Security Disclosure
- Version
- v0.4
- Status
- founder_draft
- Effective date
- TBD
- Last updated
- 2026-06-20
Full legal content
Security Disclosure
Closed-beta legal boundary: Founder-prepared draft for closed-beta readiness. Lawyer/CA review required before paid/public production. PGI Hub has no approved live payments, GST invoicing, vendor payouts, escrow, public marketplace launch, automated supplier award, or production legal approval under this pack.
1. Master Overview and Boundary
This Protocol governs security disclosure within PGI's closed-beta procurement intelligence and RFQ workflow environment. It binds the users, organizations, vendors, buyers, support operators, and implementation teams identified in the document metadata and allocates PGI's role as a workflow and decision-support platform, not as a seller, buyer, broker, payment intermediary, escrow provider, customs broker, freight forwarder, insurer, legal advisor, tax advisor, or guarantor.
This document does not activate live payments, vendor payouts, public production claims, supplier performance guarantees, GST/tax guarantees, or verified marketplace status.
2. Operational Definitions
- PGI means PGI Hub — Procurement Global Intelligence.
- Closed Beta means controlled no-payment platform access for invited users and readiness review.
- Workflow Record means the relevant account, buyer, vendor, RFQ, quote, supplier, AI, data, support, security, or admin record governed by this document.
- Data Quality Warning means a visible or internal warning that a field or output is stale, incomplete, inferred, conflicting, unverified, or low confidence.
- Governed Access means access controlled by eligibility, UI notice, acceptance, permissioning, rate limits, audit logs, and escalation rules.
- Professional Review Pending means lawyer/CA/payment-provider/founder approval is still required before paid/public production.
3. Core Compliance Architecture
| Control area | Rule |
|---|---|
| Platform role | PGI provides procurement intelligence, workflow support, data organization, supplier discovery support, RFQ workflow support, quote comparison support, and decision-support outputs. |
| User responsibility | Users remain responsible for authority, accuracy, independent validation, commercial decisions, legal/tax review, technical review, logistics, and contract terms. |
| PGI boundary | PGI does not guarantee supplier performance, price, availability, stock, delivery, quality, certification, tax/GST treatment, or suitability. |
| Evidence | Material actions should be associated with source, timestamp, version/hash where applicable, user/org context, and audit record. |
| Data quality | Stale, unsupported, conflicting, inferred, or low-confidence data must be labelled, downgraded, hidden, corrected, or routed for review. |
| Closed beta | Payment, payout, escrow, public launch, and production claims remain blocked. |
4. Risk Boundary
Security/support documents define controls and intake routes; they do not guarantee incident prevention or complete compliance.
5. PGI-Specific Operational Examples
| Scenario | Required treatment |
|---|---|
| User reports vulnerability | Acknowledge intake and route to security review. |
| RFQ spam detected | Rate-limit, suspend, and preserve audit evidence. |
| Grievance filed on vendor profile | Classify, review evidence, communicate bounded status. |
| Unauthorized admin access suspected | Revoke session, preserve logs, escalate P0/P1. |
6. Breach, Misuse, and Operational Response
Misuse includes unauthorized access, inaccurate submissions, false authority, misleading supplier claims, contact-control bypass, data scraping, RFQ spam, unsupported certification, stale commercial data presented as current, reliance on decision-support outputs as final professional advice, or attempts to activate blocked payment/public-production workflows.
PGI may restrict access, suspend accounts, hide records, correct fields, remove outputs, queue records for human review, preserve audit logs, escalate to internal SOP owners, notify affected parties where appropriate, and require professional review before reinstatement.
7. Product UI and Acceptance Mapping
| Item | Required mapping |
|---|---|
| Public/footer page | true |
| Product-screen linked | false |
| Internal-only | false |
| Route | /security-disclosure |
| Blocking acceptance | No |
| Acceptance recorded | No |
| Backend context | policy_view |
| Version/hash | Store document version and content hash where acceptance is recorded. |
Related Documents
terms-and-conditionsprivacy-policyclosed-beta-termsacceptable-use-policy
Review Status
Founder-prepared draft. Lawyer/CA review required before paid/public production.
Paid/public production readiness: Not approved. Lawyer/CA/payment-provider/founder review required.