Cybersecurity & Data Protection Policy

MNH Planning Administration Pty Ltd ABN: 76 166 906 789 | ACN: 166 906 789 Document Owner: Matthew Hibbins, Managing Director & Privacy Officer Contact: security@mnh.expert | +61 478 669 918 Effective Date: 10 April 2026 Review Cycle: Annual (next review due April 2027) Classification: Client-Facing -- Confidential

Purpose & Scope
Compliance Framework Alignment
Definitions
Governance & Accountability
Authentication & Access Control
Data Encryption
Network & Infrastructure Security
Application Security
AI Security & Responsible Use
Monitoring, Logging & Audit
Data Isolation & Multi-Tenancy
Session Management
Data Retention & Disposal
Personnel Security
Incident Response
Business Continuity & Disaster Recovery
Third-Party & Supply Chain Risk
Continuous Improvement & Known Gaps
Policy Acceptance & Version History

1. Purpose & Scope

1.1 Purpose

This policy establishes the cybersecurity and data protection standards governing MNH Expert, a cloud-based SaaS platform operated by MNH Planning Administration Pty Ltd. MNH Expert provides CRM, AI-assisted paraplanning, research data warehouse, email/calendar synchronisation, and Data-as-a-Service (DaaS) API capabilities to Australian financial planning practices.

This document is intended to:

Demonstrate to Australian Financial Services Licence (AFSL) holders that MNH Expert maintains security controls commensurate with the sensitivity of financial planning data.
Provide transparency regarding the specific technical and organisational controls in place.
Satisfy due-diligence requirements under APRA CPS 234 for outsourced information asset management.
Serve as the authoritative reference for MNH Expert's security posture.

1.2 Scope

This policy applies to:

The MNH Expert web application, background worker infrastructure, and DaaS API.
All data processed, stored, or transmitted by the platform, including client personal information, financial planning documents, and advisory records.
All personnel with access to MNH Expert systems, including directors, employees, contractors, and authorised offshore staff.
All third-party services integrated into the platform (Supabase, Vercel, Fly.io, Anthropic).

1.3 Audience

This document is provided to AFSL holders, compliance managers, and information security officers conducting due diligence on MNH Expert as a technology service provider.

2. Compliance Framework Alignment

MNH Expert's security controls are designed and assessed against the following frameworks:

Framework	Alignment Target	Status
ACSC Essential Eight	Maturity Level 2+	Active -- controls mapped below
ISO/IEC 27001	Information security management framework	Aligned -- not certified
APRA CPS 234	Information security expectations for financial services supply chain	Active -- controls documented
Privacy Act 1988 (as amended 2024)	Australian Privacy Principles (APPs)	Active -- Privacy Officer appointed
ASIC regulatory expectations	Technology provider obligations for financial planning	Active -- record-keeping and audit controls
Notifiable Data Breaches scheme	Mandatory breach notification	Active -- incident response procedures

2.1 Essential Eight Mapping

Essential Eight Control	MNH Expert Implementation
Application control	Managed platform (Vercel/Fly.io) -- no arbitrary application execution
Patch applications	Automated dependency management; managed infrastructure patching by Vercel, Supabase, Fly.io
Configure Microsoft Office macros	Not applicable -- web-based SaaS platform
User application hardening	Content Security Policy (Planned); React built-in XSS escaping; strict input validation
Restrict administrative privileges	CASL-based role hierarchy; 6 defined roles with least-privilege enforcement
Patch operating systems	Managed infrastructure -- OS patching handled by Vercel, Fly.io, Supabase
Multi-factor authentication	Supabase Auth MFA capability available; enforcement planned for admin roles
Regular backups	Supabase managed backups with point-in-time recovery

3. Definitions

Term	Definition
AFSL	Australian Financial Services Licence
CASL	Code Access Security Library -- attribute-based access control framework used for permission definitions
DaaS	Data-as-a-Service -- MNH Expert's API offering for financial planning research data
HMAC	Hash-based Message Authentication Code
JWT	JSON Web Token -- used for session authentication and tenant scoping
MFA	Multi-Factor Authentication
OAIC	Office of the Australian Information Commissioner
OTP	One-Time Password
PII	Personally Identifiable Information
RLS	Row Level Security -- PostgreSQL feature enforcing data isolation at the database level
TLS	Transport Layer Security

4. Governance & Accountability

4.1 Privacy Officer

Matthew Hibbins, Managing Director, serves as the appointed Privacy Officer under the Australian Privacy Principles. The Privacy Officer is responsible for:

Overseeing this policy and its implementation.
Receiving and responding to privacy complaints and data breach notifications.
Conducting annual security control reassessments.
Liaising with the OAIC on notifiable data breaches.

