Brandkit ISMS - Self Attestation Statement
Information Security Management System Self-Attestation Statement
Company: Brandkit Limited
Address: Auckland, New Zealand
Website: https://brandkit.com
Date of Attestation: 1 Dec 2025
Attestation Period: 1 Dec 2025 to 1 Dec 2026
Next Review Date: 1 November 2026
Statement of Commitment
Brandkit Limited (“Brandkit”) is committed to maintaining the highest standards of information security to protect our customers’ data, digital assets, and our business operations. This self-attestation confirms that Brandkit has established and maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022 standards.
Scope of ISMS
Our Information Security Management System covers:
Systems and Services:
- Brandkit platform (multi-tenant digital asset management and content management system)
- Cloud infrastructure (AWS and Fly.io)
- Customer data and digital assets
- Business operations and supporting systems
- Third-party services: SendGrid (email), Plausible (analytics), OpenAI (AI tagging, descriptions, semantic search)
Locations:
- Headquarters: Auckland, New Zealand
- Office: Warkworth, New Zealand (used by some team members)
- Remote-first organization with team members working from various locations
- Primary Data Centers: Virginia USA, Sydney Australia, and London UK
- Disaster Recovery Data Centers: Oregon USA, Singapore, and Dublin Ireland
- Cloud infrastructure hosted on AWS and Fly.io
Personnel:
- 6 team members (mix of full-time, part-time, employees and contractors)
- Located across New Zealand, Italy, and Spain
- Mix of company-issued devices and BYOD
ISO 27001 Compliance Statement
Brandkit attests that we have implemented information security controls and management practices consistent with the requirements of ISO/IEC 27001:2022. While we have not pursued formal third-party certification at this time, we have established comprehensive policies, procedures, and controls that align with ISO 27001 framework.
Our ISMS includes:
1. Information Security Policies ✓
- Information Security Policy
- Acceptable Use Policy
- Access Control Policy
- Data Classification and Handling Policy
- Data Retention and Deletion Policy
2. Risk Management ✓
- Comprehensive risk assessment completed (16 risks identified and documented)
- Risk treatment plans documented
- Regular risk reviews (quarterly)
- Continuous risk monitoring
3. Asset Management ✓
- Information asset inventory maintained
- Asset classification system implemented
- Asset ownership defined
- Acceptable use policies enforced
4. Access Control ✓
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) required for all critical systems
- Regular access reviews (quarterly)
- Least privilege principle enforced
- Access logging and monitoring
5. Cryptography ✓
- Encryption at rest (AES-256 for customer data)
- Encryption in transit (TLS 1.2+)
- Secure key management (AWS KMS)
6. Physical and Environmental Security ✓
- Remote-first security controls
- Device encryption requirements (full disk encryption)
- Secure home office guidelines
- Office security (Warkworth location)
- Cloud provider physical security (AWS, Fly.io)
7. Operations Security ✓
- Change management procedures
- Backup and recovery processes (tested monthly)
- Malware protection
- Logging and monitoring
- Vulnerability management
8. Communications Security ✓
- Network security controls
- Secure data transmission
- Secure email practices
9. System Acquisition, Development and Maintenance ✓
- Secure development practices
- Code review requirements
- Security testing
- Change management
10. Supplier Relationships ✓
- Vendor security assessment
- Data Processing Agreements with vendors processing customer data
- Regular vendor reviews
- Supply chain security management
- Third-party AI vendor management (OpenAI)
11. Incident Management ✓
- Incident Response Plan documented and tested
- Incident reporting procedures
- 24/7 incident response capability
- Post-incident reviews
12. Business Continuity ✓
- Business Continuity and Disaster Recovery Plan
- Recovery Time Objectives (RTO): 4 hours
- Recovery Point Objectives (RPO): 24 hours
- Multi-region disaster recovery (6 global data center locations)
- Regular BC/DR testing (quarterly)
13. Compliance ✓
- GDPR compliance (data protection)
- CCPA compliance (California privacy)
- Regular compliance reviews
- Legal and regulatory monitoring
- AI processing transparency and disclosure
Security Controls Implementation
Brandkit has implemented security controls across the following categories:
Organizational Controls
- Security governance structure
- Information security roles and responsibilities
- Security policies and procedures
- Employee security awareness and training
- Disciplinary process for policy violations
People Controls
- Background verification for employees
- Confidentiality agreements
- Security awareness training (annual)
- Secure onboarding and offboarding procedures
Physical Controls
- Device security requirements (encryption, screen locks)
