The following is a list of policy addendum and references.

Controls and Procedures¶

Policies¶

This section contains our company policies and legal documents.

Policy Documents¶

• Privacy Policy - How we collect, use, and protect personal information
• Cookie Policy - Information about cookies used on our website
• Terms of Trade - Terms and conditions for our services
• Support Service Level Agreement (SLA) - Service level agreement for customer support

Overview¶

These policies outline our commitment to transparency, privacy protection, and clear communication with our clients and users. Each policy is regularly reviewed and updated to ensure compliance with applicable laws and regulations.

Privacy Policy¶

2025.1

Our Commitment to Privacy¶

The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust trading as Niche Studio ABN 24 177 491 674, its subsidiaries and affiliates are committed to managing personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth) (Privacy Act).

This document sets out our policies for managing your personal information and is referred to as our Privacy Policy.

In this Privacy Policy, “we” and “us” refers to Niche Studio and “you” refers to any individual about whom we collect personal information.

What information do we collect about you?¶

We obtain personal information about you when you visit our website, engage our services, or contact us.

Information you provide directly:

• Basic information such as your name, date of birth, phone number, postal address and email address
• Business information including company name, position, and business requirements
• Project-specific information including content, materials, and technical requirements
• Payment information including bank account details (where you pay for any products or services by electronic transfer or direct debit). Credit card payments are processed by Stripe/PayPal; we do not collect or store card numbers

Information we collect automatically:

• Website usage data through cookies and analytics tools
• Technical information including IP address, browser type, device information
• Server logs and security monitoring data

Information from third parties:

• Information from hosting providers and service partners
• Information from client project environments (where we provide hosting or development services)

If you elect to pay using a third-party platform such as PayPal or Stripe, your purchase will be processed externally by that third party and you should refer to their privacy policies to understand what information they collect and how they treat your personal information.

How do we collect your personal information?¶

Direct interactions: We collect information from you in a variety of ways, including when you:

• Interact with us electronically or in person
• Access our website or client portals
• Use contact forms or communicate with us
• Engage our web development and hosting services
• Provide content or materials for client projects

Automated technologies: We use cookies, web analytics tools (including Google Analytics) and similar tracking technologies to:

• Track activity on our website and client systems
• Monitor security and performance
• Provide better user experiences
• Conduct security monitoring and threat detection

To find out how Google Analytics processes your data please refer to their privacy policy here: www.google.com/policies/privacy/partners/.

You can use the settings in your browser to control how your browser deals with cookies. However, in doing so, you may be unable to access certain pages or content on our website.

Why do we collect and use your personal information?¶

We collect personal information as reasonably necessary to carry out our business, which may include (but is not limited to):

• delivery of our products and services;
• contacting and communicating with you including responding to queries, complaints and feedback from you;
• providing after-sale customer service;
• to ensure the proper functioning of our website, our business and operations;
• to assist us with marketing, product and service development and research requirements;
• to manage our employment or business relationship with you; or
• advertising and marketing our products and services.

Who do we disclose your personal information to?¶

• We may disclose personal information to third parties who we engage in order to help run our business or as necessary to provide the service or product that you have requested.
• We may from time to time need to disclose personal information where we believe it is necessary to comply with a legal requirement or law.
• If there is a change of control in our business (for example a sale of the business) your personal information could be disclosed to a potential purchaser under a confidentiality agreement.
• We may share your personal information with related and affiliated companies located in Australia and overseas.
• We may use and disclose your personal information for other purposes explained at the time of collection with your consent.

Do we use or disclose your personal information for direct marketing?¶

When you provide us with your contact details, you give your consent to us using your personal information to provide you with information about our services and things which we consider may be of interest to you, including by post, email, SMS, messaging applications and telephone (Direct Marketing Communications).

If at any time you do not wish to receive any further Direct Marketing Communications you may do this at any time by using the “unsubscribe” facility included in the Direct Marketing Communication or by contacting us at the details set out at the end of this document.

If you opt-out of receiving our Direct Marketing Communications, we may still contact you in relation to our ongoing relationship with you.

Do we disclose your personal information overseas?¶

Any personal information collected and held by us may be disclosed to, and held at, a destination outside Australia.

By submitting your personal information to us, you expressly consent to the disclosure, transfer, storing or processing of your personal information outside of Australia. In providing this consent, you understand and acknowledge that countries outside of Australia do not always have the same privacy protection obligations as Australia in relation to personal information.

You consent to us providing your personal information to recipients outside of Australia even though that recipient is not bound by the Privacy Act, will not be accountable to you or to us for breaches of the Privacy Act and you will not have the redress options available to you under the Privacy Act.

If you do not agree to the transfer of your personal information outside of Australia, please either do not provide us with your personal information or contact us via the details set out at the end of this document.

Can you deal with us anonymously?¶

Providing us with your personal information is optional and you may be able to remain anonymous or use a pseudonym when interacting with us. However, it may not always be possible for this to occur especially if we are providing you with products or services. We will inform you if you are unable to remain anonymous or use a pseudonym when dealing with us.

How do we hold your information?¶

We maintain comprehensive security measures to protect your personal information:

Technical Safeguards:

• Encryption of data at rest and in transit
• Secure server configurations and regular updates
• Network security controls and monitoring
• Access controls and authentication

Physical Safeguards:

• Secure data centers with physical access controls
• Australian data sovereignty where required
• Secure disposal of physical materials

Administrative Safeguards:

• Staff training on privacy and security
• Regular security assessments and audits
• Incident response procedures
• Data retention and disposal policies

To the extent permitted by law, we take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for its purpose of collection.

Data Breach Notification¶

In the event of a data breach that is likely to result in serious harm, we will:

• Assess within 30 days and notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
• Take immediate steps to contain and remediate the breach
• Follow our comprehensive incident response procedures

Links¶

The website may contain links to third-party websites. We do not have any control over and are not responsible for the content or privacy practices of websites that are linked to our website. You access and use any linked website at your own risk. You should read the privacy policies on any linked website and only access and use the linked websites if you agree to the terms of those privacy policies.

How can you access or seek correction of your personal information?¶

Please let us know if there are any errors in your personal information and keep us up-to-date with changes to your personal information (such as your name or address).

You can request access to any personal information relating to you which we hold. You can also request that we correct information if it is inaccurate or incomplete.

Please contact us via the details set out at the end of this document if you wish to access or correct any personal information we have about you.

What if you have a complaint?¶

You may contact us at any time if you have any questions or concerns about this Privacy Policy or about the way in which your personal information has been handled using the contact details at the end of this document.

If you are not satisfied with our response to your complaint, you may contact the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.

How are changes made to this Privacy Policy?¶

We will review this policy regularly and we may update it from time to time. We recommend that you visit our website regularly to keep up to date with any changes.

How can you contact us?¶

Our contact details are:

Privacy Officer: Mikael Wedemeyer
Address: 258 Tingal Rd, Wynnum, Qld, 4178, Australia
Email: mikael@team.nichestud.io
Phone: (07) 3123 0214

For more information about our security practices, please visit our Security Policy.

Cookie policy¶

Updated:

We at Niche Studio (The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust and our subsidiaries and affiliates) are committed to protecting your privacy. We and our partners use cookies and similar technologies on our services, including our websites and mobile applications (the “Services”). This Cookie Policy explains these technologies, why we use them, and the choices you have.

By visiting or using our Services, you are consenting to us gathering and processing information (as defined in our Privacy Policy) about you in accordance with this Cookie Policy.

Technologies we use¶

Like many Internet-enabled services, we use technologies that place small files/code on your device or browser for the purposes identified in our Privacy Policy, primarily to remember things about you so that we can provide you with a better experience.

Cookies. A cookie is a small data file stored on your browser or device. They may be served by the entity that operates the website you are visiting (“first-party cookies”) or by other companies (“third-party cookies”).

