Attachment A — Foreign Ownership, Control or Influence (FOCI) Information Form — DRAFT

Transcribe into the DOCX template ../attachments/07-foci-information-form.docx.


Supplier Details

| Term | Definition |
| --- | --- |
| Legal entity name | Anuna Research Cooperative [confirm exact registered entity name before lodgement] |
| ABN / ACN | [insert — confirm before lodgement] |
| Country of Incorporation | Australia |
| Entity structure | Australian cooperative |
| Contact name / Position | Hugo O’Connor / Trust Engineering |
| Email / Phone | hugo@anuna.io / [insert before lodgement] |

FOCI Information Questions

1. Defence Industry Security Program (DISP) or Hosting Certification Framework (HCF) Status

Are you currently a member of the DISP or certified under the HCF?

☒ No — Anuna Research Cooperative is not currently a DISP member or HCF certified.

If a future procurement progresses to a stage requiring DISP membership, Anuna Research Cooperative will apply for DISP entry-level membership.

If the procurement involves hosting data for the ATO at a level requiring HCF certification of the underlying hosting provider, AWS Sydney (ap-southeast-2) holds the Certified Strategic Hosting Provider classification under the HCF.

2. Ultimate Ownership and Structure

Identify your organisation’s Ultimate Beneficial Owner(s) (UBOs).

Anuna Research Cooperative is an Australian cooperative. Under the cooperative structure, member-practitioners hold equal voting rights (“one member, one vote”) regardless of capital contribution. Ultimate beneficial ownership in the standard corporate sense does not directly apply; for FOCI purposes the practitioner members of the cooperative are listed below.

| Member Full Legal Name | Role | Country of Citizenship |
| --- | --- | --- |
| Hugo O’Connor | Trust Engineering | Australia |
| Mathew Mytka | Transformative Adaptation | [confirm before lodgement] |
| Claire Barnes | Systems Engineering | [confirm before lodgement] |
| Dave Factor | Automation Engineering | [confirm before lodgement] |
| Viveka Weiley | Strategic Design | [confirm before lodgement] |

Corporate structure: single-tier Australian cooperative — no parent company, no subsidiaries, no holding entity. A current corporate-structure diagram can be provided on request; under cooperative law, the structure is uncomplicated.

3. State Ownership or Control

Is your organisation or any of its UBOs state-controlled, majority funded by, or financially connected to a foreign government or sovereign entity?

☒ No

No state ownership, no state control, no majority funding from any foreign government, no special relationship with a foreign government providing preferential contracts or state funding. All revenue is from commercial sources and (where applicable) Australian-government research grants.

4. Politically Exposed Persons (PEPs)

Are any of your organisation’s senior executives, directors or UBOs classified as PEPs?

☒ No — none of Anuna Research Cooperative’s member-practitioners or directors are Politically Exposed Persons per the standard FATF / AUSTRAC definitions (no senior political positions, no senior judicial / military / state-enterprise positions, in Australia or any foreign jurisdiction). [confirm before lodgement with each member]

5. Access to ATO Systems, Networks or Data

Will your organisation, or any personnel or systems involved in delivering the proposed goods or services, have access or connectivity to ATO systems, networks or data?

☒ Yes (if a procurement progresses past the RFI stage and Anuna Research Cooperative is engaged)

5.1 Description of access / connectivity:

The proposed SABLE SaaS Verification Service connects to ATO systems via AWS PrivateLink (VPC Endpoint Service in ap-southeast-2). Specifically:

  • ATO myID infrastructure (in the ATO AWS environment) sends ZK verification requests to the SABLE Verification API endpoint via PrivateLink
  • No internet egress; no public endpoint; no transit through Transit Gateway
  • Anuna Research Cooperative L2/L3 support engineers have read-only access to operational dashboards (Amazon CloudWatch metrics, structured logs) via federated SSO from Anuna Research Cooperative’s AWS account — no access to ATO’s underlying systems or any production PI
  • Anuna Research Cooperative engineers do not have access to ATO’s production AWS account, to any ATO user data, or to any ATO operational systems beyond the SABLE Verification Service operational telemetry