Contact: security@mnh.expert | +61 478 669 918

4.2 Security Governance Cycle

Activity	Frequency
Security control reassessment	Quarterly
Full policy review	Annual
Staff security training	Annual
Incident response procedure review	Annual
Access privilege audit	Quarterly
Third-party vendor security review	Annual

5. Authentication & Access Control

5.1 Authentication Methods

MNH Expert authenticates users through Supabase Auth, which supports the following methods:

Email and password -- passwords enforced through Supabase's built-in strength requirements.
Magic link / OTP -- passwordless authentication via email-delivered one-time codes.
OAuth 2.0 -- federated authentication via Google and Microsoft identity providers.

5.2 Multi-Factor Authentication

Supabase Auth supports MFA (TOTP-based). MFA is available to all users and planned for mandatory enforcement on owner and admin roles. See Section 18 for the implementation roadmap.

5.3 Role-Based Access Control

MNH Expert implements a six-tier role hierarchy with granular permissions defined through CASL ability definitions:

Role	Description	Privilege Level
Owner	Organisation owner with full administrative control	Highest
Admin	Administrative access including user management and approval	High
Manager	Team management and oversight capabilities	Medium-High
Advisor	Financial adviser with client and document access	Medium
Paraplanner	Paraplanning staff with document preparation access	Medium
Support	Limited support-oriented access	Lowest

Each role is bound to specific action-resource permission pairs enforced at both the application layer (CASL) and database layer (RLS). Permissions follow the principle of least privilege -- users receive only the access required for their function.

5.4 Organisation-Scoped Multi-Tenancy

Authentication tokens carry JWT custom claims that inject the user's org_id and org_role. These claims are:

Set at authentication time and embedded in the access token.
Validated on every API request.
Used by both the application layer and database RLS policies to enforce tenant isolation.

5.5 User Approval Workflow

New user registrations are not automatically granted access. All new accounts require manual approval by an organisation administrator before the user can access any data or functionality. This prevents unauthorised self-registration and ensures that only vetted personnel gain access.

5.6 Service Account Controls

Backend service operations use a dedicated service role client configured with persistSession: false. This service client:

Is never exposed to browser environments.
Does not maintain persistent sessions.
Is used exclusively for server-side operations (background workers, CRON jobs, API processing).

6. Data Encryption

6.1 Encryption in Transit

All data transmitted to and from MNH Expert is encrypted using TLS 1.2 or higher. This applies to:

All web application traffic (user browser to Vercel edge).
All API connections (DaaS API consumers to MNH Expert endpoints).
All database connections (application to Supabase PostgreSQL).
All inter-service communication (web application to background worker).

6.2 Encryption at Rest

All persistent data is encrypted at rest using AES-256 encryption, managed by Supabase:

PostgreSQL database -- AES-256 encryption on all stored data, including client records, financial documents, and audit logs.
Supabase Storage -- AES-256 encryption on all uploaded files (SOAs, ROAs, supporting documents).

6.3 API Key Security

DaaS API keys issued to client organisations are:

Hashed using bcrypt before storage -- plaintext keys are never persisted.
Retrieved via a prefix-based O(1) lookup mechanism, avoiding full-table scans.
Revocable immediately by organisation administrators.

6.4 Service-to-Service Authentication

Inter-service communication (e.g., web application to background worker) is secured using HMAC-SHA256 signature verification:

Each request includes a cryptographic signature computed over the request body and timestamp.
Replay protection is enforced with a 5-minute timestamp window -- requests older than 5 minutes are rejected.
This prevents request forgery and replay attacks against internal service endpoints.

7. Network & Infrastructure Security

7.1 Hosting Architecture

MNH Expert operates on managed cloud infrastructure with no self-managed servers:

Component	Provider	Region	Purpose
Web application	Vercel	Global edge / Australian origin	Next.js application hosting
Background worker	Fly.io	Australian region	Async task processing (AI agents, document extraction)
Database	Supabase Cloud	Australian region	Managed PostgreSQL + Auth + Storage

7.2 Network Isolation

No direct internet access to the database -- all database queries are routed through the Supabase SDK/API layer, which enforces authentication and RLS.
The Fly.io background worker runs inside a Docker container based on Node.js Alpine, providing a minimal attack surface with only the packages required for operation.
Graceful shutdown handlers are implemented on the worker to prevent data loss or corruption during deployments and container restarts.

