type I Year 1–2Planning — scope being defined
SOC 2 Type II Year 2Following Type I
ISO/IEC 27001 Year 2–3Gap analysis after SOC 2 Type I
ISO/IEC 27701 (privacy extension) Year 3+Planning
SIG Lite (Shared Assessments) Q3 2026Drafting
CAIQ (Cloud Security Alliance) Q4 2026Drafting
FedRAMP Not in scope
/ 04 — Data residency & transfer mechanisms

Where your data lives, and how it travels.

Data categoryPrimary residencyMechanism (EU/UK/CH origin)Mechanism (NZ/AU origin)
Application data (DB, auth, storage) Supabase / AWS (region configurable)EU SCCs · UK IDTANZ IPP 12 · APP 8
Payment metadata Stripe (USA primary)EU SCCs · UK IDTA · PCI-DSS L1Contractual safeguards
Email content + delivery metadata Resend (USA primary)EU SCCs · UK IDTAContractual safeguards
Edge / network logs Cloudflare (global POPs)EU SCCs · UK IDTAContractual safeguards
Corporate email & files Google Workspace (USA primary)Google DPA + EU SCCsContractual safeguards
LLM API (gated, currently disabled) OpenAI (USA primary)OpenAI DPA + EU SCCsContractual safeguards

Full Subprocessor Register at /trust · pending counsel sign-off before publication.

/ 05 — Data Processing Addendum (DPA)

Three paths.

  1. 1. Self-serve download. Pre-signed DPA at /legal/dpa.pdf (available after counsel sign-off). Customer countersigns by reply email.
  2. 2. Email-back countersignature. Send your signed copy to legal@giwahs.com; we counter-sign and return within 2 business days.
  3. 3. Custom DPA. Enterprise tier — we accept reasonable amendments. Material changes extend turnaround to 5–7 business days.
Email legal@giwahs.com
/ 06 — Vendor questionnaire support

SLAs you can plan around.

  • Acknowledgement: within 2 business days.
  • 250-Q standard questionnaire: 5 business days (Enterprise) · 10 business days (Gold / Elite).
  • NDA: mutual same-day countersignature; ours available on request.
Email security@giwahs.com
Compliance & questionnaires
security@giwahs.com
Privacy & DPA
privacy@giwahs.com
/ Companies Office verification

Verify us independently.

Whaitiri Black Limited (trading as GIWAHS) is a registered New Zealand company. Company details may be independently verified via the New Zealand Companies Office and the NZBN Register.

IdentifierValueVerify on
NZ Companies Office number6860633 Companies Office Aotearoa NZ
NZBN9429046803306 NZBN Register
NZ GST number125-955-886 Whaitiri Black Limited is NZ GST-registered. Tax invoices via Stripe Tax.

Registered office address: founder verification pending. NZ GST № 125-955-886. Director: Jay Elkington (100% shareholder).

© Whaitiri Black Limited · trading as GIWAHS. Registered in New Zealand.NZ Company № 6860633·NZBN 9429046803306·NZ GST 125-955-886·Companies Office NZBN Register

Made with Emergent