Security
Last updated:
Summary overview: certifications are listed here only once formally awarded.
Security is foundational to recruitment and safeguarding-adjacent workflows. Netvett implements layered technical and operational controls aligned with mainstream cloud-native best practice. No online service can honestly claim unconditional "bank-grade" or "military-grade" security: such claims only mean something against an agreed scope, penetration testing, third-party certification, and your own deployment posture.
1. What we optimise for
- Least-privilege APIs with explicit origins and hardened middleware.
- Strong transport encryption and modern browser protections (HTTPS, CSP, HSTS).
- Phishing-resistant authentication pathways (including passkeys for sensitive actions).
- Abuse-aware rate limits on authentication endpoints and high-risk mutations.
- Structured audit logging around privileged behaviours.
- Encryption for data at rest in managed cloud primitives.
2. Web application
The public site and dashboards ship with tightened response headers: Content Security Policy scaffolding, a restrictive Referrer-Policy, MIME-sniffing mitigation (X-Content-Type-Options: nosniff), a ban on framing by other sites, and, where production configuration enables it, Strict Transport Security, with preload eligibility added only after a soak period because a preload listing is hard to reverse. Powerful browser APIs are disabled through Permissions-Policy unless a feature clearly needs them.
3. API platform
The JSON APIs enforce request body-size caps, validated DTOs, and an explicit CORS origin allow-list for browser callers. Optional trusted-proxy semantics mean that forwarded-client headers (such as X-Forwarded-For) are honoured only when the connection arrives from a configured reverse proxy, so rate limits and audit records key on the real visitor address rather than on the proxy's, and a direct caller cannot spoof its own address by supplying the header itself.
4. Sessions and cross-site abuse resistance
Where cookie-backed authentication is deployed, session cookies that are equivalent to bearer tokens are flagged HttpOnly, so a script injected by cross-site scripting cannot read them directly. (HttpOnly does not stop the browser from attaching the cookie to a forged request, which is why it is paired with the token check that follows.) State-changing mutations are protected with a cookie plus synchroniser-token pattern comparable to that of mature financial SPAs; details sit in engineering hardening docs shared under NDA during diligence.
5. Incident response
Report suspected vulnerabilities or incidents to security@netvett.io. Include reproduction steps where it is safe to do so; we honour coordinated disclosure when researchers act in good faith. Law enforcement or regulatory correspondence should copy both security@netvett.io and dpo@netvett.io when personal data might be affected.
6. Your responsibilities
Customers must safeguard administrator credentials, manage device posture for staff with elevated rights, revoke departed users promptly, and configure identity providers responsibly. Shared-secret API keys belong in vaults — never repositories or ticketing systems.
7. Assurance artifacts
Assurance timelines are described under Compliance framework. Procurement teams requesting evidence packs should email trust@netvett.com; we tailor technical annexes rather than dumping raw repositories.