7.3 Infrastructure Patching

Operating system and runtime patching is managed by the infrastructure providers (Vercel, Fly.io, Supabase) under their respective security SLAs. MNH Expert maintains application-level dependency updates through regular review.

8. Application Security

8.1 Input Validation

All user input is validated using Zod schemas applied to:

Every tRPC procedure (the primary application RPC layer).
Every REST API endpoint (DaaS API).
All form submissions and file upload metadata.

Zod provides runtime type checking and constraint enforcement, rejecting malformed or unexpected input before it reaches business logic.

8.2 SQL Injection Prevention

Database queries are constructed exclusively through Drizzle ORM with parameterised queries. No raw SQL is executed except for a single, sanitised RLS configuration setter (SET LOCAL app.org_id), which validates the input as a UUID before execution.

8.3 Cross-Site Scripting (XSS) Prevention

React's built-in output escaping prevents injection of executable content in rendered HTML.
Explicit HTML escaping is applied to any user-generated content that may be rendered outside React's default escaping context.

8.4 Cross-Site Request Forgery (CSRF) Protection

Origin validation is enforced on all form submissions, verifying that requests originate from the expected application domain.

8.5 File Upload Security

File uploads are restricted by:

MIME type whitelist -- only the following types are accepted: PDF, JPEG, PNG, Microsoft Word (.doc/.docx), Microsoft Excel (.xls/.xlsx), CSV, and plain text (.txt).
File size limit -- 50 MB maximum per upload.
Content-Disposition header sanitisation -- filenames are stripped of quotes, newline characters, and non-ASCII characters to prevent header injection attacks.

8.6 Bot Detection

Public-facing forms implement honeypot fields to detect and reject automated bot submissions without impacting legitimate users.

8.7 Rate Limiting

Rate limiting is applied across multiple layers:

Scope	Limit	Purpose
Public forms (per IP)	5 requests per 10 minutes	Prevent abuse of unauthenticated endpoints
DaaS API (per API key)	Hourly quota (configurable per plan)	Fair use and capacity management
Internal services	1,000 requests per minute	Protect backend services from runaway processes
AI agent runs (per org)	2 concurrent executions	Prevent resource exhaustion from AI workloads

9. AI Security & Responsible Use

9.1 AI Processing Model

MNH Expert uses the Anthropic Claude API for AI-assisted paraplanning. Under Anthropic's enterprise data policy:

Client data sent for AI processing is not retained by Anthropic after the response is generated.
Data is not used for model training.
Processing occurs via API -- no client data is stored in Anthropic's systems beyond the duration of the request.

9.2 Prompt Injection Detection

A dedicated prompt injection scanner analyses all AI inputs against 25+ regex patterns designed to detect:

Instruction override attempts -- prompts attempting to alter the AI's system instructions.
Data exfiltration directives -- prompts attempting to extract system information or other tenants' data.
Deception directives -- prompts designed to make the AI produce misleading outputs.
Invisible Unicode injection -- use of zero-width or invisible characters to hide malicious instructions.

Requests matching these patterns are blocked before reaching the AI model.

9.3 Human-in-the-Loop Requirement

All AI-generated outputs are marked as drafts and require explicit human review and approval before being used in any client-facing document. The AI does not autonomously produce final advice documents -- a qualified human must review and accept every output.

9.4 AI Concurrency Controls

AI agent processing is limited to 2 concurrent agent runs per organisation, preventing any single tenant from monopolising shared compute resources and ensuring consistent performance across the platform.

10. Monitoring, Logging & Audit

10.1 Audit Trail Architecture

MNH Expert maintains five append-only audit tables providing comprehensive activity tracking:

Audit Table	Purpose	Retention
`audit_log`	General compliance audit trail covering user actions, permission changes, and system events	7 years (indexed)
`mw_crm_audit`	CRM data change tracking from document extractions, recording before/after values	7 years
`mr_api_usage`	DaaS API call logging including endpoint, HTTP status, and timestamps	Retained for billing and audit
`mw_activity_log`	Organisation-level activity tracking for operational visibility	7 years
`mw_advice_validation_log`	Compliance-grade immutable validation records for advice documents	7 years

10.2 Immutability Controls

The mw_advice_validation_log table is protected by database triggers that prevent UPDATE and DELETE operations. Once a validation record is written, it cannot be modified or removed, ensuring an immutable compliance trail for advice document validation.

10.3 API Usage Logging

Every DaaS API call is logged using a fire-and-forget append pattern, recording:

The API key (prefix only -- not the full key).
The endpoint called.
Response status code.
Request and response timestamps.

