Security Policy

Last Updated: May 2026
Effective Date: May 6, 2026


1. Introduction

Security is a core value at Net-3.co.uk Ltd ("We", "Us", "Our"). This Security Policy outlines the security measures, standards, and practices we implement to protect customer data, maintain service integrity, and ensure compliance with industry best practices.

This Policy is intended to give customers and partners confidence in our commitment to security while setting clear expectations about our security practices.


2. Security Infrastructure

2.1 Data Center Security

Location: DigitalOcean, London (United Kingdom)

Physical Security:

  • 24/7 physical security and surveillance
  • Restricted access with biometric authentication
  • Perimeter fencing and access controls
  • Environmental monitoring (fire detection, HVAC, electrical)
  • Disaster recovery infrastructure and redundancy

Network Security:

  • Firewalls and intrusion detection systems
  • DDoS mitigation and rate limiting
  • Network segmentation and isolation
  • BGP hijacking protection

2.2 Server Architecture

Infrastructure:

  • Containerized deployment using Docker
  • Load balancing across multiple application servers
  • Database replication and redundancy
  • Automatic failover and disaster recovery
  • Regular backups (daily with 30-day retention)

Monitoring:

  • 24/7 infrastructure monitoring
  • Automated alerts for anomalies and failures
  • Real-time log aggregation and analysis
  • Performance monitoring and optimization

3. Data Encryption

3.1 Encryption in Transit

HTTPS/TLS:

  • All communication between your device and our servers is encrypted using TLS 1.2 or higher
  • Industry-standard cipher suites (AES-256, ECDHE)
  • Perfect Forward Secrecy (PFS) enabled
  • HSTS (HTTP Strict Transport Security) enforced
  • SSL/TLS certificate issued by a trusted Certificate Authority

API Encryption:

  • All API requests and responses are encrypted over HTTPS
  • API authentication using bearer tokens or API keys
  • Rate limiting and request throttling

3.2 Encryption at Rest

Sensitive Data Encryption:

  • SSH keys and API tokens encrypted using AES-256
  • Encryption keys managed separately from encrypted data
  • Regular key rotation (annually or upon compromise)
  • Encrypted key storage with access controls

Database Encryption:

  • Database connections use SSL/TLS
  • Sensitive fields encrypted at application level
  • Encrypted backup storage

File Storage:

  • Uploaded files encrypted at rest
  • Access restricted to authenticated users only
  • Secure deletion protocols for removed files

4. Authentication and Access Control

4.1 User Authentication

Password Security:

  • Passwords hashed using bcrypt (salted)
  • Minimum password requirements (8+ characters, complexity)
  • Password reset via email verification
  • Protection against brute force attacks (rate limiting, account lockout)
  • Optional two-factor authentication (2FA) available

Session Management:

  • Secure session tokens with expiration
  • Session invalidation on logout
  • Automatic timeout after 30 minutes of inactivity
  • Secure cookie flags (HttpOnly, Secure, SameSite)

4.2 API Authentication

API Key Security:

  • Unique API keys per user/application
  • Keys transmitted and stored securely (encrypted at rest)
  • Automatic key rotation recommended
  • Rate limiting by API key
  • Ability to revoke keys immediately

OAuth 2.0:

  • Support for OAuth 2.0 authentication (when integrated with external services)
  • Scoped permissions for third-party applications
  • Automatic token expiration and refresh

4.3 Access Control

Role-Based Access Control (RBAC):

  • Administrative roles with elevated permissions
  • User roles with limited access
  • Team member roles with configurable permissions
  • Principle of least privilege enforced

Audit Logging:

  • Logging of all administrative actions
  • Login attempt tracking
  • API access logs
  • Data access and modification logs (30-day retention)

5. Vulnerability Management

5.1 Security Testing

Penetration Testing:

  • Regular penetration tests by third-party security firms (planned post-GA)
  • Internal security audits and assessments
  • Responsible disclosure program for security researchers

Vulnerability Scanning:

  • Automated vulnerability scanning of infrastructure
  • Regular security patching and updates
  • Dependency scanning for third-party libraries
  • Code review processes for security issues

5.2 Vulnerability Response

Discovery and Assessment:

  • All vulnerabilities are assessed for severity and impact
  • Critical vulnerabilities remediated within 24 hours
  • High-priority vulnerabilities remediated within 1 week
  • Medium/low vulnerabilities addressed in regular maintenance cycles