• For example, we partner with third-party analytics providers, like Google, which set cookies when you visit our websites. This helps us understand how you are using our Services so that we can improve them.

Pixels (Clear Gifs/Web Beacons/Web Bugs/Embedded Pixels). These are small images on a web page or in an email. They collect information about your browser or device and can set cookies.

Local Storage. Local storage allows data to be stored locally on your browser or device and includes HTML5 local storage and browser cache.

Software development kits (“SDKs”). SDKs are blocks of code provided by our partners that may be installed in our mobile applications. SDKs help us understand how you interact with our mobile applications and collect certain information about the device and network you use to access the application.

Our use of these technologies¶

Below are the ways that we and our partners use these technologies on our Services.

Your choices¶

You have a number of options to control or limit how we and our partners use cookies and similar technologies, including for advertising. Please note that Niche Studio websites and our Services do not respond to Do Not Track signals because we do not track our users over time and across third-party websites to provide targeted advertising. However, we believe that you should have a choice regarding interest-based ads served by our partners, which is why we outline the options available to you here below.

You can set your device or browser to accept or reject most cookies, or to notify you in most situations that a cookie is offered so that you can decide whether to accept it. However, if you block cookies, certain features on our Services may not function. Additionally, even if you block or delete Cookies, not all tracking will necessarily stop.

• To prevent your data from being used by Google Analytics, you can install Google’s opt-out browser add-on.
• For information on how our advertising partners allow you to opt out of receiving ads based on your web browsing history, please visit http://optout.aboutads.info/.
• To opt out of ads on Facebook, Pinterest, Google or other sites that are targeted to your interests, use your Facebook, Pinterest, Google Ads, or the other site settings.
• Check your mobile device for settings that control ads based on your interactions with the applications on your device. For example, on your iOS device, enable the “Limit Ad Tracking” setting, and on your Android device, enable the “Opt out of Ads Personalization” setting.

As an additional step, these advertising companies may participate in one of the following advertising industry self-regulatory programs for online behavioral advertising, with corresponding user opt-outs:

• Networking Advertising Initiative (http://www.networkadvertising.org/choices/) (US Only)
• Digital Advertising Alliance (http://www.aboutads.info/choices/) (US Only)
• European Interactive Digital Advertising Alliance (http://www.youronlinechoices.eu/) (EU Only)
• Digital Advertising Alliance - Canada (http://youradchoices.ca/choices) (Canada Only)
• DAA App Choices Mobile App (Mobile Devices Only) - For mobile devices (e.g., smartphone, tablets), you may consider downloading the DAA AppChoices Mobile App to manage such technology.

Contact us¶

If you have questions about our use of cookies and similar technologies, please contact us at niche@team.nichestud.io.

Privacy Officer
The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust
258 Tingal Rd, Wynnum, Qld, 4178, Australia

Terms of Trade¶

2025.1

These Terms and Conditions (“Terms”) apply to, and are incorporated in, any quote, proposal or scope of works (“Scope of Works”) provided to you by The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust trading as Niche Studio ABN 24 177 491 674 (“We” or “us”).

If you ask us to perform work for you after receiving these Terms, you are agreeing to these Terms. If you do not agree with the Terms, please advise us before we start work to discuss and agree on any requested variations.

These Terms take effect from the date that you instruct us to proceed with the works set out in the Proposal (“Project”) and will finish on the date that the Project is complete (“Term”), unless cancelled or terminated in accordance with these Terms.

1. Scope of Works¶

• The Scope of Works has been prepared following initial discussions with you and based on:
• the inclusions and exclusions as listed in the Scope of Work; and
• the number of hours and feedback rounds that we have estimated in the Scope of Work.
• If you change your mind, vary the scope, add extra content, require further feedback rounds or the underlying assumptions used by us to form the fee estimate change, this will be treated as additional works and extra charges will apply.
• Additional works are governed by these Terms and will be charged on the basis of the hourly rates set out in the Scope of Works unless otherwise agreed. All changes to the scope and the fees will be agreed in writing prior to commencement.
• We will carry out the works with reasonable care and skill according to the standards customary in the industry.
• Any estimate of fees provided to you in the Scope of Work is valid for 30 days unless otherwise extended by us.

2. Fees¶

• If noted in the Scope of Works, a deposit may be required to confirm the timing of the commencement of our services.
• All fees for services must be paid within 7 days of the date of the invoice unless otherwise agreed.
• We are entitled to prompt reimbursement for all pre-approved expenses or expenses noted within the Scope of Works within 7 days of notification, including by provision of a tax invoice or receipt.
• You agree that we may stop providing you with our services and withhold all files, artwork, and content if you do not pay an invoice by the due date unless otherwise agreed.
• We may charge interest on all overdue amounts calculated daily from the due date for payment at the rate of 10% per annum unless otherwise agreed. We may also charge you for any costs that we incur in the event that the collection of unpaid monies is referred to a third-party collection agency or lawyer.
• We may allocate payments received to any outstanding invoice at our discretion.
• All fees are exclusive of GST unless otherwise agreed.

3. Your Responsibilities¶

You agree that:

• You will provide any written approvals and instructions in a timely manner.
• You will provide any information that we need to complete the project including draft text, content, and other information in the format that we ask for.
• Where you provide us with any content or materials for inclusion in the works, that those materials are: true, accurate, complete, not misleading, can be substantiated, do not breach any third-party rights, and comply with all laws and regulations.
• You are responsible for reviewing and approving work before each stage progresses. We are not liable for errors or omissions once work is approved/used.
• Risk for any physical or digital goods (including print materials, digital assets, and software) transfers to you upon delivery. You are responsible for insuring these items if necessary.

4. Delays or Disruption¶

• We will use our reasonable endeavours to complete the works within a reasonable timeframe or, if agreed, by a specified date.
• However, from time to time delays may occur including due to factors outside of our control. To the extent allowed by law, we will have no liability for delays in the completion of any of the works.
• If you delay the commencement of the work or the achievement of any agreed milestones by two weeks or more (for example by not providing instructions, information or materials), we may need to stop working on your Project or to reschedule it.

5. Cancellation and Changes¶

• If our Scope of Work specifies that there is a minimum term then you cannot cancel our services within that period. If you do cancel for change of mind within the minimum term then a cancellation fee may apply as set out in the Scope of Work. Once the minimum term is complete then you must provide us with at least 30 days notice to terminate our services.
• You may terminate the agreement formed by these Terms by providing us with 30 days notice. You must pay any amount owing to us, including any fees and expense incurred or committed, up to and including the date of termination.
• Either party may terminate the agreement formed by these Terms by notice in writing to the other party if:
• the other party commits a material breach of these Terms that is capable of remedy (including failure to pay any amount due under this agreement) and fails to remedy that breach within 14 days after receiving notice from the other party to do so;
• the other party commits a material breach of these terms that is not capable of remedy;
• the other party becomes insolvent bankrupt or enters into liquidation; or
• by mutual agreement.
• If we give you a termination notice under the dot point above, all sums then outstanding will become immediately due and payable to us and we may, in addition to terminating the agreement under these Terms:
• revoke any licence previously granted in respect of any works for which payment has not been made in full;
• retain any monies paid by you, and charge you for work performed and expenses incurred or committed for which we have not previously rendered an invoice;
• be regarded as discharged from any further obligations under these Terms; and
• pursue any alternative remedies provided by law.

6. Background Content¶

• You guarantee to us that any text, graphics, photos, designs, trademarks or other artwork (Content) that you provide us as part of the Project are either owned by you or that you have permission to use them. You remain the owner or licensee of your Content. You grant to us a non-exclusive, fee free, limited licence to use the Content for the purposes of providing the services under these Terms.
• Nothing in these Terms affects the ownership of any Content which is owned by us or which we have permission to use. We remain the owner or authorised user of our Content.