This logging does not add latency to API responses while maintaining a complete audit trail.

10.4 CRON Job Security

All 8+ automated scheduled routes (background tasks, cleanup jobs, synchronisation processes) are secured with a CRON_SECRET bearer token. Requests to CRON endpoints without a valid bearer token are rejected, preventing unauthorised triggering of scheduled operations.

11. Data Isolation & Multi-Tenancy

11.1 Defence-in-Depth Tenant Isolation

MNH Expert enforces tenant data isolation through three independent layers, any one of which would prevent cross-tenant data access:

Layer 1 -- Database Row Level Security (RLS)

RLS policies are applied to all 35+ database tables.
Each policy extracts the authenticated user's org_id from the JWT custom claims via the mw_org_id() database function.
Queries that do not match the authenticated organisation's ID return zero rows -- the data is invisible at the database engine level.

Layer 2 -- Application-Level Tenant Scoping

Every database query passes through the scopedTable() function, which appends an orgId filter to the query.
This provides a secondary enforcement layer independent of RLS.

Layer 3 -- Request-Level Context Setting

On every request, SET LOCAL app.org_id is executed with the authenticated user's organisation ID.
The organisation ID is validated as a UUID before being set, preventing SQL injection through the context variable.
This value is available to RLS policies and database functions for the duration of the transaction.

11.2 Storage Bucket Isolation

Files stored in Supabase Storage are isolated using org-scoped path validation. The storage path structure enforces the pattern:

{org_id}/{task_id}/{filename}

Supabase Storage bucket policies validate that the authenticated user's organisation ID matches the path prefix, preventing cross-tenant file access.

12. Session Management

12.1 Session Security Controls

Control	Implementation
Cookie security	`httpOnly` and `Secure` flags set via Supabase SSR
Token refresh	Automatic refresh on every request
Access token lifetime	1-hour default (short-lived)
Service sessions	`persistSession: false` for backend service role

12.2 Cookie Configuration

Session cookies are configured with:

httpOnly -- cookies are inaccessible to client-side JavaScript, preventing theft via XSS.
Secure -- cookies are transmitted only over HTTPS connections.
Supabase SSR integration ensures cookies are managed server-side with proper security attributes.

12.3 Token Lifecycle

Access tokens have a 1-hour default lifetime. Tokens are automatically refreshed on each request, providing a seamless user experience while limiting the window of exposure if a token is compromised.

13. Data Retention & Disposal

13.1 Retention Schedule

Data Category	Retention Period	Basis
Client working files (SOAs, ROAs, supporting documents)	7 years	ASIC record-keeping requirements
Audit logs (`audit_log`, `mw_crm_audit`, `mw_activity_log`, `mw_advice_validation_log`)	Minimum 7 years	ASIC compliance; indexed for retention queries
API usage logs (`mr_api_usage`)	Retained for billing and audit	Operational and contractual
OAuth tokens	Revoked and deleted on user disconnection	Privacy minimisation
Redis queue data	Ephemeral -- processed and cleared	No PII persisted in queue

13.2 Secure Disposal

Upon client request, data is irreversibly purged following a defined procedure:

Written confirmation received from an authorised representative of the client organisation.
All data associated with the organisation is identified across database tables and storage buckets.
Data is permanently deleted (not soft-deleted) from all storage locations.
Written confirmation of deletion is provided to the client.

13.3 OAuth Token Handling

When a user disconnects an integrated service (Google, Microsoft), the associated OAuth tokens are immediately revoked and deleted from MNH Expert's systems.

14. Personnel Security

14.1 Staff Composition & Location

MNH Expert is operated by Australian directors with authorised offshore staff located in the Philippines and Laos.

14.2 Offshore Access Controls

All offshore staff access MNH Expert systems exclusively through Microsoft 365 with the following controls enforced:

Multi-factor authentication (MFA) -- mandatory for all offshore accounts.
Device compliance policies -- only compliant devices can access organisational resources.
Data Loss Prevention (DLP) controls -- policies prevent unauthorised download, forwarding, or exfiltration of sensitive data.

14.3 Security Training

All staff receive annual security training covering:

Data privacy obligations under the Australian Privacy Principles.
Phishing awareness and social engineering defence.
Secure document handling procedures.
Incident reporting procedures.

14.4 Least Privilege Enforcement

Staff access is governed by the same CASL-based role definitions as client users. Internal personnel are assigned roles appropriate to their function and do not receive elevated privileges unless operationally required and approved.