Notification:

  • Affected customers are notified of security patches
  • Security advisories published on our status page
  • Transparency about vulnerabilities and fixes

6. Third-Party Security

6.1 Service Provider Assessment

Stripe & PayPal:

  • PCI DSS compliant payment processors
  • We do not store full payment card information
  • Payment processing is handled securely by the third-party processor
  • We review security certifications and SOC 2 reports

GitHub:

  • Industry-standard security practices
  • Repository encryption and access controls
  • Two-factor authentication recommended
  • Security alerts for vulnerable dependencies

Google Analytics:

  • Server-side analytics (non-PII data only)
  • Anonymized tracking
  • Users can opt out of analytics tracking
  • Google's privacy and security policies apply

DigitalOcean:

  • ISO 27001 certified infrastructure
  • SOC 2 Type II compliant
  • Regular security audits
  • Industry-leading DDoS protection

6.2 Vendor Management

  • Contracts with third-party vendors include security requirements
  • Vendors maintain appropriate certifications and security practices
  • Regular vendor security audits
  • Incident reporting requirements

7. Data Protection and Privacy

7.1 Data Classification

Sensitive Data:

  • Account credentials (usernames, passwords, API keys)
  • SSH keys and deployment credentials
  • Payment information
  • Personal information (email, name, address)

Non-Sensitive Data:

  • Public deployment logs
  • Server telemetry (aggregated)
  • Usage analytics

Protection Measures:

  • Sensitive data encrypted in transit and at rest
  • Access restricted to authorized personnel only
  • Audit logging of sensitive data access
  • Regular access reviews

7.2 Data Retention and Deletion

Retention Policy:

  • Account data: Retained while account is active, deleted 30 days after termination
  • Billing records: Retained 7 years (tax compliance)
  • Logs: Retained 90 days, then archived
  • Backups: Retained for 30 days
  • Analytics: Retained according to Google Analytics policy (26 months)

Secure Deletion:

  • Data deleted using industry-standard methods
  • Multiple overwrites to prevent recovery
  • Encryption keys destroyed when no longer needed
  • Physical destruction of equipment containing data

7.3 Compliance

GDPR / UK GDPR Compliance:

  • Data Processing Agreement (DPA) available for Studio+ customers
  • Data subject rights supported (access, deletion, portability)
  • Privacy by design principles
  • Regular compliance audits

UK Data Protection Act 2018:

  • Compliance with UK data protection requirements
  • Regular assessments of compliance

8. Incident Response

8.1 Incident Definition

Security Incident: Any confirmed or suspected unauthorized access, data breach, system compromise, or security event that could impact customer data or service availability.

8.2 Incident Response Process

Detection and Assessment (0–1 hour):

  • Security team investigates the incident
  • Severity determined (Critical, High, Medium, Low)
  • Root cause identified
  • Scope of compromise assessed

Containment (1–4 hours):

  • Affected systems isolated if necessary
  • Further access prevented
  • Evidence preserved for forensic analysis
  • Customer communication prepared

Eradication (4–24 hours):

  • Root cause addressed
  • Security patches deployed
  • Systems hardened
  • Malicious activity removed

Recovery (24–72 hours):

  • Services restored to normal operation
  • Customer access restored
  • Systems validated and monitored
  • Performance verified

Post-Incident (1–2 weeks):

  • Root cause analysis completed
  • Process improvements implemented
  • Security measures enhanced
  • Customers notified of outcomes and actions taken

8.3 Breach Notification

Notification Timeline:

  • Confirmed breaches affecting personal data notified without undue delay
  • As required by GDPR, notification is made within 72 hours of discovery
  • Contact: support@expertweb.tools for incident reports
  • Customers provided with:
    • Description of the breach
    • Data affected
    • Measures taken to contain the breach
    • Recommended protective actions
    • Contact information for questions

Regulatory Reporting:

  • Breaches reported to supervisory authorities as required by law
  • Customer notification provided as legally required

9. Security Best Practices for Customers

9.1 Account Security

You should:

  • Use a strong, unique password (16+ characters, mix of letters/numbers/symbols)
  • Enable two-factor authentication (2FA) on your account
  • Keep your password confidential and never share it
  • Immediately notify us if you suspect account compromise
  • Regularly review your account activity and connected applications
  • Use a password manager to generate and store strong passwords

9.2 API Key Management

You should:

  • Treat API keys like passwords (keep them secret)
  • Never commit API keys to version control
  • Rotate API keys regularly (quarterly or upon concerns)
  • Revoke compromised or unused keys immediately
  • Use API key permissions/scopes to limit what each key can do
  • Implement monitoring on API key usage

9.3 Credential Management

You should:

  • Encrypt SSH keys and credentials before uploading to Reflex
  • Use SSH key passphrases to protect your keys
  • Regularly rotate SSH keys
  • Remove old/unused credentials
  • Monitor credential usage in deployment logs
  • Use credential management tools (LastPass, 1Password, etc.)

