1. Our Commitment
At Elementary Digital, security is not an afterthought — it is embedded in our engineering culture, infrastructure choices, and operational processes. We build technology solutions for regulated industries including finance, government, and utilities, and we hold ourselves to the standards our clients expect.
We are committed to protecting the confidentiality, integrity, and availability of all data entrusted to us by our clients, partners, and users.
2. Infrastructure Security
Hosting
Our web applications are hosted on Vercel, a platform that provides enterprise-grade infrastructure with:
- Global edge network with automatic DDoS protection
- SOC 2 Type II certified infrastructure
- Automatic HTTPS/TLS for all traffic
- Isolated serverless function execution
- Automated deployment with immutable builds
Backend Services
Our authentication and data services are powered by Supabase (via the Route Royal platform), which provides:
- SOC 2 Type II certified infrastructure
- Row-level security (RLS) for database access control
- Encrypted database connections
- Automated backups with point-in-time recovery
- Network isolation and firewall rules
Media Delivery
Static media assets are served through Cloudinary, a dedicated content delivery network. No personal data is stored in or transmitted through Cloudinary.
3. Data Encryption
In Transit
All data transmitted between your browser and our services is encrypted using TLS 1.2 or higher. This applies to:
- Website and portal page loads
- API requests (enquiry submissions, authentication)
- Communication between our services and third-party processors
At Rest
Data stored in our database (via Supabase) is encrypted at rest using AES-256 encryption. This includes:
- User account information and profile data
- Enquiry submissions
- Authentication credentials (passwords are hashed using bcrypt, never stored in plain text)
4. Authentication and Access Control
We implement robust authentication controls to protect user accounts:
- OAuth 2.0: Support for Google OAuth with PKCE (Proof Key for Code Exchange) for secure authorisation flows
- Secure session management: HTTP-only cookies with secure and SameSite attributes for session tokens
- Password security: Passwords are hashed using bcrypt with appropriate salt rounds before storage
- Server-side validation: All API endpoints validate and sanitise input data before processing
- Principle of least privilege: API keys and service credentials are scoped to the minimum required permissions
5. Application Security
Our development practices incorporate security at every stage:
- TypeScript: Strict type checking across the entire codebase to prevent common vulnerability classes
- Input validation: Server-side validation on all API routes, including the enquiry submission endpoint
- Dependency management: Regular auditing of third-party dependencies for known vulnerabilities
- Environment isolation: Strict separation of development, staging, and production environments
- Secret management: API keys and credentials stored as environment variables, never committed to source code
- Immutable deployments: Each deployment is a complete, immutable build — no runtime modifications
6. Data Handling
We follow strict data handling principles:
- Data minimisation: We only collect personal information that is necessary for the stated purpose
- Purpose limitation: Data is used only for the purpose for which it was collected
- Retention limits: Data is retained only as long as necessary and securely deleted when no longer required
- Consent-based analytics: Analytics and advertising cookies are only set with explicit user consent via Google Consent Mode v2
- No data selling: We never sell, rent, or trade personal information to third parties
For full details on our data practices, see our Privacy Policy.
7. Incident Response
In the event of a security incident, we follow a structured response process:
- Detection and containment: Identify the scope of the incident and take immediate steps to contain it
- Assessment: Evaluate the impact on data and affected users
- Notification: Notify affected users and relevant authorities within the timeframes required by applicable law (72 hours under GDPR, as soon as reasonably possible under POPIA)
- Remediation: Implement fixes to prevent recurrence
- Post-incident review: Conduct a thorough review and update security measures as needed
8. Security Roadmap
We are actively working towards the following industry-recognised security certifications and standards. These represent our commitment to continuous improvement in security practices:
| Standard | Description | Status |
|---|---|---|
| ISO 27001 | International standard for information security management systems (ISMS) | Planned — aligning practices |
| SOC 2 Type II | Service organisation controls for security, availability, processing integrity, confidentiality, and privacy | Planned — leveraging certified infrastructure |
| Cyber Essentials | UK government-backed scheme for protection against common cyber threats | Planned — implementing controls |
While we pursue these certifications, our infrastructure providers (Vercel and Supabase) already hold SOC 2 Type II certification, providing a strong security foundation for our services.
9. Responsible Disclosure
We value the security research community and welcome responsible disclosure of potential vulnerabilities. If you discover a security issue, please:
- Email us at hello@elementary.co.za with a detailed description of the vulnerability
- Allow us reasonable time to investigate and address the issue before public disclosure
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could degrade the availability of our services
We commit to acknowledging receipt of your report within 48 hours and providing regular updates on our progress towards resolution.
10. Contact Us
If you have questions about our security practices or wish to report a security concern, please contact us:
Elementary Digital (Pty) Ltd
Email: hello@elementary.co.za