Effective Date: 1 January 2025
Version: 2.0 — Ultra-Final (Djenie Edition)

1. PURPOSE

This Policy outlines the security controls, governance practices, and protection measures used by In Delay There Lies No Plenty Pty Ltd ACN 162 881 138 ATF Future Thinking Family Trust t/a Djenie ABN 98 399 797 036 (“Djenie”) to safeguard data processed, stored, or transmitted across its systems.
It aligns with:

  • ISO/IEC 27001:2022
  • ISO/IEC 27701
  • NIST Cybersecurity Framework
  • SOC 2-aligned controls
  • Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • GDPR/UK GDPR
  • CPRA, PIPL, LGPD

2. SCOPE

This Policy applies to:

  • Djenie’s membership-management system (SMS v2)
  • all cloud infrastructure and hosting environments
  • internal applications, tools, and corporate systems
  • all data storage, processing, and transmission activities
  • engineering, development, support, and operational teams
  • third-party suppliers and subprocessors handling Djenie data

3. SECURITY GOVERNANCE

  • Accountable Executive: Chief Executive Officer
  • Security Lead: Oversees operational security and ISMS alignment
  • Data Protection Lead: Ensures privacy law compliance and cross-border safeguards
  • Technology Leadership: Ensures secure architecture and development

Governance frameworks and guidance include: ISO/IEC 27001:2022 Annex A controls, the NIST Cybersecurity Framework, and OWASP application-security guidance.

4. INFORMATION SECURITY OBJECTIVES

Djenie’s security objectives:

  • protect confidentiality, integrity, and availability of all data
  • prevent unauthorised access or loss
  • maintain secure cloud operations and resilient infrastructure
  • detect, respond to, and remediate threats promptly
  • ensure regulatory and contractual compliance

5. RISK MANAGEMENT

Djenie maintains:

  • an enterprise risk register
  • annual risk assessments
  • treatment plans prioritised by criticality
  • continuous monitoring for new risks
  • senior-leadership review cycles

6. DATA CLASSIFICATION

Data is classified into:

  • Public — approved for external release
  • Internal — for Djenie personnel
  • Confidential — customer and operational data
  • Restricted — authentication secrets, encryption keys, privileged logs

7. ACCESS CONTROL & AUTHENTICATION

  • role-based access control (RBAC)
  • least-privilege enforcement
  • multi-factor authentication for admin access
  • automated deprovisioning on exit or role change
  • privileged access monitoring and review
  • enforced session timeouts and reauthentication

8. ENCRYPTION STANDARDS

  • TLS 1.2 or higher for all data in transit, with legacy protocol versions (TLS 1.0/1.1) disabled
  • AES-256 (or equivalent-strength) encryption for all data at rest
  • key-management controls including rotation and restricted access

9. NETWORK & INFRASTRUCTURE SECURITY

  • segmented networks and isolated cloud environments
  • hardened operating systems and containers
  • firewalling and network ACL enforcement
  • anomaly and intrusion detection
  • redundant and scalable cloud infrastructure

10. OPERATIONAL SECURITY CONTROLS

  • secure configuration baselines
  • patch and update management
  • permission and configuration reviews
  • separate dev/staging/production environments
  • anti-malware controls where applicable
  • automated vulnerability scans

11. SECURE DEVELOPMENT LIFECYCLE (SDLC)

  • secure coding standards
  • mandatory peer code reviews
  • dependency scanning and SCA tools
  • secrets-management controls
  • separated testing and production environments
  • review of AI-assisted development for data-exposure risks

12. VULNERABILITY MANAGEMENT

  • continuous scanning
  • CVE monitoring
  • prioritised remediation
  • patch tracking
  • immediate action on critical vulnerabilities

13. LOGGING & MONITORING

  • authentication and access logs
  • privileged-account monitoring
  • infrastructure-event logging
  • automated SIEM alerting
  • tamper-resistant log retention

14. INCIDENT RESPONSE & BREACH NOTIFICATION

Djenie’s incident response covers:

  • identification, containment, eradication, recovery
  • root-cause analysis and corrective action
  • compliance with breach-notification rules under the APPs (Notifiable Data Breaches scheme), GDPR/UK GDPR, CPRA, and PIPL
  • prompt Customer notification where required

15. DATA LIFECYCLE MANAGEMENT

  • data minimisation and purpose limitation
  • secure storage using encryption
  • retention based on legal and contractual requirements
  • secure deletion or anonymisation

16. BACKUPS & BUSINESS CONTINUITY

  • encrypted backups of critical data
  • periodic restoration testing
  • business continuity and disaster recovery aligned with ISO 22301
  • defined RPO/RTO targets

17. THIRD-PARTY & SUPPLIER SECURITY

  • supplier risk assessments
  • security questionnaires and due diligence
  • contractual safeguards including privacy and security clauses
  • periodic monitoring and review
  • termination of suppliers failing security obligations

18. PHYSICAL SECURITY

  • physical security provided by certified cloud vendors
  • controlled access and surveillance
  • prohibition on local storage of customer data unless encrypted and justified

19. USER RESPONSIBILITIES

All users must:

  • protect credentials
  • use secure devices
  • report incidents immediately
  • comply with Djenie’s policies and guidelines

20. CONTINUOUS IMPROVEMENT

Djenie will:

  • monitor security-control effectiveness
  • update this Policy in response to threats, regulations, or audits
  • integrate lessons learned into future practices

ANNEX A — DEFINITIONS

CIA Triad, Personal Data, RBAC, RPO/RTO, Subprocessor, Incident, Encryption Key, Cloud Provider.

VERSION CONTROL & GOVERNANCE

Version: 2.0 — Djenie Edition
Effective Date: 1 January 2025
Approval: Chief Executive Officer, Djenie
Change Summary: Full rewrite of Cushi version for Djenie; expanded cloud architecture controls, ISO alignment, supplier governance, incident-response integration.
Review Cycle: Annual or earlier if required.