7. Intellectual Property¶

• Upon payment in full of all amounts owing to us under this Agreement, we grant you a non-exclusive license to use, reproduce, and display the final works created under this Agreement in accordance with any limitations on usage as outlined in the Scope of Works.
• Any additional uses will require separate pricing. All other rights, including copyright, are reserved by us.
• You may alter, adapt, change, edit, cut, take from, add to, or carry out any other activity in relation to the final works, where such activities would otherwise infringe the moral rights of the author of the works, but only to the extent necessary to give effect to the licence.
• We reserve the right to withhold access to work or files until all outstanding invoices are paid.

8. Sub-Contractors¶

You acknowledge and agree that we may engage sub-contractors to perform work.

9. Security and Data Protection¶

Our Security Measures:

• We maintain comprehensive security policies and procedures
• All data is encrypted in transit and at rest where technically feasible
• We use secure hosting providers with Australian data sovereignty where required
• Regular security updates and monitoring are implemented
• Access controls and authentication are enforced

Your Security Responsibilities:

• You are responsible for maintaining the security of any login credentials we provide
• You must notify us immediately of any suspected security breaches
• You must comply with any security requirements we specify for your project
• You are responsible for the security of any third-party integrations you request

Data Breach Notification:

• In the event of a data breach, we will notify you as soon as practicable
• We will comply with Australian Notifiable Data Breaches (NDB) scheme requirements
• We will take immediate steps to contain and remediate any security incidents

10. Complaints¶

If our work does not meet your expectations, you should tell us in writing within 14 days of the issue arising. We will respond to any complaint promptly to attempt to resolve the complaint.

If we cannot agree on a resolution, we agree to attend a mediation conducted by an independent mediator we each agree to appoint, or, if we can’t agree on a mediator, you will select one from a list of three mediators proposed by us.

You agree to first try to resolve any complaints through this process, and to give us time to respond to your complaint before taking any other steps, except in cases of genuine urgency.

11. Liability¶

Certain laws such as the Australian Consumer Law contain warranties that protect the purchasers of goods and services in certain circumstances (“non excludable consumer warranties”). Nothing in these terms alters any protection available to you under the Australian Consumer Law.

Our liability to you under or in connection with these Terms, or a breach of any non-excludable consumer warranties is limited, at our option, to resupplying the goods or re-performing the services or the cost of resupplying the goods or performing the affected part of the services again. Where the Australian Consumer Law applies and there is a major failure in the goods or services, we will provide you with another remedy as required by the Australian Consumer Law. To the extent permitted by law, we will not be responsible for any consequential or indirect loss suffered by you in connection with the receipt of the goods or services.

12. Confidentiality¶

We each must take all reasonable steps to ensure that we do not, disclose or use the confidential information of the other party, other than for the purpose for which it was disclosed. This does not apply if one of us is required to comply with any law or regulation or with the other party’s prior written consent.

13. Force Majeure¶

A party will not be liable for any failure of or delay in the performance of its obligations under these Terms (other than the obligation to make payments for services performed) for the period that such failure or delay is: beyond the reasonable control of a party; materially affects the performance of any of its obligations under these Terms; and could not reasonably have been foreseen or provided against.

14. Other¶

This Agreement is intended as a contract for the provision of services. Nothing in this Agreement creates a partnership, joint venture, relationship of employment, agency, or similar relationship between us. This Agreement is the entire agreement between us and supersedes any other agreements, whether or not in writing. This Agreement can’t be varied except when we both agree in writing to do so.

These Terms are governed by the laws of Queensland and any dispute will be heard in the courts of that place.

Contact Information¶

Niche Studio
Address: 258 Tingal Rd, Wynnum, Qld, 4178, Australia
Phone: (07) 3123 0214
Email: niche@team.nichestud.io

For more information about our security practices, please visit our Security Policy.

Support Service Level Agreement (SLA)¶

2025.1

Guaranteed response times and proactive support for retainer and time block clients.

How to get support¶

Submit issues through these channels for SLA to apply. For urgent issues also call/SMS to avoid delays.

Issue priority & response times¶

We triage requests by severity to fix the most urgent problems first.

Response commitment¶

• Business hours – 9 AM – 5 PM AEST, Mon–Fri (excluding public holidays).
• Response = action – We acknowledge, assign resources, and start investigating.
• After-hours support – May be charged at double time or deferred to business hours.
• Guarantee – If we miss a response deadline, you get 2 free support hours.

Contact Information¶

Niche Studio
Address: 258 Tingal Rd, Wynnum, Qld, 4178, Australia
Phone: (07) 3123 0214
Email: niche@team.nichestud.io

For more information about our security practices, please visit our Security Policy.

Templates¶

This section contains templates and reference documents used throughout our organization.

Employee Resources¶

• Employee Handbook - Comprehensive guide for all employees
• Key Definitions - Glossary of security and compliance terms

Approved Resources¶

• Approved Software - List of approved software and tools
• Approved Vendors - List of approved vendors and service providers

Legal Templates¶

• HIPAA Business Associate Agreement - Template for HIPAA business associate agreements
• GDPR Data Processing Agreement - Template for GDPR data processing agreements
• Vendor Security Response Template - Template for vendor security questionnaires

Overview¶

These templates and reference documents provide standardized approaches to common business processes, ensuring consistency and compliance across all operations.

Employee Handbook and Policy Quick Reference¶

2025.1

This is an abridged version of Niche Studio’s security policy that all workforce members are required to be familiar with and comply with.

You are assumed to have read and fully understood the corporate security and privacy policies, standards, guidelines, controls and procedures even if you haven’t. So, it’s probably best you still go through the whole thing at some point.

• You are required to follow detailed procedures defined in certain policies related to your job role.

Security is everyone’s responsibility. If this is not your first job, don’t do anything that might get you in trouble at your previous workplace. When in doubt, stop and ask.

4:

Training¶

You will be prompted as part of onboarding, and periodically going forward, to complete the following security training:

• General security policy and procedures training, including

  • Roles, Responsibilities and Training
  • HR and Personnel Security
  • Data Classification and Handling

• Ongoing security awareness training (a monthly series, currently provided by Cyber Wardens)

• Role-based security training

  • all members of the Development/Engineering team must carefully review the following policies and procedures

    • Product Security and Secure Software Development
    • Data Management
    • Data Protection
    • Configuration and Change Management

  • all members of the Administrative, Marketing and Procurement teams must review the following policies and procedures

    • Third Party Security, Vendor Risk Management and Systems/Services Acquisition

  • all members of the Administrative and Senior Leadership/Executive teams must review the following policies and procedures

    • Business Continuity and Disaster Recovery
    • Compliance Audits and External Communications
    • Risk Management

  • all members of the HR and Facilities teams must review the following policies and procedures

    • HR and Personnel Security
    • Facility Access and Physical Security

  • all team members responsible for Product Management and Business Development must review the following policies and procedures

    • Privacy and Consent

  • all members of the Security, Compliance and IT teams must review all policies and procedures in its entirety

Acceptable use policy for end-user computing¶

Niche Studio policy requires that:

(a) Per Niche Studio security architecture, all workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

(b) Use of Niche Studio computing systems is subject to monitoring by Niche Studio IT and/or Security team.

(c) Employees may not leave computing devices (including laptops and smart devices) used for business purpose, including company-provided and BYOD devices, unattended in public.

(d) Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

(e) Use only legal, approved software with a valid license. Do not use personal software for business purposes and vice versa.

(f) Encrypt all email messages containing sensitive or confidential data.

(g) Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

(h) Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that are commonly affected by malware, including workstations, laptops and servers.

(i) All data storage devices and media must be managed according to the Niche Studio Data Classification specifications and Data Handling procedures.

(j) Mobile devices are not allowed to connect directly to Niche Studio production environments.

