Application Security
Every application we build follows secure development practices aligned with OWASP guidelines.
- OWASP Top 10 risk mitigation built into our development process
- Input validation and output encoding on all user-facing forms
- Parameterised queries — no raw SQL, no injection vectors
- HTTPS/TLS encryption on all connections
- Content Security Policy (CSP) headers on all web applications
- Secure authentication with hashed passwords, session management, and multi-factor support
- Role-based access control (RBAC) implemented at the database level
Infrastructure & Hosting
We host applications on industry-leading platforms with enterprise-grade security.
- Hosting on Vercel, AWS, and Azure — all SOC 2 Type II compliant
- Automatic SSL/TLS certificate management
- DDoS protection and WAF (Web Application Firewall) where applicable
- Environment variable management — secrets never stored in code repositories
- Automated deployment pipelines — no manual server access required
- Database hosting on Supabase (backed by AWS) with row-level security (RLS)
Data Protection
We implement GDPR-compliant data handling across all projects and internal operations.
- Data Protection by Design and by Default (GDPR Article 25)
- Data Processing Agreements (DPA) available for all client engagements
- Personal data minimisation — we only collect and process what's necessary
- Right to access, correction, and deletion implemented in all user-facing systems
- Data stored within the EU/UK unless explicitly agreed otherwise
- Regular review of data retention policies
Access Control
- Principle of least privilege — team members only access what they need
- Multi-factor authentication required on all production systems
- SSH key-based authentication — no password access to servers
- Regular access reviews and prompt offboarding of departing team members
- Separate development, staging, and production environments
Code Security
- Private GitHub repositories with branch protection rules
- Code reviewed by senior engineers before merge to production
- Dependency vulnerability scanning
- No secrets or credentials committed to version control
- Git commit signing where required
Incident Response
In the event of a security incident, we follow a structured response process:
- Immediate containment and assessment
- Client notification within 24 hours of a confirmed breach
- ICO notification within 72 hours where personal data is affected (GDPR Article 33)
- Root cause analysis and remediation
- Post-incident review and documentation
Vendor & Supply Chain
We use trusted, well-established technology vendors and evaluate their security posture:
- Vercel — SOC 2 Type II, GDPR compliant
- Supabase — SOC 2 Type II, hosted on AWS
- GitHub — SOC 2 Type II, enterprise security
- Stripe — PCI DSS Level 1 certified
Contact
For security-related enquiries, vulnerability reports, or to request our security documentation for procurement purposes, contact us at info@candouritservices.com.
We're happy to provide Data Processing Agreements, security questionnaire responses, and additional compliance documentation as part of vendor assessment processes.