← Trust Centre/ Security

Security at GIWAHS isn't a department.
It's a contract.

We protect Founder Partner data with the same rigour we expect of the suppliers we verify. This page is the public summary; Doc 30 is the full record.

Platform uptime SLA target
99.95%
Last security review (internal)
Continuous — merge-time
Customer-impacting incidents (12 mo.)
0

Need a current uptime SLA letter for procurement? Email security@giwahs.com.

/ 01 — Controls in production

Concrete controls, not adjectives.

Access control
  • · MFA + SSO mandatory on production systems (Supabase, Stripe, Cloudflare, GitHub, Google Workspace, Resend, OpenAI org).
  • · Role-based access via Supabase Row-Level Security and SECURITY DEFINER RPCs.
  • · Quarterly access reviews; annual full review; joiner/mover/leaver SLA 24 hours.
Cryptography
  • · TLS 1.2+ in transit; AES-256 at rest.
  • · Argon2id / bcrypt for passwords; never plaintext.
  • · Short-lived JWTs (1h access / 30d refresh); HMAC-SHA256 webhook signatures.
Network & edge
  • · Cloudflare WAF, DDoS mitigation, bot management, rate limiting, IP-reputation filtering.
  • · Restricted egress for backend processes — only documented Subprocessors.
  • · Stripe (PCI-DSS Level 1) handles all card data — GIWAHS never receives raw cards.
Application security
  • · Code review on every change touching auth, billing, RLS, or PII.
  • · Automated dependency scanning; critical patches ≤ 7 days.
  • · OWASP Top 10 review annually; CSRF + scoped CORS; webhook signature verification.
Data protection
  • · Tenant isolation via per-org RLS policies.
  • · Daily encrypted backups with ≥ 35-day retention; annual restore test.
  • · AI usage: no-training / zero-data-retention endpoints only. Currently disabled at platform level.
Logging & monitoring
  • · Application logs retained 13 months; PII redacted by default.
  • · Database audit log via audit_log table (migrations 015–020).
  • · Alerts on failed-login spikes, webhook signature failures, cron non-completion.
/ 02 — Business continuity & recovery

Recovery targets, in writing.

ComponentRTORPO
Public landing pages< 1 hour0 (static, redeployable)
Backend API< 4 hours< 5 min (managed DB streaming)
Database< 8 hours< 24 hours (worst case)
Email dispatch (Resend)< 4 hours; degraded logs-only without data loss0
Billing & subscription stateStripe-managed (99.99%+)0

Tabletop exercises run annually. Lessons-learned tracked to closure.

/ 03 — Incident response

When something goes wrong, this is what happens.

  • 4-tier severity model. SEV-1 (confirmed breach, prod down, active exploitation) through SEV-4 (informational).
  • 6-phase lifecycle. Identification → Containment → Eradication → Recovery → Notification → Lessons Learned.
  • 72-hour Customer notification of a Personal Data Breach affecting Customer Personal Data.
  • Regulatory paths: GDPR Articles 33–34 · NZ NotifyUs · AU NDB / OAIC · US state breach laws.
/ 04 — Vulnerability disclosure

Safe-harbour for good-faith research.

  • Report to security@giwahs.com.
  • Acknowledgement within 2 business days.
  • Triage within 5 business days.
  • Remediation target: Critical ≤ 7 days · High ≤ 30 days · Medium ≤ 90 days.
Open the Security & IR Policy (review draft)
/ 05 — Roadmap

Where we're going, transparently.

Year 1
Policies in force

Documented runbooks. Vendor SOC 2 reliance.

Year 1–2
SOC 2 Type I → II

Independent audit cycle initiated.

Year 2–3
ISO/IEC 27001

Gap analysis after SOC 2 Type I.

Continuous
Privacy compliance

GDPR · UK GDPR · NZ Privacy · AU Privacy · CCPA reviews led by counsel.

/ Companies Office verification

Verify us independently.

Whaitiri Black Limited (trading as GIWAHS) is a registered New Zealand company. Company details may be independently verified via the New Zealand Companies Office and the NZBN Register.

IdentifierValueVerify on
NZ Companies Office number6860633 Companies Office Aotearoa NZ
NZBN9429046803306 NZBN Register
NZ GST number125-955-886 Whaitiri Black Limited is NZ GST-registered. Tax invoices via Stripe Tax.

Registered office address: founder verification pending. NZ GST № 125-955-886. Director: Jay Elkington (100% shareholder).

© Whaitiri Black Limited · trading as GIWAHS. Registered in New Zealand.NZ Company № 6860633·NZBN 9429046803306·NZ GST 125-955-886·Companies Office NZBN Register

Made with Emergent