Your responsibilities for computing devices¶

Niche Studio provides company-issued laptops and workstations to all employees. Niche Studio currently does not require or support employees bringing their own computing devices.

The laptops and/or workstations assigned to you are yours to configure and manage according to company security policy and standards. You are responsible to

• configure the system to meeting the configuration and management requirements, including password policy, screen protection timeout, host firewall, etc.;

• ensure the required anti-malware protection and security monitoring agent is installed and running; and

• install the latest security patches timely or enable auto-update.

IT and Security provides automated scripts for end-user system configurations and/or technical assistance as needed.

You are also responsible for maintaining a backup copy of the business files local on your laptop/workstation to the appropriate location on Niche Studio file sharing / team site (e.g. Google Drive, Notion). Examples of business files include, but are not limited to:

• Documents (e.g. product specs, business plans)
• Presentations
• Reports and spreadsheets
• Design files/images/diagrams
• Meeting notes/recordings
• Important records (e.g. approval notes)

Unless the local workstation/device has access to Critical data, backups of user workstations/devices are self managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as iCloud if and only if the data is both encrypted and password protected (passwords must meet Niche Studio requirements).

Getting help¶

Support for most of our business applications are self-service, such as password reset via Google Workspace.

If needed, users may use our internal service desk to request IT and Security support. Common requests include:

• Password reset and access requests
• Request new software and hardware
• Technical support
• Recommend changes to policies and processes

How to report an incident or suspicious activity¶

You are responsible to report all suspicious activities and security-related incidents immediately to the Information Security team, by one of the following channels:

• (preferred) “Report a security incident” by creating an issue on Notion and/or via the internal help desk

• If access to JIRA is not available, employees may send an email to niche@team.nichestud.io

• For non-sensitive, non-confidential security issues and concerns, employees may post questions on Niche Studio’s #developers Slack channel.

• Additionally, employees may report the incident to their direct manager.

• To report a concern under the Whistleblower Policy, you may first discuss the concerns with your immediate manager, or report it directly to the CEO or COO. See the Whistleblower Policy section in the HR Security Policy for additional details.

Key Definitions¶

2025.1

• Application: An application hosted by Niche Studio, either maintained and created by Niche Studio, or maintained and created by a Customer or Partner.

• Application Level: Controls and security associated with an Application. In the case of PaaS Customers, Niche Studio does not have access to and cannot assure compliance with security standards and policies at the Application Level.

• Audit: Internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a patient complaint, or suspicion of employee wrongdoing.

• Audit Controls: Technical mechanisms that track and record computer/system activities.

• Audit Logs: Encrypted records of activity maintained by the system which provide: 1) date and time of activity; 2) origin of activity (app); 3) identification of user doing activity; and 4) data accessed as part of activity.

• Access: Means the ability or the means necessary to read, write, modify, or communicate data/ information or otherwise use any system resource.

• BaaS: Backend-as-a-Service. A set of APIs, and associated SDKs, for rapid mobile and web application development. APIs offer the ability to create users, do authentication, store data, and store files.

• Backup: The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed from the previous backup.

• Backup Service: A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all Niche Studio Add-ons and as an option for PaaS Customers.

• Breach: A data breach is the intentional or unintentional release of secure or sensitive information to an untrusted environment or individual. A data breach often involves an incident where information is stolen or taken from a system without the knowledge or authorisation of the system’s owner.

• De-identification: The process of removing identifiable information so that data is rendered to not be personally identifiable .

• Disaster Recovery: The ability to recover a system and data after being made unavailable.

• Disaster Recovery Service: A disaster recovery service for disaster recovery in the case of system unavailability. This includes both the technical and the non-technical (process) required to effectively stand up an application after an outage. Offered with all Niche Studio Add-ons and as an option for PaaS Customers.

• Disclosure: Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

• Customers: Contractually bound users of Niche Studio Platform and/or services.

• Environment: The overall technical environment, including all servers, network devices, and applications.

• Event: An event is defined as an occurrence that does not constitute a serious adverse effect on Niche Studio, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:

• A hard drive malfunction that requires replacement;
• Systems become unavailable due to power outage that is non-hostile in nature, with redundancy to assure ongoing availability of data;

• Accidental lockout of an account due to incorrectly entering a password multiple times.

• Hardware (or hard drive): Any computing device able to create and store sensitive data .

• IaaS: Infrastructure-as-a-Service.

• Individually Identifiable Health Information: That information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

• Indication: A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:

• The network intrusion detection sensor alerts when a known exploit occurs against an FTP server. Intrusion detection is generally reactive, looking only for footprints of known attacks. It is important to note that many IDS “hits” are also false positives and are neither an event nor an incident;
• The antivirus software alerts when it detects that a host is infected with a worm;
• Users complain of slow access to hosts on the Internet;
• The system administrator sees a filename with unusual characteristics;
• Automated alerts of activity from log monitors like OSSEC;

• An alert from OSSEC about file system integrity issues.

• Intrusion Detection System (IDS): A software tool use to automatically detect and notify in the event of possible unauthorized network and/or system access.

• IDS Service: An Intrusion Detection Service for providing IDS notification to customers in the case of suspicious activity. Offered with all Niche Studio Add-ons and as an option for PaaS Customers.

• Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

• Logging Service: A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all Niche Studio Add-ons and as an option for PaaS Customers.

• Messaging: API-based services to deliver and receive SMS messages.

• Minimum Necessary Information: Protected health information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard applies to all protected health information in any form.

• Off-Site: For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.

• Organization: For the purposes of this policy, the term “organisation” shall mean Niche Studio.

• PaaS: Platform-as-a-Service.

• Partner: Contractual bound 3rd party vendor with integration with the Niche Studio Platform. May offer Add-on services.

• PMP or Platform: Niche Studio Precision Medicine Platform and its overall technical environment.

• Role: The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.

• Sanitization: Removal or the act of overwriting data to a point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information or returning leased equipment to the lending company.

• Trigger Event: Activities that may be indicative of a security breach that require further investigation (See Appendix).

• Restricted Area: Those areas of the building(s) where protected health information and/or sensitive organisational information is stored, utilized, or accessible at any time.

• Role: The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.

• Precursor: A sign that an Incident may occur in the future. Examples of precursors include:

• Suspicious network and host-based IDS events/attacks;
• Alerts as a result of detecting malicious code at the network and host levels;
• Alerts from file integrity checking software;

• Audit log alerts.

• Risk: The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of sensitive data, other confidential or proprietary electronic information, and other system assets.

• Risk Management Team: Individuals who are knowledgeable about the Organization’s Privacy, Security and Compliance policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures outlined below.

• Risk Assessment:

• Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place;

• Prioritizes risks; and

• Results in recommended possible actions/controls that could reduce or offset the determined risk.

• Risk Management: Within this policy, it refers to two major process components: risk assessment and risk mitigation.

• Risk Mitigation:

A process that prioritises, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organisation given its mission and available resources.

• SaaS: Software-as-a-Service.

• Security Incident (or just Incident): A security incident is an occurrence that exercises a significant adverse effect on people, process, technology, or data. Security incidents include, but are not limited to:

• A system or network breach accomplished by an internal or external entity; this breach can be inadvertent or malicious;
• Unauthorized disclosure;
• Unauthorized change or destruction of sensitive data (i.e. deletion or alterations not following Niche Studio’s procedures);
• Denial of service not attributable to identifiable physical, environmental, human or technology causes;
• Disaster or enacted threat to business continuity;
• Information Security Incident: A violation or imminent threat of violation of information security policies, acceptable use policies, or standard security practices. Examples of information security incidents may include, but are not limited to, the following:
• Denial of Service: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources;
• Malicious Code: A virus, worm, Trojan horse, or other code-based malicious entity that infects a host;
• Unauthorized Access/System Hijacking: A person gains logical or physical access without permission to a network, system, application, data, or other resource. Hijacking occurs when an attacker takes control of network devices or workstations;
• Inappropriate Usage: A person violates acceptable computing use policies;

• Other examples of observable information security incidents may include, but are not limited to:

  • Use of another person’s individual password and/or account to login to a system;
  • Failure to protect passwords and/or access codes (e.g., posting passwords on equipment);
  • Installation of unauthorized software;
  • Terminated workforce member accessing applications, systems, or network.

