Who decides what, with which authority.

1 · Purpose & authority

Tikoro nko agyina — one head does not hold council.

This charter establishes the cybersecurity and information-risk governance of EcoVent Africa Limited and its operating platform VPAY Genesis. It addresses the NIST Cybersecurity Framework 2.0 Govern function explicitly, and provides the structural underlay for SOC 2 Type II, ISO 27001:2022, and ISO 22301:2019 alignment.

The authority for this charter rests with the founder and is operationalised through the Chief Compliance Officer. Material amendments require co-signature from both. Versions are dated, sequentially numbered, and archived; the current version is always the one published at this URL.

Where the auditor's gap is: The 27 May 2026 institutional audit found that "EcoVent Africa has established a clear governance structure with a dedicated Chief Compliance Officer (CCO), which partially addresses the leadership and governance requirements" but flagged the absence of a published charter. This document closes that gap as publicly observable evidence.

2 · Governance structure

Sika Dwa Kofi — the stool the network can sit on.

The current governance structure is intentionally small, appropriate to the company's stage (founded 2024, pre-launch). It is designed to scale by adding seats around an existing council, not by re-architecting the council.

• Founder & Chief Executive. Ano Yoofi Agyei. Holds ultimate accountability for the protocol, the brand, and the capital base. Interim Chief Technology Officer and Head of AI until those roles are formally filled. Founder allocation of $SOV is held in SOVVesting with a 12-month cliff and 4-year linear release — irrevocable on-chain.
• Chief Compliance Officer. Ibilola Macaulay. Holds operational accountability for AML/CFT compliance, regulatory alignment (Article 114, GANRAP, FATF), the personal-data programme (Ghana DPA 2012 / EU GDPR), and the security and governance charter you are reading. The CCO is the named Incident Commander for Severity 1 and 2 incidents (see Information Security Policy §7).
• Safe co-signers (2-of-2 multisig today, migrating to 2-of-3). The two non-founder co-signers on the production Safe 0xFc93b70fAa2045e19CEae43d1b645b2137c68A67 constitute the operational check on founder authority for on-chain administrative actions. Any role grant, contract pause, or parameter change requires a co-signature beyond the founder's. Identities of co-signers held confidentially under Tier 4 classification.
• The protocol itself (Anokye orchestrator + NANANOM Council). Eleven specialist modules consolidate signals into a single verdict before any leveraged trade or capital decision is executed. This is the algorithmic governance layer — automated, observable on /leverage-live, and increasingly load-bearing as the operator surface scales.

Audit-noted growth path: An independent advisory board with at least one non-executive director (security/compliance specialist) and a board observer from a future institutional investor is in commissioning, sized to the funding round that follows the 24-month institutional maturation programme.

3 · Roles & responsibilities

Adwene di adanseɛ — the mind bears witness.

For each major decision class, the table below names who is Responsible (does the work), Accountable (single point of accountability), Consulted (input required), and Informed (notified after the fact).

• Smart-contract upgrades or pauses. Responsible: founder + Safe co-signer. Accountable: founder. Consulted: CCO + (when retained) external auditor. Informed: public via on-chain event + status post.
• Token economics changes. Responsible: founder. Accountable: founder. Consulted: CCO + Safe co-signers. Informed: public + waitlist via canonical channel.
• KYC/AML programme updates. Responsible: CCO. Accountable: CCO. Consulted: founder, external Ghana regulatory counsel. Informed: public summary at /aml-summary.html.
• Privacy policy updates. Responsible: CCO. Accountable: CCO. Consulted: founder. Informed: public at /privacy.html with dated version.
• Security incident response (Sev 1–2). Responsible: Incident Commander (CCO). Accountable: founder. Consulted: Safe co-signers (for any on-chain pause). Informed: affected parties + regulators per Information Security Policy §7.
• Strategic capital allocation (the 30/30/30/10 matrix). Responsible: founder. Accountable: founder. Consulted: CCO + external counsel for any single allocation over US$100k. Informed: future investors via diligence materials.
• External communications and brand. Responsible: founder. Accountable: founder. Consulted: CCO for regulator-adjacent statements. Informed: public.
• Hire / contractor decisions. Responsible: founder. Accountable: founder. Consulted: CCO for any role with access to Tier 3 or Tier 4 data. Informed: existing team.

The boundary between Responsible and Accountable matters: even when the founder is Accountable, the CCO (or operational specialist) is the Responsible party for execution. This is the institutional check against single-person-decision risk that the audit specifically flagged.

4 · Risk appetite

Nyansapɔ wɔsane no badwemma — the wise knot is untied only by the wise.

