The control posture, made observable.

1 · Scope & purpose

Nyansapɔ wɔsane no badwemma — the wise knot is untied only by the wise.

This policy applies to EcoVent Africa Limited (registration CS274771225) and its operating platform VPAY Genesis, including: the public website at ecoventafrica.com, the smart-contract stack on Polygon Mainnet, the Gold Sovereign Unit (GSU) hardware fleet, the off-chain API surfaces (current and planned), and all employee and contractor access to company systems.

The policy is intentionally structured to address the auditor-prioritised gaps from the 27 May 2026 institutional audit while remaining honest about pre-launch posture. Where a control is implemented in code or hardware, the implementation is stated. Where a control is in the commissioning queue, the queue position and target date are stated.

This is a public summary. The full internal policy with vendor lists, key custody procedures, and incident playbooks is held under restricted access and is available to qualified diligence parties under NDA via ecoventafrica.com/diligence.

2 · Asset classification

Sankɔfa — what was lost can be retrieved if its name is known.

All information assets are classified into four tiers. Handling requirements escalate with tier. The classification is conservative by design: when in doubt, assets are placed at the higher tier.

• Tier 1 · Public. Marketing copy, public addresses of deployed smart contracts, the audit-published $SOV mint formula, this policy itself. No confidentiality requirement; integrity controls apply (no unauthorised modification).
• Tier 2 · Internal. Operational dashboards, internal runbooks, non-public roadmap items. Restricted to EcoVent employees and contracted operators on a least-privilege basis. Encrypted at rest and in transit.
• Tier 3 · Confidential. Hardware Bill of Materials, vendor contracts, customer KYC records (when collected), the full institutional API specification, GSU calibration data. Access requires named authorisation and is logged. Encrypted at rest and in transit. Travels only over encrypted channels.
• Tier 4 · Restricted. Cryptographic keys (Safe signer keys, GSU device private keys, engine relayer keys), founder personal information, identifiable beneficial-ownership data, criminal-justice-adjacent records. Held in hardware security modules or equivalent. Access requires two-person authorisation for any export or transfer.

Public blockchain data (transaction history, smart contract state on Polygon Mainnet) is by definition Tier 1 — its publicity is the source of verification value. The architecture deliberately reduces Tier 3 and Tier 4 surface area by writing as much as possible to the public ledger.

3 · Access control

Adwene di adanseɛ — the mind bears witness.

Access to systems is granted on a least-privilege basis, scoped to job function, and revoked on role change or termination. Three control surfaces deserve specific mention.

• On-chain admin (the highest-stakes surface). All ten production contracts on Polygon Mainnet are administered by a Gnosis Safe multisig (2-of-2 today, migrating to 2-of-3) at 0xFc93b70fAa2045e19CEae43d1b645b2137c68A67. The deployer EOA has renounced DEFAULT_ADMIN_ROLE on every contract — on-chain verifiable via hasRole(0x0, deployerEOA) == false. No single individual can perform administrative actions; any role grant, pause, or parameter change requires co-signature.
• Engine relayer keys. The Ananse REASONER key, ORACLE key, and Opɛ relayer key are held off the Safe in hot wallets with strictly bounded permissions (e.g. only openWitness/closeWitness on MasieBridge). These keys can incur transaction costs but cannot grant roles, mint tokens, or change protocol parameters. Compromise would degrade the witness signal but cannot affect the canonical state.
• Workstation and account access. All founder and contractor accounts on third-party services (Netlify, GitHub, Polygon RPC providers) use hardware-key-bound multi-factor authentication where supported, and TOTP elsewhere. Password-only authentication is prohibited for any account that can deploy code or modify production.

Audit-noted gap: A formal personnel onboarding/offboarding checklist with access-provisioning gates is in commissioning under Phase 1 of the audit roadmap. Target: Q3 2026.

4 · Cryptographic standards

Sika di adanseɛ — the gold bears witness.

The protocol's verification claims rest on cryptographic integrity. Standards used:

• Transport. TLS 1.3 enforced on ecoventafrica.com via Netlify's edge. Older TLS versions are not negotiated. HSTS is set with one-year max-age.
• On-chain hashing. keccak-256 across all VPAY contracts for attestation hashes, candle hashes, model commit hashes. Matches Ethereum/Polygon EVM canonical hash.
• GSU hardware signatures. ECDSA on secp256k1, matching the EVM key curve, so the same signature primitive verifies hardware origin on-chain. Private keys are generated inside the hardware secure element and never exit the device.
• Wallet custody. The Safe multisig uses ECDSA on secp256k1 with co-signer keys held in hardware wallets (Coinbase Wallet self-custody and equivalent).
• Code integrity. Git tags on production releases are GPG-signed by the founder. Build artefacts on Netlify are content-addressed; the SHA of every deployed asset is reproducible from the git commit.

Audit-noted gap: A formal data-at-rest encryption standard for off-chain databases (e.g. paper-trade SQLite, COT cache) is in commissioning. Current state: filesystem-level encryption on operator workstations; documented standard under Phase 1.

5 · Vendor & supply-chain security

Wofa di adanseɛ — the uncle bears witness, too.

VPAY Genesis depends on a deliberately small set of vendors. Each one is selected with security and continuity criteria, and each is documented in the internal vendor register.