• Threat: The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:

• Environmental - external fires, HVAC failure/temperature inadequacy, water pipe burst, power failure/fluctuation, etc.
• Human - hackers, data entry, workforce/ex-workforce members, impersonation, insertion of malicious code, theft, viruses, SPAM, vandalism, etc.
• Natural - fires, floods, electrical storms, tornados, etc.
• Technological - server failure, software failure, ancillary equipment failure, etc. and environmental threats, such as power outages, hazardous material spills.

• Other - explosions, medical emergencies, misuse or resources, etc.

• Threat Source: Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental which can impact the organisation’s ability to protect sensitive data.

• Threat Action: The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).

• Unrestricted Area: Those areas of the building(s) where protected health information and/or sensitive organisational information is not stored or is not utilized or is not accessible there on a regular basis.

• Vendor: External individuals or organisations marketing or selling products or services, or providing services to Niche Studio.

• Vulnerability: A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.

• Workstation: An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, used to create, receive, maintain, or transmit sensitive data. Workstation devices may include, but are not limited to: laptop or desktop computers, smart phones, tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.

• Workforce: Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Approved Software¶

2025.1

Software approved for use at Niche Studio includes, but is not limited to:

• Adobe suite
• Atlassian suite
• Code editors (Atom, Emacs, Vim, VS Code, etc)
• Bitwarden/Vaultwarden
• Docker
• Node/NPM
• Google Workspace
• Postman
• Slack
• Figma
• Crisp
• Google Meet
• Tailscale

Reputable and well documented open source / free software may be used for development purposes at the discretion of the Engineering team. Wazuh agents must be active to monitor the behavior of all application processes. Native macOS security controls and Wazuh agents provide endpoint protection; no third-party EDR solutions are deployed on endpoints. Additional periodic audit may be conducted to review the usage of open source tools. Examples of such software include, but are not limited to:

• Chrome and various browser extensions
• Firefox and various browser extensions
• Homebrew
• GraphQL/GraphiQL
• Keybase
• Skitch
• Spectacle
• etc.

Software not in the list above may be installed if it is necessary for a business purpose, legal, with a valid license, and approved on a case-by-case basis by your manager or the Security Officer.

Approved Vendors¶

2025.1

For confidentiality reasons, the list of approved vendors is maintained internally at company Wiki / Notion site.

Niche Studio HIPAA Business Associate Agreement (“BAA”)¶

2025.1

Introduction¶

This document includes sample business associate agreement provisions to help covered entities and business associates more easily comply with the business associate contract requirements. This sample is created by Office for Civil Rights (OCR), available online at the HHS website.

While these sample provisions are written for the purposes of the contract between a covered entity and its business associate, the language may be adapted for purposes of the contract between a business associate and subcontractor.

This is only sample language and use of these sample provisions is not required for compliance with the HIPAA Rules. The language may be changed to more accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor. In addition, these or similar provisions may be incorporated into an agreement for the provision of services between a covered entity and business associate or business associate and subcontractor, or they may be incorporated into a separate business associate agreement. These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.

Sample Business Associate Agreement Provisions¶

Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions.

Definitions¶

Catch-all definition:

The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.

Specific definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Business Associate].

(b) Covered Entity. “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean [Insert Name of Covered Entity].

(c) HIPAA Rules. “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.

Obligations and Activities of Business Associate¶

Business Associate agrees to:

(a) Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law;

(b) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the Agreement;

(c) Report to covered entity any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware;

[The parties may wish to add additional specificity regarding the breach notification obligations of the business associate, such as a stricter timeframe for the business associate to report a potential breach to the covered entity and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the covered entity.]

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information;

(e) Make available protected health information in a designated record set to the [Choose either “covered entity” or “individual or the individual’s designee”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.524;

[The parties may wish to add additional specificity regarding how the business associate will respond to a request for access that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to provide the requested access or whether the business associate will forward the individual’s request to the covered entity to fulfill) and the timeframe for the business associate to provide the information to the covered entity.]

(f) Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526;

[The parties may wish to add additional specificity regarding how the business associate will respond to a request for amendment that the business associate receives directly from the individual (such as whether and in what time and manner a business associate is to act on the request for amendment or whether the business associate will forward the individual’s request to the covered entity) and the timeframe for the business associate to incorporate any amendments to the information in the designated record set.]

(g) Maintain and make available the information required to provide an accounting of disclosures to the [Choose either “covered entity” or “individual”] as necessary to satisfy covered entity’s obligations under 45 CFR 164.528;

[The parties may wish to add additional specificity regarding how the business associate will respond to a request for an accounting of disclosures that the business associate receives directly from the individual (such as whether and in what time and manner the business associate is to provide the accounting of disclosures to the individual or whether the business associate will forward the request to the covered entity) and the timeframe for the business associate to provide information to the covered entity.]

(h) To the extent the business associate is to carry out one or more of covered entity’s obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s); and

(i) Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

Permitted Uses and Disclosures by Business Associate¶

(a) Business associate may only use or disclose protected health information

[Option 1 – Provide a specific list of permissible purposes.]

[Option 2 – Reference an underlying service agreement, such as “as necessary to perform the services set forth in Service Agreement.”]

[In addition to other permissible purposes, the parties should specify whether the business associate is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). The parties also may wish to specify the manner in which the business associate will de-identify the information and the permitted uses and disclosures by the business associate of the de-identified information.]

(b) Business associate may use or disclose protected health information as required by law.

(c) Business associate agrees to make uses and disclosures and requests for protected health information

[Option 1] consistent with covered entity’s minimum necessary policies and procedures.

[Option 2] subject to the following minimum necessary requirements: [Include specific minimum necessary provisions that are consistent with the covered entity’s minimum necessary policies and procedures.]

(d) Business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by covered entity [if the Agreement permits the business associate to use or disclose protected health information for its own management and administration and legal responsibilities or for data aggregation services as set forth in optional provisions (e), (f), or (g) below, then add “, except for the specific uses and disclosures set forth below.”]

(e) [Optional] Business associate may use protected health information for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate.

(f) [Optional] Business associate may disclose protected health information for the proper management and administration of business associate or to carry out the legal responsibilities of the business associate, provided the disclosures are required by law, or business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(g) [Optional] Business associate may provide data aggregation services relating to the health care operations of the covered entity.

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions¶

(a) [Optional] Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information.

(b) [Optional] Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information.

(c) [Optional] Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information.

Permissible Requests by Covered Entity¶

[Optional] Covered entity shall not request business associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by covered entity. [Include an exception if the business associate will use or disclose protected health information for, and the agreement includes provisions for, data aggregation or management and administration and legal responsibilities of the business associate.]

Term and Termination¶

(a) Term. The Term of this Agreement shall be effective as of [Insert effective date], and shall terminate on [Insert termination date or event] or on the date covered entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

(b) Termination for Cause. Business associate authorizes termination of this Agreement by covered entity, if covered entity determines business associate has violated a material term of the Agreement [and business associate has not cured the breach or ended the violation within the time specified by covered entity]. [Bracketed language may be added if the covered entity wishes to provide the business associate with an opportunity to cure a violation or breach of the contract before termination for cause.]

(c) Obligations of Business Associate Upon Termination.

[Option 1 – if the business associate is to return or destroy all protected health information upon termination of the agreement]

Upon termination of this Agreement for any reason, business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form. Business associate shall retain no copies of the protected health information.

