Governance

Fenko Limited’s governance framework - Our commitment to security, privacy, ethical AI practices, transparency, and operational standards.

At Fenko Limited, we hold ourselves to high standards of corporate governance, security, and ethical conduct. As a company that builds and secures AI systems, we take these responsibilities seriously.

Corporate Structure

Company Details

Fenko Limited is a New Zealand company with its registered office in Auckland, New Zealand. The company operates globally with a remote-first team structure.

Fenko provides AI agent development, AI security, and penetration testing services. Its products include Foxhound and RiskyPlugins.com.

Leadership Team

Our leadership team combines expertise in cybersecurity, AI engineering, threat research, and business management to guide Fenko’s strategic direction and operations.

Security Governance

Security-First Culture

Security is embedded in our service delivery, data protection practices, incident response processes, and supplier management. Engagements follow secure delivery practices and responsible disclosure expectations. Systems and client data are protected through appropriate administrative, technical, and organisational safeguards.

Fenko maintains protocols for security incident management and disclosure. Suppliers and service providers are vetted according to the sensitivity of the systems, services, and information they may access.

Risk Management Framework

Fenko maintains a risk management programme covering operational risks, security risks, compliance risks, and reputational risks. This includes service availability, data integrity, system performance, threats to Fenko platforms and client data, regulatory obligations across relevant jurisdictions, and the trust placed in Fenko by clients and stakeholders.

Privacy & Data Protection

Privacy by Design

Fenko’s privacy approach is based on minimisation, transparency, user control, and compliance. We collect only the data reasonably necessary for service provision, communicate clearly about data usage and processing, and provide mechanisms for users to understand and manage their data where applicable.

Fenko operates in accordance with the New Zealand Privacy Act 2020 and considers relevant international privacy requirements where they apply to a product, client, or engagement.

Data Governance

Fenko applies data governance through classification, retention policies, access controls, and audit trails. Data is handled according to its sensitivity and purpose. Retention is managed according to legal, contractual, operational, and security requirements. Access is role-based and follows the principle of least privilege.

Where appropriate, Fenko maintains logs and monitoring records for data access and administrative activity.

Ethical AI & Analytics

Responsible Development

Fenko’s AI agent development and security assessment systems are built with attention to fairness, transparency, accountability, and continuous improvement. We test for bias and unintended outcomes where relevant to the system, document methodologies and limitations, and maintain human oversight for automated decisions where the impact requires it.

Models, tooling, and assessment methods are reviewed and improved as our research, operational evidence, and client requirements evolve.

Research Ethics

Fenko’s security research programme follows established ethical guidelines. Vulnerabilities are handled through appropriate reporting and coordination. Research activities consider consent, anonymisation, and proportionality. Public reporting of security findings is handled responsibly, with attention to user safety, affected vendors, and the wider security community.

Fenko may collaborate with security researchers, academic institutions, vendors, and other community participants where that collaboration supports responsible security outcomes.

Regulatory Framework

Fenko operates in compliance with applicable legal requirements and relevant industry practice. Relevant New Zealand legislation may include the Companies Act 1993, Privacy Act 2020, and Consumer Guarantees Act 1993. Fenko also applies information security management principles and appropriate data protection measures, including consideration of international privacy requirements where relevant.

Security and operational practices are reviewed against the needs of each product, system, and client engagement.

Fenko respects intellectual property rights in its operations and applies appropriate attribution and licensing practices for open-source components. Where technology export controls or similar restrictions apply, Fenko takes those obligations into account.

Fenko uses clear terms of service, engagement agreements, statements of work, or other written agreements to define rights, responsibilities, deliverables, and commercial terms.

Transparency & Reporting

Public Transparency

Fenko is committed to appropriate public transparency through security reports, vulnerability disclosure, methodology documentation, and participation in security research communities. The level of detail disclosed depends on legal obligations, client confidentiality, responsible disclosure requirements, and the potential impact on affected users or systems.

Stakeholder Communication

Fenko communicates with clients about service improvements, security matters, and material issues affecting engagements or products. Fenko may also share insights and best practices with the broader security community and works constructively with regulatory authorities where required.

Internal Controls & Audits

Financial Controls

Fenko maintains financial controls appropriate to its size, operations, and legal obligations. This includes accounting in accordance with New Zealand requirements, internal review of financial controls and reporting, responsible allocation of resources, and fulfilment of applicable tax obligations.

Operational Controls

Fenko maintains operational controls for quality assurance, performance monitoring, change management, and business continuity. Service quality and operational performance are reviewed on an ongoing basis. System updates and material changes are managed through controlled processes. Disaster recovery and business continuity planning are maintained proportionate to the systems and services involved.

Contact for Governance Matters

For questions about our governance practices or ethical standards:

Email: [email protected]

General Inquiries: [email protected]


Strong governance is fundamental to earning and maintaining trust. We continuously improve our practices to meet appropriate standards of corporate responsibility and operational discipline.