• Polygon Network. Public L2 blockchain. Decentralised consensus reduces single-vendor risk; the protocol's existence does not depend on Polygon Labs.
• Chainlink. XAU/USD oracle for the $SOV minting formula. Industry-standard decentralised oracle network with documented attack-resistance properties.
• Netlify. Static-site host with edge TLS termination, CSP enforcement, immutable asset caching. Strict Content Security Policy (no 'unsafe-inline') deliberately enforced; this constraint has surfaced inline-style bugs that the surface engineering team has been progressively eliminating.
• GitHub (org: ecovent-africa). Source control. Branch protection on main. Signed commits required for production-tagged releases.
• Plausible Analytics. Privacy-first traffic metrics. No cookies, no third-party identifiers, no cross-site tracking. EU-hosted under GDPR.
• Hardware vendors (GSU stack). XRF spectroscopy, mass measurement, GPS receivers, secure elements. Vendor selection criteria, country of origin disclosure, and integrity inspection procedures are documented in the internal Bill of Materials (Tier 3, available under NDA).

Audit-noted gap: A formal vendor risk review schedule with quarterly attestation requirements is in commissioning. Target: Phase 2 (6–12 months).

6 · Vulnerability disclosure

Asɛm a aba — only what has come.

VPAY Genesis welcomes coordinated disclosure of security vulnerabilities from any researcher acting in good faith. The disclosure pathway is intentionally simple.

• Primary channel. Email security@ecoventafrica.com (preferred) or the founder directly at Ano@ecoventafrica.com. PGP key fingerprint and full responsible-disclosure terms published at /.well-known/security.txt per RFC 9116.
• Scope. All ecoventafrica.com surfaces, the institutional API (when live), all production smart contracts on Polygon Mainnet (canonical addresses on /compliance.html#contracts), GSU hardware where deployed.
• Out of scope. Denial-of-service on production. Social-engineering of employees or contractors. Physical attacks against deployed hardware.
• Acknowledgement window. First acknowledgement within 48 hours. Status update within 5 business days. Public coordinated disclosure timed in good-faith negotiation with the reporter, typically 90 days from confirmed report.
• Smart-contract challenges. KommitBridge (IP #2) implements on-chain coordinated disclosure through the challenge mechanism. Any party may post a challenger bond and counter-hash; if the reasoner output diverges from independent replay, 50% of the bond is awarded to the challenger. This is bounty-style disclosure formalised into the protocol itself.

EcoVent Africa will not pursue legal action against good-faith researchers acting within scope. We commit to public acknowledgement of valid disclosures with the reporter's permission.

7 · Incident response

Mate Masie — what I hear, I keep.

Incident severity is classified into four tiers, with response procedures scaled to severity. The Chief Compliance Officer (Ibilola Macaulay) is the named Incident Commander for any Severity 1 or 2 incident; the founder is alternate commander.

• Severity 1 · Critical. Active compromise of admin keys, unauthorised mint of $SOV, smart-contract exploit in progress, custody breach of physical gold. Response: immediate CircuitBreaker pause (already deployed; available to Safe co-signers in seconds), public status post within 4 hours, regulator notification within 24 hours where applicable, full post-incident report within 30 days.
• Severity 2 · High. Data breach (e.g. waitlist email leak), oracle deviation requiring manual intervention, hardware fleet anomaly across multiple GSU devices. Response: investigation initiated within 4 hours, affected parties notified within 72 hours where personal data is involved (GDPR/Act 843 requirement), post-incident report within 30 days.
• Severity 3 · Moderate. Service disruption on non-critical surfaces (deploy-flagship website, analytics), individual hardware failure within redundant set, minor procedural deviation. Response: investigation within one business day, internal report.
• Severity 4 · Low. Cosmetic bugs, vendor service degradation that doesn't affect the canonical state, learnings from near-miss reviews. Response: queued for next sprint.

Audit-noted gap: A full Incident Response Plan with named playbooks per scenario type, communication templates, and tabletop exercise schedule is in commissioning under Phase 1 of the audit roadmap. The on-chain CircuitBreaker provides immediate technical containment capability; the surrounding paperwork is the in-flight piece. Target: Q3 2026.

8 · Review cadence & ownership

Nkrabea — the appointed time.

This policy is owned by the Chief Compliance Officer in consultation with the founder, and is reviewed on the following cadence:

• Quarterly review. Standing CCO review against operational reality. Material changes published with a new version number.
• Post-incident review. Any Severity 1 or 2 incident triggers a mandatory review of relevant sections.
• Annual external alignment. Once per year, the policy is checked against the current ISO 27001 Annex A control set and any updates from the NIST CSF and FATF Recommendations.
• Pre-funding-round review. Before any institutional capital raise, the policy is reviewed against the diligence requirements of the target investor class.

Version 1.0 · Effective 27 May 2026 · Supersedes informal practice. Next scheduled review: 27 August 2026.

9 · Contact

Wofa di adanseɛ — the uncle bears witness.

For security vulnerabilities: security@ecoventafrica.com or see /.well-known/security.txt.

For policy questions, compliance inquiries, or to request the full internal policy under NDA: Ano@ecoventafrica.com or ecoventafrica.com/diligence.

Postal: EcoVent Africa Limited, 40 Nii Nortei Nyanchi Street, Dzorwulu, Accra, Greater Accra, Ghana.

Version 1.0 · Effective 27 May 2026