[Option 2—if the agreement authorizes the business associate to use or disclose protected health information for its own management and administration or to carry out its legal responsibilities and the business associate needs to retain protected health information for such purposes after termination of the agreement]

Upon termination of this Agreement for any reason, business associate, with respect to protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, shall:

1. Retain only that protected health information which is necessary for business associate to continue its proper management and administration or to carry out its legal responsibilities;

2. Return to covered entity [or, if agreed to by covered entity, destroy] the remaining protected health information that the business associate still maintains in any form;

3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of the protected health information, other than as provided for in this Section, for as long as business associate retains the protected health information;

4. Not use or disclose the protected health information retained by business associate other than for the purposes for which such protected health information was retained and subject to the same conditions set out at [Insert section number related to paragraphs (e) and (f) above under “Permitted Uses and Disclosures By Business Associate”] which applied prior to termination; and

5. Return to covered entity [or, if agreed to by covered entity, destroy] the protected health information retained by business associate when it is no longer needed by business associate for its proper management and administration or to carry out its legal responsibilities.

[The agreement also could provide that the business associate will transmit the protected health information to another business associate of the covered entity at termination, and/or could add terms regarding a business associate’s obligations to obtain or ensure the destruction of protected health information created, received, or maintained by subcontractors.]

(d) Survival. The obligations of business associate under this Section shall survive the termination of this Agreement.

Miscellaneous [Optional]¶

(a) [Optional] Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

(b) [Optional] Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.

(c) [Optional] Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.

SIGNATURE FOLLOWS

GDPR Data Processing Agreement/Addendum (“DPA”)¶

Data Protection Addendum¶

This Data Protection Addendum (this “Addendum”) is made and entered into as of the date appearing on the signature page hereto (the “Effective Date”) by and between The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust (“Company”) and the Supplier named on the signature page hereto, and upon execution shall be incorporated by reference into each agreement for services (“Services Agreement”) pursuant to which Supplier may Process (as defined below) Personal Data (as defined below) for, from, or on behalf of Company.

A. Personal Data Protection¶

For the purposes of this Addendum, the terms “Controller”, “Data Subjects”, “Personal Data”, “Personal Data Breach”, “Processor” and “Process” shall have the meaning as defined in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) or any successor European Union data protection framework.

The parties agree that to the extent Supplier, in the context of performing the agreed services, processes any Personal Data of Company, Supplier shall be the Processor and Company shall be the Controller of such Personal Data. Notwithstanding any obligations of Company as Controller under applicable data protection law, Supplier undertakes the following as Processor:

(a) to process any Personal Data only on behalf and in accordance with Company’s documented instructions and not for any purposes other than those described in this Addendum, unless (i) Company has given its express prior consent or (ii) Supplier is strictly required to do so under applicable European Data Protection Law (as defined below); in such a case, Supplier shall inform Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects are further specified in Exhibit 1 to this Addendum.

(b) to comply with (i) the GDPR and any applicable European data protection laws and regulations (collectively “European Data Protection Law”), and (ii), in case Supplier is certified under the EU-U.S. and/or Swiss-U.S. Privacy Shield Framework, or any successor program recognised under European Data Protection Law to provide for an adequate level of data protection, the principles of such applicable Privacy Shield Framework or successor program, and (iii) all other applicable data protection and privacy laws and regulations ((i) to (iii) collectively “Data Protection Laws”).

(c) to implement appropriate technical and organisational measures in such a manner that the Processing, including by any Sub-Processors (as defined below), will meet the requirements under Data Protection Laws and ensure the protection of the rights of the Data Subjects, and to regularly test, assess and evaluate the effectiveness of and, as necessary, improve and update these measures. The measures shall ensure a level of data security appropriate to the risks for the rights and freedoms of the Data Subjects. In particular, Supplier shall protect the personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed.

(d) to keep Personal Data strictly confidential and to ensure, and be able to demonstrate on request, that (i) only those persons have access to the Personal Data who are authorized by Supplier and have a strict need to know the data for the purposes under this Addendum, and (ii) all persons with access to Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(e) to disclose Personal Data to third parties, including affiliated companies, and/or to engage another Processor for the Processing of Personal Data (“Sub-Processor”) only with Company’s express prior consent. Where Supplier is authorized to engage another Sub-Processor for carrying out Processing activities on behalf of Company, Supplier shall enter into a written contract with the Sub-Processor which (i) imposes on the Sub-Processor the same data protection obligations as set forth in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements under Data Protection Laws, and (ii) grants Company the right to directly audit the Sub-Processor as set forth under Section A(j). Supplier shall promptly send a copy of any sub-processor agreement it concludes under this Section A(e) to Company. Supplier shall select the Sub-Processor diligently, taking into account the technical and organisational measures it has implemented, and ensure, by carrying out audits before and regularly after the commencement of the data processing by such Sub-Processor, that it maintains appropriate technical and organisational measures to safeguard an adequate level of data protection within the meaning of European Data Protection Law. Supplier shall remain fully liable to Company for the performance of this Agreement and be responsible and liable for any act or omission of the Sub-Processor with respect to its data protection obligations.

(f) to assist Company, including by appropriate technical and organisational measures, insofar as this is possible and taking into the nature of the processing, in fulfilling its obligations in relation to requests from Data Subjects for exercising their Data Subject’s rights under Data Protection Laws, including, but not limited to, the Data Subject’s right of access, right to rectification and erasure, right to restriction of processing, right to data portability and right to object, as provided for under the GDPR.

(g) to assist Company, taking into account the nature of the processing and information available to Supplier, in ensuring compliance with the obligations under applicable Data Protection Laws, including, in particular, by providing all information and assistance to enable Company (i) to comply with applicable data security obligations, (ii) to carry out a data protection impact assessment or prior consultation with the supervisory authority, as required under European Data Protection Law, and (iii) to respond promptly and properly to any enquiries concerning the Processing of Personal Data and cooperate in good faith with the supervisory authorities, the Data Subjects or any third party within a reasonable time. Supplier shall not communicate with any supervisory authority, Data Subject or any third party in connection with the Processing of Company’s Personal Data without prior approval from Company, except as expressly permitted in this Section A.

(h) to notify Company, without undue delay, in writing or via e-mail (i) of any intended change of the locations currently set out in Exhibit 1 to this Addendum for the Processing of Personal Data, (ii) in case of a dispute, claim or request brought by a Data Subject directly against Supplier, (iii) in the event of any measure, request or other communication by a supervisory authority, including about any legally binding request for access or disclosure of Personal Data by a public authority (unless otherwise legally prohibited, in which case the Supplier will use its best efforts to obtain the right to waive this prohibition), and provide reasonable assistance if Company wishes to contest the request, and (iv) of any suspected or actual Personal Data Breach, any breach of applicable Data Protection Laws or of this Addendum. Supplier shall promptly remedy any breach and cooperate with Company in the investigation and remedy of such breaches and provide all reasonable assistance and information to enable Company to comply with, or, as applicable, to avoid, any data breach notification obligations vis-à-vis supervisory authorities and/or Data Subjects. Supplier shall further immediately inform Company if, in its opinion, an instruction infringes Data Protection Laws and/or Supplier becomes aware of the existence of any local laws that would have a substantial adverse effect on the guarantees and undertakings provided for under this Addendum.

(i) at the choice of Company, to return to Company (in a standard format facilitating portability) and/or to securely delete/destroy all Personal Data, including all existing copies thereof, in accordance with Company’s instructions, within thirty (30) days upon Company’s request or after the end of the provision of the services relating to Processing, and to certify to Company in writing that it has done so. Supplier shall not be obliged to delete/destroy all copies of the Personal Data where a longer storage by Supplier is required under European Data Protection Law, in which case Supplier shall inform Company accordingly, including about the legal grounds for, and the term of, any further storage;

(j) to make available to Company all information necessary to demonstrate compliance with the obligations under Data Protection Laws applicable to Company and to allow for and contribute to audits, including on-site inspections, conducted by Company or another auditor mandated by Company. (k) to enter into any further agreements that may be required under Data Protection Laws relating to Personal Data, and to provide all other assistance and support to Company.

