Effective Date: 1 December 2025
Version: 4.0
Issuing Entity: Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.app
Parent Governance Entity: Strategic Global Holdings Pty Ltd (ACN 693 256 503), Queensland, Australia
Governing Law: As specified in the main service agreement. For Australian customers, Queensland law applies.
Review Cycle: Reviewed at least annually or earlier where required by law or material operational change.
1. PURPOSE
This Policy describes the technical and organisational measures implemented by Superspeed.ai Pty Ltd to protect data processed through Cushi.app.
Cushi.app operates primarily under Australian law, including the Privacy Act 1988 (Cth), and implements security controls proportionate to the nature, scope, and risks of its processing activities.
This Policy does not constitute certification against any external security standard unless expressly stated in writing.
2. SCOPE
This Policy applies to:
- Cloud infrastructure supporting Cushi.app
- Web and mobile applications
- Internal operational systems
- Development and support environments
- Approved third-party service providers engaged in service delivery
3. SECURITY GOVERNANCE
Accountability for information security rests with the Chief Executive Officer of Superspeed.ai Pty Ltd.
Operational security responsibilities are assigned to designated personnel.
Security governance includes:
- Documented policies and procedures
- Defined roles and responsibilities
- Risk-based decision-making
- Periodic review of control effectiveness
4. SECURITY OBJECTIVES
Cushi.app seeks to:
- Protect confidentiality of Personal Information
- Maintain integrity of governance and operational records
- Support availability of services
- Reduce the likelihood of unauthorised access, disclosure, or loss
- Comply with applicable legal obligations
No information system can guarantee absolute security. Cushi.app implements reasonable and proportionate safeguards designed to reduce risk.
5. RISK MANAGEMENT
Cushi.app applies a risk-based approach to information security.
This includes:
- Identification of material risks
- Assessment of potential impact
- Implementation of mitigation measures proportionate to risk
- Periodic reassessment
Risk treatment decisions are made in light of business context and operational feasibility.
6. DATA CLASSIFICATION
Information handled by Cushi.app is categorised to guide appropriate protection:
6.1 Public
Information approved for public disclosure.
6.2 Internal
Operational information not intended for public release.
6.3 Confidential
Customer Data and sensitive operational information.
6.4 Restricted
Authentication credentials, encryption keys, and privileged access information.
7. ACCESS CONTROL
Access to systems and data is restricted to authorised individuals based on role and legitimate business need.
Controls may include:
- Role-based access controls
- Multi-factor authentication for privileged or administrative access
- Access approval and review processes
- Deprovisioning on termination or role change
- Monitoring of privileged activity
Customers are responsible for managing their own user access within the platform.
8. ENCRYPTION
Cushi.app uses encryption to protect data in transit and at rest where appropriate.
Encryption protocols and configurations are selected in accordance with industry practice and the capabilities of underlying infrastructure providers.
Encryption key access is restricted and controlled.
9. INFRASTRUCTURE AND NETWORK SECURITY
Infrastructure security measures may include:
- Logical separation of environments
- Secure configuration of services
- Network access controls
- Monitoring for anomalous activity
Cushi.app primarily utilises reputable cloud infrastructure providers that maintain their own physical and environmental safeguards.
10. SECURE DEVELOPMENT PRACTICES
Security considerations are incorporated into development activities.
Practices may include:
- Code review processes
- Dependency and vulnerability scanning
- Secure secrets management
- Separation of development and production environments
- Review of new features for data exposure and misuse risk
11. VULNERABILITY MANAGEMENT
Cushi.app monitors publicly disclosed vulnerabilities relevant to its technology environment.
Identified vulnerabilities are assessed and remediated in accordance with risk severity and operational feasibility.
Higher risk issues are prioritised.
12. LOGGING AND MONITORING
System activity may be logged for security and operational purposes.
Logs may include authentication events, administrative activity, and infrastructure-level events.
Access to logs is restricted to authorised personnel.
Log retention is managed in accordance with internal policies and legal obligations.
13. INCIDENT RESPONSE
Cushi.app maintains documented incident response procedures.
In the event of a confirmed security incident affecting Personal Information:
- The incident will be assessed
- Containment and remediation measures will be implemented
- Customers will be notified where required by contract or applicable law
For Australian Customers, obligations under the Notifiable Data Breaches scheme apply where relevant.
14. DATA LIFECYCLE MANAGEMENT
Personal Information is:
- Collected and used in accordance with the Privacy Policy
- Stored using technical safeguards appropriate to sensitivity
- Retained only as long as necessary for contractual or legal purposes
- Deleted or de-identified when no longer required
Customer Data retention and deletion are governed by applicable agreements.
15. BACKUPS AND BUSINESS CONTINUITY
Cushi.app maintains backup processes to support service continuity.
Backups may be encrypted and stored securely.
Business continuity and disaster recovery procedures are maintained proportionate to operational risk.
Specific recovery targets may be defined internally and may be disclosed under confidentiality where appropriate.
16. THIRD-PARTY SERVICE PROVIDERS
Third-party providers engaged in service delivery are assessed prior to engagement based on risk.
Where third parties process Customer Data, written agreements include confidentiality and data protection obligations consistent with applicable law.
17. PHYSICAL SECURITY
Cushi.app relies primarily on cloud-based infrastructure.
Physical security controls are managed by relevant cloud infrastructure providers.
Customer Data is not routinely stored on local devices unless operationally required and appropriately protected.
18. USER RESPONSIBILITIES
Customers and authorised users are responsible for:
- Protecting authentication credentials
- Maintaining secure devices
- Reporting suspected security incidents promptly
- Using the Services in compliance with applicable law
19. CONTINUOUS IMPROVEMENT
Security controls are reviewed periodically and may be enhanced in response to:
- Risk assessments
- Incident analysis
- Changes in the threat landscape
- Legal or regulatory developments
CONTACT
Security and privacy matters may be directed to:
Superspeed.ai Pty Ltd
Brisbane, Australia
privacy@cushi.app
security@cushi.app
VERSION CONTROL AND GOVERNANCE
Version 4.0
Effective 1 December 2025
Approved by Chief Executive Officer, Superspeed.ai Pty Ltd
© 2025 Superspeed.ai Pty Ltd (ACN 660 530 090), trading as Cushi.app
Part of the Strategic Global Holdings Pty Ltd group (ACN 693 256 503)
