Security at GIWAHS isn't a department.
It's a contract.
We protect Founder Partner data with the same rigour we expect of the suppliers we verify. This page is the public summary; Doc 30 is the full record.
Need a current uptime SLA letter for procurement? Email security@giwahs.com.
Concrete controls, not adjectives.
- · MFA + SSO mandatory on production systems (Supabase, Stripe, Cloudflare, GitHub, Google Workspace, Resend, OpenAI org).
- · Role-based access via Supabase Row-Level Security and SECURITY DEFINER RPCs.
- · Quarterly access reviews; annual full review; joiner/mover/leaver SLA 24 hours.
- · TLS 1.2+ in transit; AES-256 at rest.
- · Argon2id / bcrypt for passwords; never plaintext.
- · Short-lived JWTs (1h access / 30d refresh); HMAC-SHA256 webhook signatures.
- · Cloudflare WAF, DDoS mitigation, bot management, rate limiting, IP-reputation filtering.
- · Restricted egress for backend processes — only documented Subprocessors.
- · Stripe (PCI-DSS Level 1) handles all card data — GIWAHS never receives raw cards.
- · Code review on every change touching auth, billing, RLS, or PII.
- · Automated dependency scanning; critical patches ≤ 7 days.
- · OWASP Top 10 review annually; CSRF + scoped CORS; webhook signature verification.
- · Tenant isolation via per-org RLS policies.
- · Daily encrypted backups with ≥ 35-day retention; annual restore test.
- · AI usage: no-training / zero-data-retention endpoints only. Currently disabled at platform level.
- · Application logs retained 13 months; PII redacted by default.
- · Database audit log via audit_log table (migrations 015–020).
- · Alerts on failed-login spikes, webhook signature failures, cron non-completion.
Recovery targets, in writing.
| Component | RTO | RPO |
|---|---|---|
| Public landing pages | < 1 hour | 0 (static, redeployable) |
| Backend API | < 4 hours | < 5 min (managed DB streaming) |
| Database | < 8 hours | < 24 hours (worst case) |
| Email dispatch (Resend) | < 4 hours; degraded logs-only without data loss | 0 |
| Billing & subscription state | Stripe-managed (99.99%+) | 0 |
Tabletop exercises run annually. Lessons-learned tracked to closure.
When something goes wrong, this is what happens.
- 4-tier severity model. SEV-1 (confirmed breach, prod down, active exploitation) through SEV-4 (informational).
- 6-phase lifecycle. Identification → Containment → Eradication → Recovery → Notification → Lessons Learned.
- 72-hour Customer notification of a Personal Data Breach affecting Customer Personal Data.
- Regulatory paths: GDPR Articles 33–34 · NZ NotifyUs · AU NDB / OAIC · US state breach laws.
Safe-harbour for good-faith research.
- Report to security@giwahs.com.
- Acknowledgement within 2 business days.
- Triage within 5 business days.
- Remediation target: Critical ≤ 7 days · High ≤ 30 days · Medium ≤ 90 days.
Where we're going, transparently.
Documented runbooks. Vendor SOC 2 reliance.
Independent audit cycle initiated.
Gap analysis after SOC 2 Type I.
GDPR · UK GDPR · NZ Privacy · AU Privacy · CCPA reviews led by counsel.
Verify us independently.
Whaitiri Black Limited (trading as GIWAHS) is a registered New Zealand company. Company details may be independently verified via the New Zealand Companies Office and the NZBN Register.
| Identifier | Value | Verify on |
|---|---|---|
| NZ Companies Office number | 6860633 | Companies Office Aotearoa NZ |
| NZBN | 9429046803306 | NZBN Register |
| NZ GST number | 125-955-886 | Whaitiri Black Limited is NZ GST-registered. Tax invoices via Stripe Tax. |
Registered office address: founder verification pending. NZ GST № 125-955-886. Director: Jay Elkington (100% shareholder).