B. Changes to this Addendum¶

The parties agree that, to the extent required under applicable Data Protection Laws, such as due to legislative changes, court decisions, and/or to reflect measures or guidance from the competent supervisory authorities or the European Commission, including, without limitation, the adoption of standards for contracts with processors according to Art. 28(7) or (8) GDPR or the invalidation, amendment, replacement or repeal of a decision adopted by the EU Commission in relation to international data transfers on the basis of Art. 45(3) or Art. 46(2) GDPR or on the basis of Article 25(6) or 26(4) of EU Directive 95/46/EC, such as, in particular, with respect to the EU Standard Contractual Clauses or similar transfer mechanisms, Company may request reasonable changes or additions to this Addendum to reflect applicable requirements.

C. Third party beneficiary clause¶

The parties agree that affiliates of the Company shall be entitled under and can enforce the terms of this Addendum against Supplier as third-party beneficiaries.

D. Termination¶

In the event of Supplier’s violation of any obligation under Data Protection Laws or this Addendum, Company, without prejudice to any other rights which it may have, shall be entitled to terminate any Services Agreement forthwith. Any terms of this Addendum that by their nature extend beyond the termination of the Services Agreement, including without limitation this Addendum, Section A(i), shall remain in effect.

E. Precedence¶

In the event of a conflict between this Addendum and other provisions of the Services Agreement, this Addendum shall prevail.

[Signature page follows.]

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed as of ________, ___, 20___ by their respective officers thereunto duly authorized.

COMPANY:
The Trustee for The Mussig Business Family Trust & The Trustee for The Wedemeyer Family Trust

By:
Name:
Title:

SUPPLIER:
________________________

By:
Name:
Title:

Exhibit 1 to Data Protection Addendum¶

Description of Processing

A. Subject-matter, nature and purpose of the Processing¶

Supplier provides certain services to Company, including [insert general description of services relating to processing of personal data], as further specified in the Services Agreement. In the context of performing the obligations under the Services Agreement, Supplier may Process certain of Company’s Personal Data as necessary for the purposes of [insert purposes of Processing], as further specified in the Services Agreement. Such processing may include:
[insert description of relevant data processing activities/operations].

B. Duration of the Processing¶

[insert duration of data processing, e.g.: “The agreed Processing of Personal Data shall commence upon the effective date of the Services Agreement and be carried out for the term of the Services Agreement. The services relating to Processing of Personal Data shall automatically end in case the Services Agreement is effectively terminated or expires, in which case the Personal Data shall be handled in accordance with Section A(i). To the extent the Processing of Personal Data by Supplier is necessary for the winding-up of the Services Agreement, e.g. with respect to returning the Personal Data, the provisions of Section A shall continue to apply until the completion of the winding-up.”]

C. Categories of Data Subjects¶

The Processing will concern the following categories of Data Subjects:
[insert categories of data subjects concerned, e.g.: a. Company employees and job candidates b. Managers, employees, agents or other contact persons at business partners c. Company customers that are natural persons d. Patients, research subjects or other customers of Company’s clients]

D. Types of Personal Data¶

The Processing will concern the following types of Personal Data [insert types of Personal Data concerned, e.g.:]

• a) Company employees and job candidates:
  name, contact details (address, phone number and direct line, e-mail address), birth date/ country, gender, education (e.g., highest education level, country, degree, certificates), job information about current and previous employment (position, kind of work, work location, salary, replacement, company, location, department, position, function, grade, supervisor, employee class, grade and labor start/ entry date, labor agreement, business title, full or part-time, shifts, working hours), professional skills, CV and resume, training, compensation and remuneration (e.g., compensation rate, salary, target bonus, incentives, benefits), individual development plan, performance goals and assessment, position in company, bank account number and corporate credit card number, national ID and social security number, information about an immigration background.

• b) Managers, employees, agents or other contact persons at business partners:
  contact details (name, address, phone number and direct line, e-mail address).

• c) Company customers that are natural persons:
  name, contact details (address, phone number and direct line, e-mail address), information regarding purchases of such customers, bank account details, credit information, information about such customers’ interest in Company products.

• d) Patients, research subjects or other customers of Company’s clients:
  [insert the type of data in this category that your service providers might handle]

The Processing will concern the following special categories of data[^1]:
[…]

The Processing will include Personal Data relating criminal convictions and offenses relating to:
[…]

[^1]: “Special categories of data” means any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Vendor Security Response Template¶

2025.1

This template provides a standardised approach for responding to client security questionnaires and vendor assessments. Use this template to ensure consistent, comprehensive responses that align with Niche Studio’s security policies and procedures.

Response guidelines¶

1. Always Include These Elements¶

• Policy Reference: Cite specific policy documents where applicable
• Technical Details: Provide specific technical implementation details
• Compliance Status: Clearly state compliance with relevant standards
• Evidence: Reference supporting documentation, certifications, or procedures
• Contact Information: Include relevant contact details for follow-up

2. Standard Response Format¶

Question: [Client's specific question]
Answer: [Yes/No/Partial with explanation]
Details: [Technical implementation details]
Policy Reference: [Specific policy document]
Evidence: [Supporting documentation or procedures]
Contact: [Relevant team member for follow-up]

Common response categories¶

Access Management¶

Standard Response Elements:

• Multi-factor authentication implementation
• Role-based access control (RBAC)
• Regular access reviews and audits
• Background check procedures
• Access provisioning and deprovisioning

Policy References:

• Access Control Policy
• HR Security Procedures
• User Access Management Procedures

Security Monitoring and Incident Response¶

Standard Response Elements:

• SIEM platform (Wazuh) implementation
• 24/7 monitoring and alerting
• Incident response procedures
• Breach notification compliance (Australian NDB scheme)
• Regular security assessments

Policy References:

• System Audit Policy
• Incident Response Policy
• Breach Investigation and Notification Policy

Data Protection and Privacy¶

Standard Response Elements:

• Australian Privacy Act 1988 compliance
• Data encryption (AES-256) at rest and in transit
• Data residency (Australian servers)
• Privacy impact assessments
• Data subject rights management

Policy References:

• Privacy and Consent Policy
• Data Management Policy
• Data Protection Procedures

Infrastructure Security¶

Standard Response Elements:

• Cloud-based infrastructure (Binary Lane, DigitalOcean)
• Automated security patching
• Network security controls (Cloudflare, fail2ban)
• Server hardening (CIS Benchmarks)
• Automated deployment and configuration management

Policy References:

• System Configuration Management
• Network Security Policy
• Change Management Procedures

Business Continuity and Disaster Recovery¶

Standard Response Elements:

• RPO: 24 hours maximum data loss
• RTO: 4 hours for critical systems
• Geographically separate backup locations
• Quarterly disaster recovery testing
• Business continuity planning

Policy References:

• Business Continuity and Disaster Recovery Policy
• Data Backup and Recovery Procedures

Compliance and Certifications¶

Current Status:

• Australian Privacy Act 1988 compliance
• Preparing for ISO 27001 certification
• SOC 2 Type 2 preparation
• PCI DSS SAQ A compliance (for payment processing)

Policy References:

• Compliance Management Policy
• Risk Management Policy

Vendor-specific information¶

Hosting Providers¶

• Primary: Binary Lane (NextDC Brisbane, Australia)
• Secondary: DigitalOcean
• Backups: Wasabi (Sydney, Australia)
• CDN: Cloudflare

