Effective Date: 1 December 2025
Version: 2.0
Issuing Entities:
- Strategic Global Holdings Pty Ltd (ACN 693 256 503)
- Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app
Governance Oversight: Group CEO, Strategic Global Holdings Pty Ltd
Review Cycle: Annual or earlier if required by law or operational change
1. Purpose
This Policy outlines the information security controls, governance structures, and protection measures used by Superspeed.ai Pty Ltd (Cushi.ai / Cushi.app) to safeguard data processed, transmitted, or stored across its systems. The Policy aligns with ISO/IEC 27001:2022, ISO/IEC 27701, NIST CSF, OWASP, and applicable global laws.
2. Scope
- Cloud infrastructure and hosting
- Cushi web and mobile applications
- Internal systems and tools
- Data storage, transfer, and processing activities
- Development, support, and operational teams
- Third-party service providers and subprocessors
3. Security Governance
- Accountable Executive: CEO
- Operational Security: Security Lead
- Privacy Compliance: Data Protection Lead
- Security frameworks: ISO 27001, SOC2-aligned controls, NIST CSF
4. Information Security Objectives
- Ensure confidentiality, integrity, availability (CIA triad)
- Prevent unauthorised access or data loss
- Maintain secure cloud operations
- Detect and respond to threats rapidly
- Enable business continuity and legal compliance
5. Risk Management
- Annual risk assessment and ongoing monitoring
- Formal risk register with owners and treatments
- Mitigation plans prioritised by criticality
- Periodic review and improvement
6. Data Classification
- Public – permitted for public disclosure
- Internal – organisational use only
- Confidential – customer and sensitive operational data
- Restricted – authentication secrets, keys, privileged logs
7. Access Control and Authentication
- RBAC and least-privilege
- Multi-factor authentication for internal systems
- Passwordless or strong passwords
- Automated deprovisioning on exit or role change
- Privileged access oversight and monitoring
- Session timeouts and reauthentication
8. Encryption Standards
- TLS 1.2+ for all traffic
- AES-256-equivalent encryption at rest
- Strict key management, rotation, and access control
9. Network and Infrastructure Security
- Network segmentation and isolated environments
- Hardened OS and container configs
- Firewall and network ACLs
- Monitoring for anomalous behaviour
- Redundant and scalable cloud infrastructure
10. Operational Security Controls
- Secure configuration and hardening
- Patch and update management
- Review of permissions and configs
- Dev/staging/production separation
- Anti-malware controls where applicable
- Automated vulnerability scanning
11. Secure Development Lifecycle
- Secure coding standards
- Peer code review requirements
- Dependency scanning and SCA tools
- Secrets management controls
- Separated test/production environments
- AI feature reviews for misuse and data-exposure risk
12. Vulnerability Management
- Regular scans and prioritised remediation
- Monitoring CVEs and vendor advisories
- Tracking of patch timelines
- Critical vulnerabilities patched promptly
13. Logging and Monitoring
- Authentication and access logs
- Privileged activity monitoring
- Key infrastructure events logged
- Alerting on anomalies
- Tamper-resistant log storage
14. Incident Response and Breach Notification
- Identification, containment, eradication, recovery
- Root-cause analysis and improvement
- Compliance with Notifiable Data Breaches (Australia), GDPR, CPRA, PIPL
- Prompt notification to Customers where required
15. Data Lifecycle Management
- Collection/use per Privacy Policy
- Secure storage using encryption
- Retention based on legal/contractual requirements
- Secure deletion or anonymisation
16. Backups and Business Continuity
- Encrypted backups of critical data
- Restoration testing
- Documented BCP and DRP aligned to ISO 22301
- Defined RPO/RTO targets
17. Third-Party and Supplier Security
- Risk-based supplier assessment
- Security questionnaires & due diligence
- Contractual safeguards for subprocessors
- Supplier monitoring and periodic reviews
18. Physical Security
- Cloud provider physical security controls
- Controlled access, surveillance, environmental protections
- No customer data stored locally unless encrypted and necessary
19. User Responsibilities
- Protect credentials
- Use secure devices
- Report incidents promptly
- Follow organisational policies
20. Continuous Improvement
- Monitoring effectiveness of controls
- Adapting to threats
- Updating policy and procedures
- Lessons-learned integration
Annex A – Definitions
CIA Triad: Confidentiality, Integrity, Availability.
PII/Personal Data: Information relating to an identifiable individual.
RBAC: Role-Based Access Control.
RPO/RTO: Recovery Point/Time Objectives.
Subprocessor: Third-party processor handling Customer Data.
Version Control, Review & Governance
© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.ai / Cushi.app.
Part of the Strategic Global Holdings Pty Ltd Group (ACN 693 256 503). All rights reserved.
Privacy: privacy@cushi.ai | Security: security@cushi.ai | Support: support@cushi.ai