Risk appetite is the standing decision about which risks the company will accept, which it will mitigate, which it will transfer, and which it will avoid. Stated explicitly so future hires, investors, and the founder's future self can hold the present founder to it.

• Zero tolerance: Any action that allows $SOV to mint without a valid on-chain attestation from a sealed GSU reading. This is the core integrity claim; any compromise of this rule destroys the product. The architecture enforces this in code (AttestationBridge holds MINTER_ROLE; nobody else can mint). The governance posture reinforces it.
• Zero tolerance: Any KYC/AML breach that creates a path for laundered or smuggled gold to be tokenised. The hardware-rooted attestation chain is the structural defence; the CCO programme is the procedural reinforcement.
• Zero tolerance: Founder-only administrative actions on the production Safe. The multisig co-signature requirement is non-negotiable; any temptation to "just for this one transaction" is a forbidden category.
• Low tolerance: Service disruption on the consumer-facing surfaces (deploy-flagship website, waitlist form). Target: 99.5% availability through Netlify's edge.
• Medium tolerance: Operator-surface friction (engine latency, dashboard bugs, internal tool churn). These are expected during pre-launch iteration; they are tracked and prioritised but do not block release.
• Higher tolerance: Cost-of-capital experiments within the Lee Allocation Matrix bounded by the Fire fund. Bounded downside; experiments are explicitly time-boxed and capital-capped.

Capital allocation discipline. The 30/30/30/10 capital allocation matrix (reinvest / asset acquire / liquidity reserve / personal development) is phase-adjusted to current stage and automated via Safe-administered splitter as soon as revenue arrives. The architecture is the discipline; the percentages migrate as the company's stage warrants.

5 · Escalation procedure

Mate Masie — what I hear, I keep.

Escalation is the path a concern travels when it cannot be resolved at the level it surfaces at. The path is short by design.

• Level 0 · Operator. Engine telemetry, hardware fleet health, routine support inquiries. Resolved by the on-duty operator within the normal workflow.
• Level 1 · Function lead. Compliance concerns escalate to the CCO. Technical concerns escalate to the founder (in their CTO interim capacity). Operational concerns escalate to the operations lead (interim founder).
• Level 2 · Founder + CCO joint review. Any concern that crosses functions, has regulatory implications, or has unclear ownership. Resolved within one business week unless extraordinary.
• Level 3 · External counsel / Safe co-signers. Any matter requiring on-chain administrative action, regulator notification, or material capital commitment. The Safe multisig is the structural backstop; external regulatory counsel is the substantive one.
• Level 4 · Public + regulator notification. Severity 1 incidents or any matter required by law to be disclosed. Triggers the public status protocol in Information Security Policy §7.

Any party — employee, contractor, vendor, external researcher, regulator, or member of the public — may initiate escalation by contacting Ano@ecoventafrica.com or cco@ecoventafrica.com. Retaliation for good-faith escalation is prohibited by founder commitment.

6 · Decision cadence

Nkrabea — the appointed time.

Decisions of different stakes travel at different speeds. The cadence below is the standing rule; emergency exceptions are made for Severity 1 incidents.

• Daily. Engine telemetry review, attestation stream health, treasury balance sanity. Founder.
• Weekly. Sprint review, incident-near-miss review, KYC/AML caseload review, vendor health check. Founder + CCO.
• Monthly. Risk register review, policy drift check against operational reality, capital allocation review. Founder + CCO.
• Quarterly. This charter reviewed. Information Security Policy reviewed. Aggregate metrics published (where possible without compromising operational security). External-counsel touch-base.
• Annually. Full third-party institutional audit (the inaugural audit was 27 May 2026 with composite 3.1/5.0; next scheduled 27 May 2027). NIST CSF 2.0 maturity score updated. ISO 27001 readiness reviewed. Risk appetite re-stated against current stage.

7 · Charter review & versioning

Sankɔfa — return and fetch.

This charter is reviewed quarterly by the CCO with founder co-signature, and immediately after any Severity 1 incident or material organisational change (new senior hire, capital round, regulator action). Each version is dated; the current version supersedes all prior versions at the same URL.

Version 1.0 · Effective 27 May 2026 · Supersedes informal practice. Next scheduled review: 27 August 2026.

8 · Contact

Wofa di adanseɛ — the uncle bears witness.

Founder (Ano Yoofi Agyei): Ano@ecoventafrica.com

Chief Compliance Officer (Ibilola Macaulay): cco@ecoventafrica.com

Security disclosures: security@ecoventafrica.com or /.well-known/security.txt

Postal: EcoVent Africa Limited, 40 Nii Nortei Nyanchi Street, Dzorwulu, Accra, Greater Accra, Ghana.

Version 1.0 · Effective 27 May 2026