Enterprise Security, Compliance, and Data Trust Summary

Official Trust Document for Inkstone NZ Ltd (The English Farm)

Executive Summary

Inkstone NZ Ltd (trading as The English Farm) provides an enterprise-grade online English language education platform utilizing proprietary video technology. This document outlines our commitment to security, legal transparency, and operational resilience.

  • Verified History: Operating with full legal and regulatory compliance since 2008.
  • Proven Security: Zero reportable data breaches or security incidents in the last five years.
  • Framework Alignment: Formally aligned with CIS Controls v8.1 (IG1) and ISO 27001:2022 organizational controls.
  • Infrastructure: Built on a cloud-native AWS architecture with mandatory MFA and AES-256 encryption.
  • Global Standards: Fully compliant with GDPR/CCPA, the UK Bribery Act, and US FCPA.

1. Corporate Profile and Legal Standing

Inkstone NZ Ltd (est. 2008) is a New Zealand-registered operating company (Company Number: 2052075) headquartered at 1/53 Davis Crescent, Newmarket, Auckland 1023, New Zealand. Since 2016, the organization has specialized in providing enterprise-grade online English language education via proprietary video chat technology delivered 1-to-1 with a qualified, trained English language teacher.

Legal Standing and Verified Compliance

Inkstone NZ Ltd has maintained a continuous, compliant operational history since 2008. The organization’s legal standing is built upon five pillars of verified adherence to New Zealand and international law:

  • General Commercial Governance: Consistent execution of domestic and international business contracting.
  • Employment and Labor: Full compliance with labor, health and safety, and employment regulations.
  • Privacy and Data Protection: Verified alignment with global data protection mandates.
  • Dispute Resolution: A proven track record of professional contractual resolution.
  • Financial Markets Regulation: Strict adherence to corporate governance and financial markets legislation.

Independent Data Controller Status

Inkstone NZ Ltd operates as an Independent Data Controller within enterprise ecosystems. This designation reflects the organization’s autonomy in determining processing methodologies required to deliver specialized language services while ensuring direct accountability for regulatory compliance.

2. Security Architecture and Infrastructure

Inkstone utilizes a resilient, cloud-native architecture designed to meet the availability and security requirements of Fortune 500 & global procurement teams.

Infrastructure and Data Repositories

Category             | Component
Cloud Infrastructure | Amazon Web Services (AWS) - RDS, S3, Dynamo, EC2
Productivity Suite   | Google Workspace
Proprietary Platform | Incorporating TEFTalk (Proprietary WebRTC Video Chat Tool), CMS, user management & teaching tools

Technical Security Controls

  • Malware Protection: Inkstone enforces environment-specific endpoint protection. This includes Windows Defender and Malwarebytes for Windows-based server environments and Sophos Antivirus for Mac-based systems. All infrastructure is continuously monitored by Amazon GuardDuty.
  • Encryption Standards: All data in transit and at rest is protected using industry-standard cryptography. Configuration integrity is persistently validated through automated infrastructure audit tools.
  • Malicious Code Prevention: Inkstone warrants that all software components and deliverables undergo rigorous checks for viruses, worms, backdoors, and Trojan horses.

3. Compliance Frameworks and Audit History

CIS Controls Alignment

Independent, formal gap analysis verifies that Inkstone is currently aligned with the Center for Internet Security (CIS) Controls v8.1 Implementation Group 1 (IG1), providing a robust defensive baseline for small-to-medium enterprises.

ISO 27001:2022 Organizational Controls

Inkstone maintains documented alignment with the ISO 27001:2022 framework, specifically:

  • Policy Governance: A formal Information Security Policy is reviewed and approved by senior management every 12 months.
  • Third-Party Oversight: A standard process is implemented for onboarding, reviewing, and monitoring the security posture of all suppliers and external partners.
  • Independent Verification: External security reviews are conducted regularly.

4. Operational Security Controls

Identity and Access Management (IAM)

Inkstone enforces the principle of Least Privilege and Segregation of Duties across all systems:

  • MFA Enforcement: Multi-Factor Authentication is mandatory for all Administrative and Cloud access.
  • Termination Protocol: All access rights for personnel and contractors are revoked within 2 calendar days of termination.
  • Access Reviews: User access rights for systems containing sensitive data are reviewed semi-annually.

Vulnerability Management

The environment is subject to weekly internal and external vulnerability scans, including the checking of firewall ports to identify and block unauthorized access points.

Risk Severity | Remediation Window
Critical Risk | Within 14 days
High Risk     | Within 30 days
Medium Risk   | Within 90 days

5. Data Privacy and Governance (GDPR/CCPA)

Privacy by Design

Inkstone implements "Privacy by Design" and data minimization as core engineering principles. To support GDPR data portability requirements, the platform provides a JSON export format on request for all user profile and lesson data.

Data Retention and Minimization

Personal data is retained only until a deletion request is received or until 5 years of user inactivity have passed.

Third-Party Subprocessor Management

Data sharing is strictly limited to the following essential subprocessors:

  • Infrastructure: Amazon (receives mailing addresses only for the delivery of physical textbooks when required for language instruction).
  • Analytics: Google Analytics (processes technical metadata and IP addresses for service optimization).
  • Instructional Staff: Teachers are granted access only to learner names, job titles, and profile pictures. Technical controls prevent teacher access to broader learner datasets.

6. Incident Management and Resilience

Security Incident History

Inkstone maintains a pristine security record, with zero reportable incidents to Supervisory Authorities and zero confirmed data breaches within the past five years.

Notification and Escalation

In the event of a suspected Security Incident, Inkstone utilizes AWS GuardDuty triggers for detection and Jira Service Management for enforcement of escalation policies. Inkstone commits to notifying clients within 24 hours of identifying a breach.

Business Continuity and Disaster Recovery (BCDR)

Inkstone maintains a high-availability solution with recovery nodes across geographically distributed data centers.

  • Recovery Time Objective (RTO): 24 hours for critical function restoration.
  • Recovery Point Objective (RPO): 12-hour maximum data loss threshold.

7. Implementation Framework and Service Standards

Platform Requirements

To maintain the security integrity of proprietary TEFTalk sessions, users must utilize the latest versions of Microsoft Edge, Firefox, Google Chrome, or Safari. Cookies and JavaScript must be enabled to facilitate secure session handshakes.

Supplier Standards of Conduct

Inkstone operates in full alignment with global ethical standards. This includes:

  • Anti-Corruption: Strict compliance with the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act (FCPA).
  • Trade Compliance: Adherence to international trade controls and sanctions.
  • Personnel Security: All staff undergo privacy and security training upon induction and annually thereafter. Training specifically covers modern threat vectors, including phishing, deepfakes, whaling, smishing, and Business Email Compromise (BEC).

Personnel Vetting

While the standard risk profile does not mandate universal background checks for all staff, Inkstone complies with enterprise requirements allowing clients to request background checks for assigned personnel at the client’s expense. Inkstone guarantees that only personnel cleared through such checks, where requested, will be assigned to client-specific work.