Security & Privacy

How ShiftScript protects your data

Factual disclosure of our architecture, data handling practices, and alignment with New Zealand information security standards. No marketing language.

  • NZISM v3.9 (November 2025)
  • ISO 27001 aligned Cloudflare infrastructure
  • NZ-routed by default

Contents
  1. Infrastructure & Architecture
  2. Data Handling & Storage
  3. Access Controls & Authentication
  4. Encryption
  5. Audit & Logging
  6. NZISM v3.9 Alignment
  7. Risk Appetite Statement
  8. Privacy & Data Rights
  9. Incident Response
  10. Contact

1. Infrastructure & Architecture

ShiftScript is built entirely on Cloudflare's global edge network. There are no owned or leased servers. All compute, storage, and routing is managed by Cloudflare.

  • Compute: Cloudflare Workers (serverless, runs at the network edge)
  • Storage: Cloudflare R2 (documents), KV (session/config data)
  • Database: Cloudflare KV for workspace and user records
  • DNS & Routing: Cloudflare Proxy — all traffic passes through Cloudflare's DDoS protection and WAF before reaching any application logic
  • Email: Cloudflare Email Routing → Resend API for transactional email
  • Payments: Stripe — no payment card data touches ShiftScript systems

Data residency: Cloudflare routes requests to the nearest point of presence. R2 storage is configured without a specific geographic restriction, but Cloudflare's infrastructure includes NZ-region routing. ShiftScript does not intentionally replicate customer data offshore.

2. Data Handling & Storage

What we store:

  • Organisation name and workspace configuration
  • User handles, bcrypt-hashed passwords, email addresses
  • Documents uploaded by administrators (policies, SOPs, procedures) — stored in R2
  • Query logs: handle, timestamp, question asked, workspace ID — no document content is stored in logs
  • Session tokens (expiry-bound, stored in KV)

What we do not store:

  • Payment card data (handled exclusively by Stripe)
  • Staff member personal details beyond email address
  • AI model outputs (not retained beyond the active session)
  • Your documents as AI training data: documents are retrieval-only, per-query, and are never used to train AI models

Data deletion: Administrators can delete documents and workspaces at any time. Deletion removes the object from R2 immediately. KV records are purged within 24 hours of workspace deletion.

3. Access Controls & Authentication

NZISM 16.1, 16.7

  • Password hashing (Implemented; NZISM 16.1 — Authentication controls): All passwords are hashed using bcrypt before storage. Plain-text passwords are never stored or logged.
  • Session management (Implemented; NZISM 16.7 — Session controls): Session tokens are time-bounded, stored server-side in Cloudflare KV, and invalidated on logout. Tokens are transmitted via HTTP-only cookies.
  • Role-based access (Implemented; NZISM 16.1 — Least privilege): Workspaces use role-based access control. Admin users can manage documents and members. Standard users can query only. No cross-workspace data access is possible by design.
  • Rate limiting (Implemented; NZISM 16.1 — Brute force protection): Login attempts are rate-limited to 10 per 5-minute window per IP address. Chat queries are rate-limited to 10 per minute per IP.
  • Admin portal protection (Implemented; NZISM 16.7): The admin interface is served with Cache-Control: no-store, X-Frame-Options: DENY, and Strict-Transport-Security headers. API endpoints require valid session cookies for all admin operations.
  • Multi-factor authentication (Planned; NZISM 16.1 — MFA for privileged access): MFA for admin accounts is on the development roadmap. Currently mitigated by strong password requirements and session rate limiting.

4. Encryption

  • Encryption in transit (Implemented): All traffic is encrypted via TLS 1.2+ enforced by Cloudflare. HTTP is not served — all requests redirect to HTTPS. HSTS headers are set.
  • Encryption at rest (Implemented): Cloudflare R2 encrypts all stored objects at rest using AES-256. KV data is encrypted at rest on Cloudflare's infrastructure.
  • API security (Implemented): All external API calls (AIML API, Stripe, Resend) are made server-side from Workers using secrets stored in Cloudflare's encrypted secrets store. API keys are never exposed to the client.

5. Audit & Logging

NZISM 5.3.1

Every query made through ShiftScript is logged with the following data points:

  • Workspace ID
  • User handle (anonymised identifier, not personal name)
  • Timestamp (UTC)
  • Query text
  • Document sources retrieved
  • Response model used

Logs are accessible to workspace administrators via the admin portal. They can be exported and presented to regulatory auditors (HealthCERT, ERO, WorkSafe, Privacy Commissioner) as evidence of staff compliance activity.

Logs are retained for a minimum of 90 days. Administrators can request extended retention.
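As an added example (not ShiftScript's code), the JavaScript below shows the log record described in this section being built, checked and exported: retrieved documents are recorded by reference only so that no document content reaches the log, a validation step rejects any record carrying fields beyond the six listed, a retention pass drops records older than 90 days (or a longer period an administrator has requested), and exports are scoped to a single workspace. The field names, the in-memory array and the sample events are constructed assumptions.

```javascript
// Added example, not ShiftScript's code: building, validating, retaining and
// exporting the per-query audit records listed in section 5. Field names,
// the in-memory array and the sample events are assumptions.

const RETENTION_DAYS = 90; // minimum retention stated on the page
const LOG_FIELDS = ['workspaceId', 'user', 'timestamp', 'query', 'sources', 'model'];

// Build one record from a query event. Retrieved documents are kept by
// reference only (id and title); any `content` the retriever returned is
// dropped here, so document text never reaches the log.
function buildLogEntry({ workspaceId, handle, query, sources, model, nowMs }) {
  return {
    workspaceId,
    user: handle,                              // anonymised handle, not a name
    timestamp: new Date(nowMs).toISOString(),  // UTC
    query,
    sources: sources.map(({ id, title }) => ({ id, title })),
    model,
  };
}

// Guard before writing: exactly the six documented fields, and no source may
// carry document text. Returns the list of problems (empty means valid).
function validateLogEntry(entry) {
  const problems = [];
  for (const key of Object.keys(entry)) {
    if (!LOG_FIELDS.includes(key)) problems.push(`unexpected field: ${key}`);
  }
  for (const field of LOG_FIELDS) {
    if (!(field in entry)) problems.push(`missing field: ${field}`);
  }
  for (const source of entry.sources || []) {
    if ('content' in source || 'text' in source) problems.push(`document text in source ${source.id}`);
  }
  return problems;
}

// Retention: keep entries no older than the retention period. An
// administrator's extended retention would pass a larger retentionDays.
function purgeExpired(entries, nowMs, retentionDays = RETENTION_DAYS) {
  const cutoff = nowMs - retentionDays * 86400000;
  return entries.filter(e => Date.parse(e.timestamp) >= cutoff);
}

// Export for auditors, scoped to one workspace so an export can never carry
// another workspace's activity. One JSON object per line.
function exportWorkspaceLog(entries, workspaceId) {
  return entries
    .filter(e => e.workspaceId === workspaceId)
    .map(e => JSON.stringify(e))
    .join('\n');
}

// Constructed sample events (not real data); model name is a placeholder.
const NOW = Date.UTC(2026, 4, 1);
const SAMPLE_EVENTS = [
  { workspaceId: 'ws-a', handle: 'u-1f3a', query: 'What is the hand hygiene procedure?',
    sources: [{ id: 'doc-17', title: 'Infection Control SOP', content: 'FULL DOCUMENT TEXT' }],
    model: 'model-placeholder', nowMs: NOW - 10 * 86400000 },
  { workspaceId: 'ws-a', handle: 'u-9c02', query: 'Who signs off incident reports?',
    sources: [{ id: 'doc-03', title: 'Incident Policy', content: 'FULL DOCUMENT TEXT' }],
    model: 'model-placeholder', nowMs: NOW - 100 * 86400000 },
  { workspaceId: 'ws-b', handle: 'u-77d1', query: 'Where is the evacuation assembly point?',
    sources: [], model: 'model-placeholder', nowMs: NOW - 1 * 86400000 },
];

// The pipeline as a Worker might run it: build, validate, retain, export.
function runSample() {
  const entries = SAMPLE_EVENTS.map(buildLogEntry).filter(e => validateLogEntry(e).length === 0);
  const retained = purgeExpired(entries, NOW);
  return { built: entries.length, retained: retained.length, exportA: exportWorkspaceLog(retained, 'ws-a') };
}
```

The validation step is what turns the "no document content is stored in logs" statement into something a deploy check can enforce: a retriever change that starts returning text under a new key would fail `validateLogEntry` rather than silently widening what the log holds.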

6. NZISM v3.9 Alignment (November 2025)

NZISM v3.9

ShiftScript is designed for use by NZ government agencies, Crown entities, local government, and regulated private sector organisations. The following table maps platform controls to relevant NZISM v3.9 sections.

NZISM Section | Requirement | Status
5.3.1 | Security risk identification and treatment | Implemented
7.1 | Incident detection and reporting | Implemented
16.1 | Authentication — passwords, rate limiting, least privilege | Implemented
16.1 (MFA) | Phishing-resistant MFA for privileged access | Planned
16.7 | Session controls and audit logging | Implemented
11.1 | Encryption in transit (TLS 1.2+) | Implemented
18.2 | WPA3 / secure network communications | N/A (cloud-hosted)

This mapping reflects the November 2025 release of NZISM v3.9. ShiftScript is a private sector SaaS platform — NZISM compliance is voluntary but maintained as a baseline for government-sector customers.

7. Risk Appetite Statement

NZISM 5.3.6.R.01

Formal Risk Appetite — ShiftScript Platform

ShiftScript accepts low residual risk for confidentiality and integrity of customer data, managed through Cloudflare's enterprise-grade infrastructure, encryption at rest and in transit, and strict access controls.

ShiftScript accepts zero risk of storing payment card data — this is fully delegated to Stripe's PCI-DSS-compliant systems.

ShiftScript accepts zero risk of using customer documents for AI model training — documents are retrieved per-query and not persisted in AI model context between sessions.

ShiftScript accepts medium residual risk on MFA for admin accounts, currently mitigated by rate limiting and strong session management, pending full MFA implementation.

Risk appetite is reviewed annually or following any material change to the platform architecture. The designated Risk Owner is the platform operator (Cam Lock, ShiftScript). This statement satisfies the requirements of NZISM 5.3.6.R.01.

8. Privacy & Data Rights

ShiftScript collects and processes personal information in accordance with the Privacy Act 2020 (NZ).

  • Right of access: Users can request a copy of their personal data by emailing cam@shiftscript.nz
  • Right to correction: Personal data can be corrected via account settings or by request
  • Right to deletion: Account deletion removes all personal data and workspace documents within 24 hours
  • Data portability: Workspace administrators can export query logs and document lists from the admin portal

Third-party processors:

  • Cloudflare — infrastructure, compute, storage (Cloudflare Privacy Policy)
  • Stripe — payment processing (Stripe Privacy Policy)
  • Resend — transactional email delivery (Resend Privacy Policy)
  • AIML API / underlying AI providers — query inference only, no training use

9. Incident Response

NZISM 7.1

In the event of a security incident affecting customer data:

  • Affected workspace administrators will be notified within 72 hours of discovery
  • If the incident constitutes a notifiable privacy breach under the Privacy Act 2020, the Privacy Commissioner will be notified as required
  • A post-incident report will be provided to affected organisations on request

To report a suspected vulnerability or security concern: cam@shiftscript.nz

10. Contact

Risk Owner & Platform Operator: Cam Lock, ShiftScript

Security enquiries: cam@shiftscript.nz

Privacy Officer: Same contact as above

This policy was last reviewed May 2026. It will be reviewed annually or following material changes to the platform.