
Data Security Policy

Last updated: February 26, 2026

1. OVERVIEW

At Gi Yamo Enterprise ("Giyaent"), protecting the integrity and confidentiality of the data entrusted to us on the ma'kuu platform is our highest priority. Dealing with cultural heritage and research data requires a security posture that goes beyond standard compliance; it requires a commitment to custodianship and zero-trust architecture.

This Data Security Policy outlines the technical and organisational measures we implement to secure your data, complying with:

  • Kenya Data Protection Act
  • African Union Convention on Cyber Security and Personal Data Protection
  • African Union Data Policy Framework
  • General Data Protection Regulation (GDPR)
  • NIST AI Risk Management Framework

We maintain a security posture built on global industry standards. Our internal security management system is fully aligned with the ISO 27001 framework and SOC 2 Trust Services Criteria. While we do not currently pursue external third-party certifications, we actively apply these rigorous policies and controls to ensure the highest level of data integrity and protection for our users and organisations.

2. INFRASTRUCTURE SECURITY

Our infrastructure is built on world-class, ISO 27001-certified cloud providers. We do not maintain physical servers, reducing the risk of physical security breaches.

2.1 Cloud Providers

  • Supabase (Database & Backend): Our core database and authentication services are hosted by Supabase, which runs on AWS (Amazon Web Services). Supabase adheres to SOC 2 Type II, HIPAA, and ISO 27001 standards.
  • Netlify (Frontend & Edge): Our application interface is hosted on Netlify, ensuring global availability and DDoS protection via their edge network.
  • Cloudflare (Network Security): We use Cloudflare for DNS management, Content Delivery Network (CDN), and Web Application Firewall (WAF) protection.

2.2 Network Security

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security) with strong cipher suites. We enforce HTTPS for all connections; insecure HTTP requests are automatically rejected.
  • DDoS Protection: Cloudflare provides unmetered mitigation against Distributed Denial of Service (DDoS) attacks, ensuring platform availability.
  • Firewall: Strict firewall rules block unauthorised traffic at the edge.

3. DATA PROTECTION & ENCRYPTION

We employ a "Defence in Depth" strategy to protect data at every layer.

3.1 Encryption at Rest

All user data stored in our databases and file storage is encrypted at rest using industry-standard AES-256 encryption. This includes:

  • User profiles and authentication credentials.
  • Research data, project metadata, and comments.
  • Uploaded files (images, documents, audio/video).

3.2 Database Security

We utilise PostgreSQL, known for its reliability and security features, managed by Supabase.

  • Row-Level Security (RLS): We strictly enforce RLS policies on every database table. This isolates data at the row level, ensuring that users can only access data they are explicitly authorised to view or edit. Even an authenticated user cannot query data belonging to another workspace unless granted permission.
  • Point-in-Time Recovery (PITR): We maintain continuous backups allowing us to restore the database to any specific second in the last 7 days (Enterprise tiers extend this duration), protecting against accidental data loss or ransomware.
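The following is an added example of the kind of PostgreSQL row-level security set-up described above; it is not Giyaent's own schema or policy code. Table and column names (workspace_members, research_items, role) are assumed, and auth.uid() is the Supabase helper that returns the calling user's id from the request JWT.

```sql
-- Added example (not the ma'kuu platform's schema): workspace isolation with
-- PostgreSQL row-level security. Table and column names are assumptions.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('viewer', 'editor', 'owner')),
  primary key (workspace_id, user_id)
);

create table research_items (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null,
  body         text
);

-- Enable RLS on both tables. A table with RLS enabled but no matching policy
-- returns no rows (default deny), so a forgotten policy fails closed.
alter table workspace_members enable row level security;
alter table research_items    enable row level security;

-- Apply the policies to the table owner too, so nothing is exempt by accident.
alter table workspace_members force row level security;
alter table research_items    force row level security;

-- A user may see only their own membership rows.
create policy members_self on workspace_members
  for select
  using (user_id = auth.uid());

-- Any member of a workspace may read that workspace's items.
create policy items_read on research_items
  for select
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = research_items.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- Editors and owners may insert, update and delete. WITH CHECK re-evaluates
-- the condition on the new row, so an update cannot move a row into a
-- workspace the caller is not an editor of.
create policy items_write on research_items
  for all
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = research_items.workspace_id
        and m.user_id = auth.uid()
        and m.role in ('editor', 'owner')
    )
  )
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = research_items.workspace_id
        and m.user_id = auth.uid()
        and m.role in ('editor', 'owner')
    )
  );

-- Sanity check in a Supabase project: impersonate the "authenticated" role
-- with a constructed user id and confirm that rows from workspaces this user
-- does not belong to never come back.
begin;
  set role authenticated;
  set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
  select workspace_id, count(*) from research_items group by workspace_id;
rollback;
```

Two caveats worth checking in any RLS deployment: the Supabase service-role key bypasses RLS entirely, so it must never be shipped to a browser or mobile client, and because the subquery in items_read is itself subject to the members_self policy, the membership table must expose exactly the rows the item policies need (here, the caller's own memberships).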

4. ACCESS CONTROL

We follow the Principle of Least Privilege for both internal operations and user access.

4.1 User Authentication

  • Secure Logins: We support secure sign-up via email/password and OAuth providers (Google, GitHub).
  • Password Handling: We never store plain-text passwords. Passwords are hashed and salted using bcrypt or Argon2id.
  • Session Management: JSON Web Tokens (JWTs) are used for stateless, secure session management with short expiration times.

4.2 Internal Access

  • Restricted Access: Only a strictly limited number of authorised Giyaent engineers have access to production infrastructure for maintenance purposes.
  • MFA Enforcement: Multi-Factor Authentication (MFA) is mandatory for all internal staff accessing administrative consoles (Supabase Dashboard, Netlify, Cloudflare).
  • Audit Logging: Internal access logs are retained to monitor for suspicious activity.

5. APPLICATION SECURITY

Security is integrated into our Software Development Life Cycle (SDLC).

5.1 Secure Development

  • Code Reviews: All code changes require peer review before being merged into the production branch.
  • Vulnerability Scanning: We use automated tools (such as Dependabot) to scan dependencies for known security vulnerabilities (CVEs) and patch them immediately.
  • Error Monitoring: We use Sentry to track application errors in real-time, allowing us to detect and respond to potential security anomalies or stability issues instantly.

5.2 AI Safety

For features utilising Artificial Intelligence:

  • Data Privacy: User data sent to AI models (e.g., for summarisation) is processed via secure APIs.
  • No Training: We have agreements in place ensuring that your private research data is NOT used to train public foundation models by third-party providers.

6. INCIDENT RESPONSE

In the event of a security breach, Giyaent has a defined Incident Response Plan.

  1. Detection: Identifying the breach through monitoring tools (Sentry, PostHog, Infrastructure logs).
  2. Containment: Immediately revoking access, isolating affected systems, and patching vulnerabilities.
  3. Investigation: Determining the scope, cause, and impact of the breach.
  4. Notification:
    • Regulatory: We will notify the Office of the Data Protection Commissioner (ODPC) in Kenya within 72 hours of becoming aware of a notifiable breach.
    • Users: Affected users will be notified without undue delay if there is a high risk to their rights and freedoms.
  5. Remediation: Implementing long-term fixes to prevent recurrence.

7. PHYSICAL SECURITY

Giyaent is a remote-first, cloud-native enterprise. We do not own or operate physical data centres.

  • Cloud Facilities: Our cloud providers (AWS) employ military-grade physical security, including 24/7 armed guards, biometric scanning, and video surveillance at their data centre locations.
  • Office Security: Staff devices are required to be encrypted (BitLocker/FileVault) and secured with strong passwords and biometrics.

8. SUBPROCESSORS

Giyaent utilises third-party infrastructure and service providers ("Subprocessors") to provide the ma'kuu platform. We conduct security assessments of all subprocessors and ensure they maintain industry-standard security certifications (SOC 2, ISO 27001).

  Subprocessor | Service Provided                   | Data Security Standard
  -------------|------------------------------------|--------------------------
  Supabase     | Backend infrastructure & Database  | SOC 2 Type II, ISO 27001
  Netlify      | Frontend hosting & Edge compute    | SOC 2 Type II, ISO 27001
  Cloudflare   | Network security, WAF, & CDN       | SOC 2 Type II, ISO 27001
  PostHog      | Product analytics & Usage tracking | SOC 2 Type II
  Resend       | Transactional email delivery       | SOC 2 Type II
  Paystack     | Payment processing                 | PCI-DSS Level 1

9. CONTACT US

For any security concerns, bug reports, or questions regarding this policy, please contact our Security Team directly: privacy@giyaent.com or hello@giyaent.com