5.2 ATO information accessed, stored, transformed or transmitted:

  • Biometric data: never — by architectural design (Halo2 ZK proofs keep biometric data on the user’s device; only the proof + minimal metadata reach the SaaS)
  • Personal Information: never — the SaaS receives no PI of any kind
  • Operational telemetry (verification counts, latencies, error rates, ATO-account-ID-scoped metrics) — stored in ap-southeast-2 AWS region only, never replicated outside Australia
  • Audit logs (administrative actions, verification request metadata excluding PI) — stored in ap-southeast-2 with Object Lock for immutability

5.3 Access restriction and safeguards:

  • Authentication: mTLS client-certificate authentication between ATO infrastructure and the SABLE Verification API; per-environment certificates; certificate lifecycle managed via AWS Certificate Manager Private CA
  • Authorisation: IAM least-privilege; cross-account roles scoped to specific read-only operations
  • Encryption: TLS 1.3 in transit; AES-256-GCM at rest (KMS customer-managed keys); envelope encryption for sensitive operational data
  • Network segregation: AWS PrivateLink endpoint isolates the ATO–Anuna Research Cooperative data plane from the public internet
  • Monitoring: Amazon GuardDuty + CloudTrail across the entire SABLE AWS account; alerting on any anomalous access pattern
  • Personnel: all access by Anuna Research Cooperative staff logged, audited, and time-bound; named-engineer access for production troubleshooting only

6. Cloud / Hosting Providers and Data Flows

| Provider | Role | Region | Data flowing through |
| --- | --- | --- | --- |
| Amazon Web Services | Primary cloud infrastructure | ap-southeast-2 (Sydney) | All operational data (no PI) |
| CloudFlare (optional) | DNS for non-production status page only | Global edge | Public status page only — no ATO data |
| GitHub | Source code repository (open-source SABLE library) | US-based | Open-source code only — no ATO data |
| Codeberg | Source code repository (open-source SABLE library, mirror) | EU-based | Open-source code only — no ATO data |
| PagerDuty | On-call paging | Australia region | Alert metadata only — no ATO data |
| Atlassian / GitHub Issues | Internal ticket tracking | Australia / US | Internal Anuna Research Cooperative engineering tickets — no ATO data |

If the ATO requires a more restrictive provider list for any provider above (e.g. PagerDuty replacement with Australia-only on-call solution; private GitHub Enterprise instance), Anuna Research Cooperative will adapt to ATO requirements as part of a procurement-stage architecture review.

7. Subcontractors and Supply-Chain Risk

At the RFI stage, no subcontractors are named and no partner arrangements are in place. In a procurement stage involving a contract, Anuna Research Cooperative anticipates engaging the following classes of Australian subcontractor; partner identification, due diligence, and contracting would be a procurement-stage activity:

  • Australian Security Vetting Agency–cleared support partner for NV1-cleared L2 / L3 support — required for OP-9 compliance
  • Australian managed-SOC provider for managed insider-risk monitoring — for OP-6 if scale warrants
  • ILAC-accredited PAD testing laboratory for ISO/IEC 30107-3 EAL-2 testing — one-off engagement for LV-5 / LV-6 evidence
  • IRAP-assessed Australian incident management portal — for OP-9
  • Accredited Australian accessibility audit firm — one-off engagement for UX-3
  • Registered IRAP assessor — for SC-1 / SC-6 evidence
  • Optionally, an Australian systems-integrator partner for delivery scale if the procurement scope warrants it

All subcontractors selected will be Australian-incorporated or hold Australian operating subsidiaries with Australian-cleared personnel for any ATO-data-touching work.


Declaration

I, Hugo O’Connor, in my capacity as authorised representative of Anuna Research Cooperative (Trust Engineering), declare that the information provided in this FOCI Form is, to the best of my knowledge and belief, true, accurate, and complete as at the date of this Response.

Signed: ____________________________ Hugo O’Connor — Trust Engineering, Anuna Research Cooperative Date: 4 June 2026


End of FOCI draft.