Security Tools and Services¶

• SIEM/XDR: Wazuh
• Network Protection: Cloudflare, fail2ban
• Configuration Management: Ansible (Trellis)
• Monitoring: Continuous monitoring with real-time alerting
• Backup: Automated daily backups with encryption

Service Level Commitments¶

• Uptime: 99.9% availability
• Response Times:
• Critical (Site down, purchases blocked, data loss): Within 4 hours
• Major (Issues impacting revenue or key functionality): Within 1 day
• Minor (Small fixes, cosmetic/admin issues): Within 2 days
• Enquiry (General questions, new features, quotes): Within 3 days
• Business Hours: 9 AM – 5 PM AEST, Mon–Fri (excluding public holidays)
• After-hours Support: May be charged at double time or deferred to business hours
• Guarantee: If we miss a response deadline, you get 2 free support hours
• Maintenance: Monthly/Quarterly/Annual packages available
• Reporting: Regular security and performance reports

Supporting Documentation¶

Available Upon Request¶

• Security Policy Framework
• Incident Response Procedures
• Business Continuity Plans
• Privacy Policy and Terms of Trade
• Service Level Agreements
• Insurance Certificates
• Third-party Assessment Reports

Contact Information¶

• Security Officer: Mikael Wedemeyer (mikael@team.nichestud.io)
• Privacy Officer: Mikael Wedemeyer (mikael@team.nichestud.io)
• Technical Contact: Michael Armstrong (michael@team.nichestud.io)
• General Inquiries: niche@team.nichestud.io

Response Checklist¶

Before submitting any vendor response:

• [ ] All questions answered completely
• [ ] Policy references included where applicable
• [ ] Technical details are accurate and current
• [ ] Compliance status clearly stated
• [ ] Supporting documentation identified
• [ ] Contact information provided
• [ ] Response reviewed by security team
• [ ] Client-specific requirements addressed

Notes¶

• Always tailor responses to the specific client’s requirements
• Highlight relevant certifications and compliance achievements
• Provide specific examples of security implementations
• Include relevant case studies or success stories where appropriate
• Ensure all technical details are current and accurate
• Follow up on any outstanding items promptly

This template should be updated regularly to reflect changes in Niche Studio’s security posture, policies, and procedures.

Controls¶

This section contains our security control mappings and compliance documentation.

Control Mappings¶

• Control Mapping Overview - Unified control matrix mapping ISO 27001:2022, SOC 2, APPs/NDB, and PCI DSS
• HIPAA Controls Mapping - Mapping of our security controls to HIPAA requirements
• NIST Controls Mapping - Mapping of our security controls to NIST framework
• Log Retention Schedule - Schedule for retaining various types of logs and data

Overview¶

These control mappings demonstrate our compliance with various security frameworks and standards. They provide detailed mappings of our security controls to specific requirements, helping auditors and stakeholders understand our security posture.

Unified Control & Evidence Matrix¶

This matrix maps ISO 27001:2022 Annex A controls, SOC 2 Trust Services Criteria, Australian Privacy Principles (APPs) & Notifiable Data Breach (NDB), and PCI DSS (SAQ A / A-EP). It provides control intent, owner, and expected evidence.

Usage¶

• Owner column: currently all CTO, but can be delegated (e.g., Dev Lead for SDLC, Ops Lead for backups).
• Evidence cadence: Access reviews (quarterly), vuln scans (monthly), backups (weekly + annual test), IR tabletop (annual), risk register (annual).
• Client pack: export rows with Owner + Evidence → becomes your “Trust Pack” appendix for assessments.

HIPAA Mappings to Niche Studio Policies and Controls¶

2025.1

Below is a list of HIPAA Safeguards and Requirements and the Niche Studio policies and controls in place to meet those.

NIST Mappings to Niche Studio Policies and Controls¶

2025.1

Below is a list of NIST SP 800-53 Controls Families and the mappings to Niche Studio policies and controls in place.

Log Retention Schedule¶

2025.1

Overview¶

This document defines the retention periods for all types of logs, audit trails, and security records maintained by Niche Studio. Retention periods are established based on business requirements, regulatory compliance obligations, and operational needs.

Log Categories and Retention Periods¶

Security and Audit Logs¶

Compliance and Regulatory Logs¶

Infrastructure and Application Logs¶

Physical Security Logs¶

Business and Administrative Logs¶

Storage Locations¶

Local Storage (30 days)¶

• Primary log servers
• Application servers
• Security appliances
• Network devices

Warm Storage - Wasabi (1-3 years)¶

• Encrypted log files
• Compressed and indexed
• Searchable and accessible
• Cost-optimized for frequent access

Wasabi Object Storage with Object Lock (1–7 years)¶

• Long-term archival with immutability controls
• Compressed and encrypted
• Rarely accessed
• Cost-optimized for long-term storage
• Immutable retention policies enforced through Object Lock

Log Processing and Archival¶

Automated Processes¶

1. Daily: Logs are collected from all systems
2. Weekly: Logs are compressed and encrypted
3. Monthly: Logs are moved from local to warm storage
4. Annually: Logs are moved from warm to cold storage
5. End of Retention: Logs are securely deleted

Manual Processes¶

1. Incident Response: Logs may be retained longer during investigations
2. Legal Hold: Logs may be preserved beyond normal retention periods
3. Compliance Audits: Logs may be retained longer during audit periods

Compliance Requirements¶

SOC 2 Type II¶

• Minimum 1 year retention for security logs
• Audit trail integrity requirements
• Immutable log storage

ISO 27001¶

• Minimum 1 year retention for security logs
• Risk management requirements
• Continuous monitoring

HIPAA¶

• Minimum 6 years for audit logs
• Business Associate Agreement requirements
• Breach notification timelines

PCI DSS¶

• Minimum 1 year for payment card logs
• Quarterly security assessments
• Incident response requirements

GDPR¶

• Minimum 1 year for processing logs
• Data subject rights requirements
• Privacy impact assessments

Australian Privacy Act 1988¶

• Minimum 7 years for privacy-related logs
• Notifiable Data Breaches scheme
• Privacy impact assessments

Log Integrity and Security¶

Encryption¶

• All logs encrypted in transit (TLS 1.2+)
• All logs encrypted at rest (AES-256)
• Separate encryption keys for each log type

Access Controls¶

• Role-based access to log systems
• Multi-factor authentication required
• Audit trail for all log access

Integrity Protection¶

• Digital signatures for log files
• Immutable storage for critical logs
• Regular integrity verification

Monitoring and Alerting¶

Retention Monitoring¶

• Automated alerts for retention policy violations
• Regular reports on log storage usage
• Cost monitoring for storage tiers

Compliance Monitoring¶

• Regular audits of retention compliance
• Quarterly reviews of retention policies
• Annual updates to retention schedule

Exceptions and Special Cases¶

Incident Response¶

• Logs related to security incidents may be retained longer
• Legal hold may extend retention periods
• Investigation requirements may override normal retention

Regulatory Changes¶

• Retention periods may be updated based on new regulations
• Compliance requirements may change
• Business requirements may evolve

Storage Limitations¶

• Emergency purging may be required for storage capacity
• Cost optimisation may require earlier deletion
• Technical limitations may affect retention periods

Review and Updates¶

Annual Review¶

• Review all retention periods for compliance
• Update based on regulatory changes
• Assess business requirements

Quarterly Monitoring¶

• Monitor storage usage and costs
• Review compliance with retention policies
• Update automated processes as needed

Ad Hoc Updates¶

• Immediate updates for regulatory changes
• Emergency updates for security incidents
• Business-driven updates for operational needs

Contact Information¶

For questions about log retention policies or procedures:

• Security Team: security@
• Compliance Team: compliance@
• IT Operations: it@
• Legal Questions: legal@

Document Control¶

• Last Updated: 2025.1
• Next Review: Annual
• Approved By: Security Officer
• Version: 1.0