- Secure disposal procedures
- Office security (Warkworth location)
- Cloud provider physical security
Technological Controls
- Access control systems
- Encryption technologies
- Logging and monitoring systems
- Backup and recovery systems (primary + DR locations)
- Malware protection
- Network security
- Vulnerability management
Data Protection and Privacy
Brandkit is committed to protecting customer data and privacy:
- Data Classification: Four-tier classification system (Restricted, Confidential, Internal, Public)
- Data Protection: Encryption, access controls, monitoring
- Data Retention: Defined retention periods with automatic deletion
- Data Subject Rights: Support for access, deletion, and portability requests
- Privacy Compliance: GDPR and CCPA compliant practices
- Breach Notification: 72-hour notification procedures (GDPR requirement)
- AI Processing Transparency: Customer disclosure and opt-out for OpenAI processing
Geographic Redundancy and Disaster Recovery
Brandkit maintains a robust multi-region infrastructure:
Primary Data Centers:
- Virginia, USA
- Sydney, Australia
- London, UK
Disaster Recovery Data Centers:
- Oregon, USA (DR for Virginia)
- Singapore (DR for Sydney)
- Dublin, Ireland (DR for London)
This architecture ensures:
- Geographic redundancy across three continents
- Rapid failover capabilities in case of regional outages
- Data residency options for customers
- Low-latency global content delivery
Third-Party Service Providers
Brandkit has assessed and manages the following critical third-party vendors:
Tier 1 Vendors (Access to Customer Data):
- AWS (infrastructure, storage, database)
- Fly.io (application hosting)
- GitHub (source code repository)
- OpenAI (AI processing for tagging, descriptions, semantic search)
- Google (Authentication, AI processing for video tagging, descriptions services)
- hCaptcha for Authentication services (Captcha)
- Microsoft for Authentication services (EntraID)
Tier 2 Vendors (Limited Data Access):
- SendGrid (email delivery)
- Plausible.ai (privacy-focused analytics)
- Basecamp (internal project management)
All vendors with access to customer data have:
- Signed Data Processing Agreements (DPAs)
- SOC 2 Type 2 or equivalent certifications
- Annual security reviews
- Documented security assessments
OpenAI Specific Controls:
- Customer content not used for model training (per OpenAI API terms)
- 30-day data retention for abuse monitoring only
- Customer opt-out option available
- Transparent disclosure in Privacy Policy and customer FAQ
Testing and Verification
Brandkit regularly tests and verifies our security controls:
| Activity | Frequency | Last Performed | Next Scheduled |
|---|---|---|---|
| Backup Restoration Test | Quarterly | [Date] | [Date] |
| Access Control Review | Quarterly | [Date] | [Date] |
| Incident Response Drill | Quarterly | [Date] | [Date] |
| Disaster Recovery Test | Annually | [Date] | [Date] |
| Risk Assessment Review | Annually | [Date] | [Date] |
| Security Awareness Training | Annually | [Date] | [Date] |
| Policy Review | Annually | 1 Dec 2025 | 1 Dec 2026 |
| Vendor Security Review | Annually | 1 Dec 2025 | 1 Nov 2026 |
Continuous Improvement
Brandkit is committed to continuous improvement of our information security:
- Regular monitoring and measurement of security performance
- Internal audits and reviews
- Management review of ISMS effectiveness
- Corrective and preventive actions
- Lessons learned from incidents
- Industry best practice adoption
- Monitoring of emerging threats (including AI-specific risks)
Management Commitment
Brandkit’s management is committed to:
- Maintaining and improving the ISMS
- Providing adequate resources for information security
- Setting information security objectives
- Ensuring compliance with legal and regulatory requirements
- Promoting security awareness across the organization
- Regular review of security policies and procedures
- Transparent communication about AI and third-party data processing
Attestation
I, David Vaassen, Chief Executive Officer of Brandkit Limited, hereby attest that:
- Brandkit has established an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022 standards
- The ISMS covers the scope defined in this document
- Information security policies and procedures have been documented and implemented
- A comprehensive risk assessment has been conducted (16 risks identified) and risk treatment plans are in place
- Security controls are operating effectively across 6 global data center locations
- Third-party vendors (including AI service providers) have been assessed and are managed appropriately
- The ISMS is subject to regular review and continuous improvement
- All personnel are aware of their information security responsibilities
- Customers are transparently informed about data processing, including AI features
- This attestation is accurate and complete to the best of my knowledge
This attestation is valid for the period specified above and will be reviewed annually.