14.5 Access Reviews

Access privileges are reviewed quarterly as part of the security control reassessment cycle. Accounts belonging to departed staff are disabled immediately upon separation.

15. Incident Response

15.1 Incident Response Framework

MNH Expert follows the ACSC incident response guidelines, structured across five phases:

Phase	Activities
Detect	Monitoring of audit logs, API usage patterns, authentication anomalies, and error rates
Contain	Isolate affected systems or accounts; revoke compromised credentials; disable affected API keys
Eradicate	Identify and remove the root cause; patch vulnerabilities; update security controls
Recover	Restore affected services from backups; verify data integrity; resume normal operations
Report	Document the incident; notify affected parties; report to regulators as required

15.2 Breach Notification

In the event of a notifiable data breach:

Affected clients are notified within 72 hours of MNH Expert becoming aware of the breach.
The Office of the Australian Information Commissioner (OAIC) is notified as required under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988).
Notifications include the nature of the breach, the types of information involved, and recommended steps for affected individuals.

15.3 Security Contact

All security concerns, vulnerability reports, and incident notifications should be directed to:

Email: security@mnh.expert Phone: +61 478 669 918

16. Business Continuity & Disaster Recovery

16.1 Database Backup & Recovery

Supabase managed backups with point-in-time recovery (PITR) -- enabling restoration to any point within the backup retention window.
Backups are managed by Supabase's infrastructure, inheriting their encryption and access controls.

16.2 Application Resilience

Component	Recovery Mechanism
Web application (Vercel)	Automatic rollback capability; rolling deployments with zero-downtime
Background worker (Fly.io)	Health check endpoint; automatic restart on failure
Queue data (Redis)	Ephemeral by design -- no PII persisted; jobs processed and cleared

16.3 Deployment Safety

Rolling deployments ensure that the application remains available during updates.
Automatic rollback capability on Vercel allows immediate reversion if a deployment introduces issues.
Graceful shutdown handlers on the Fly.io worker prevent data loss during container restarts and deployments.

17. Third-Party & Supply Chain Risk

17.1 Critical Service Providers

Provider	Service	Data Access	Security Posture
Supabase	Database, Auth, Storage	Full data access (managed PostgreSQL)	SOC 2 Type II; encryption at rest and in transit
Vercel	Application hosting	Application code; environment variables	SOC 2 Type II; edge network security
Fly.io	Background worker hosting	Processing data in transit	Infrastructure security; container isolation
Anthropic	AI processing (Claude API)	Data in transit only (not retained)	Enterprise data policy; no training on customer data

17.2 Vendor Assessment

Third-party service providers are assessed annually against:

Data handling and encryption practices.
Compliance certifications (SOC 2, ISO 27001).
Data residency and sovereignty (preference for Australian region).
Incident response and breach notification commitments.

18. Continuous Improvement & Known Gaps

MNH Expert is committed to transparency regarding its security posture. The following items are acknowledged as areas for improvement and are tracked in the security roadmap:

18.1 Planned Improvements

Item	Current State	Target State	Status
MFA enforcement	Available via Supabase Auth but not mandatory	Mandatory for owner and admin roles	Planned
Content Security Policy (CSP) headers	Not explicitly configured	Strict CSP via `next.config.ts`	Planned
Formal penetration testing	Not yet conducted	Annual external penetration test	Planned

18.2 Under Review

Item	Current State	Consideration
Geographic access restrictions	Not implemented	Evaluating IP-based or geo-based access restrictions for sensitive roles
SOC 2 certification	Not held	Evaluating cost-benefit for formal SOC 2 Type II certification

18.3 Commitment

These items are reviewed quarterly as part of the security control reassessment cycle. Progress is tracked and communicated to clients upon request.

19. Policy Acceptance & Version History

19.1 Version History

Version	Date	Author	Changes
1.0	10 April 2026	Matthew Hibbins	Initial policy release

19.2 Review & Approval

This policy is reviewed annually by the Managing Director and Privacy Officer. Material changes are communicated to affected clients.

19.3 Enquiries

For questions about this policy or MNH Expert's security controls, contact:

Matthew Hibbins Managing Director & Privacy Officer MNH Planning Administration Pty Ltd Email: security@mnh.expert Phone: +61 478 669 918

This document is the property of MNH Planning Administration Pty Ltd. Distribution to third parties is permitted for the purpose of due diligence assessment of MNH Expert as a technology service provider. Redistribution beyond this purpose requires written consent.

Cyber Security Policy