Signed:
_
David Vaassen
Chief Executive Officer
Brandkit Limited
Date: 1 December 2025
Supporting Documentation
The following documentation supports this attestation and is available for review by customers and authorized parties (subject to confidentiality restrictions):
- Information Security Policy
- Risk Assessment and Treatment Plan (16 identified risks)
- Security control implementation evidence
- Testing and audit reports
- Incident response records
- Training records
- Policy acknowledgments
- Vendor security assessments (including OpenAI)
- Data Processing Agreements
Note: Detailed security documentation contains confidential information and is provided under Non-Disclosure Agreement upon request.
Contact Information
For questions about Brandkit’s information security practices or to request additional information:
Security Contact:
David Vaassen, Chief Executive Officer
Email: ceo@brandkit.com
Phone: +64 21 648 962
Company Information:
Brandkit Limited
39 McCallum Drive, Auckland 0982, New Zealand
https://brandkit.com
Verification and Updates
Current Version: 1.0
Effective Date: 1 Dec 2025
Next Review Date: 1 Nov 2026
Document Classification: Public
Notes for Customers and Partners
What This Attestation Means
- Brandkit has implemented comprehensive information security controls
- Our practices align with international standards (ISO 27001)
- We operate a global, redundant infrastructure (6 data center locations)
- We take security seriously and have documented, tested procedures
- We are transparent about third-party data processing (including AI)
- We are committed to continuous security improvement
Self-Attestation vs. Formal Certification
- Self-Attestation: Brandkit has implemented ISO 27001 controls and attests to compliance (this document)
- Formal Certification: Independent third-party audit and certification (not currently pursued)
- Both approaches use the same ISO 27001 framework and controls
- Self-attestation is appropriate for organizations of our size and provides strong security assurance
Our Infrastructure
- 3 primary data centers across Americas, APAC, and EMEA
- 3 dedicated disaster recovery data centers
- Geographic redundancy for business continuity
- Multi-region failover capabilities
AI Features Transparency
- We use OpenAI for optional AI features (tagging, descriptions, search)
- Customer content is not used to train AI models
- AI features can be disabled at any time
- Full transparency in our Privacy Policy and FAQ
Future Plans
Brandkit may pursue formal ISO 27001 certification through an accredited certification body as our business grows and customer requirements evolve. This self-attestation provides a solid foundation for potential future certification.
Questions or Concerns?
We welcome questions about our security practices. Please contact our security team using the contact information above.
Document Control:
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.1 | 01 May 2026 | CEO | Initial attestation - includes 6 global data centers, OpenAI vendor management, 16 risk assessment |
This attestation is provided in good faith based on Brandkit’s current implementation of information security controls and management practices. While Brandkit has not undergone formal third-party ISO 27001 certification audit, we are committed to maintaining security standards consistent with ISO 27001 requirements.