9.4 Deployment Security

You should:

  • Review deployment logs regularly
  • Enable alerts for failed deployments or errors
  • Implement code review before deployments
  • Use CI/CD security best practices
  • Scan dependencies for vulnerabilities
  • Keep frameworks and libraries updated

10. Compliance and Certifications

10.1 Current Status

Compliant With:

  • GDPR (General Data Protection Regulation) — General compliance
  • UK Data Protection Act 2018 — Full compliance
  • HTTPS/TLS encryption standards
  • Industry-standard password hashing (bcrypt)
  • Data protection best practices

In Progress:

  • SOC 2 Type II certification (planned)
  • ISO 27001 certification (planned)
  • External penetration testing (planned post-GA)

10.2 Future Plans

  • Q3 2026: SOC 2 Type II audit
  • Q4 2026: ISO 27001 certification
  • Ongoing: Regular penetration testing (annually)

11. Security Awareness and Training

11.1 Employee Training

  • All staff receive security awareness training upon hire
  • Annual security training for all employees
  • Training on secure coding practices for developers
  • Data protection and privacy training for support staff
  • Incident response training for security team

11.2 Security Updates

  • Security team stays current on latest threats and vulnerabilities
  • Threat intelligence monitoring
  • Participation in security communities and forums
  • Regular review of security advisories

12. Responsible Disclosure

12.1 Security Research

If you discover a security vulnerability in our Service, we appreciate you reporting it responsibly:

Please do NOT:

  • Publicly disclose the vulnerability before we have time to fix it
  • Access or modify other customers' data
  • Test vulnerabilities on production systems without authorization
  • Cause any disruption to the Service

Please DO:

  • Report the vulnerability to: security@expertweb.tools
  • Include detailed information about the vulnerability
  • Allow us 90 days to develop and deploy a fix
  • Avoid sharing the vulnerability details until we publicly disclose the fix

12.2 Responsible Disclosure Commitment

  • We will acknowledge receipt of your report within 24 hours
  • We will provide regular updates on remediation progress
  • We will publicly acknowledge your contribution (with your permission)
  • We will work transparently to resolve the issue

13. Disaster Recovery and Business Continuity

13.1 Backup Strategy

Backup Frequency:

  • Daily automated backups of all customer data
  • Backups retained for 30 days
  • Geographically distributed backup storage
  • Regular backup restoration tests

Recovery Time Objectives (RTO):

  • Critical services: Restore within 1 hour
  • Non-critical services: Restore within 4 hours
  • Full system recovery: Restore within 24 hours

Recovery Point Objectives (RPO):

  • Maximum data loss: 24 hours
  • Daily backups minimize data loss risk

13.2 Continuity Planning

  • Documented disaster recovery procedures
  • Regular disaster recovery drills
  • Redundant systems and failover capabilities
  • Alternative communication channels if primary systems are down

14. Security Monitoring and Logging

14.1 Logging

Logged Events:

  • All login attempts (successful and failed)
  • Account changes (password, email, permissions)
  • API access and usage
  • Administrative actions
  • Data access and modifications
  • Security events and alerts

Log Retention:

  • 90 days for operational logs
  • Longer retention for compliance and audit purposes
  • Encrypted log storage
  • Access restricted to authorized personnel

14.2 Monitoring

Real-Time Monitoring:

  • Network traffic analysis
  • Resource usage monitoring (CPU, memory, disk)
  • Application performance monitoring
  • Error rate monitoring
  • Security event monitoring
  • Intrusion detection systems

Alerting:

  • Automated alerts for suspicious activity
  • Threshold-based alerts for resource exhaustion
  • Escalation procedures for critical alerts
  • Automated 24/7 monitoring (staff coverage at GA launch is not 24/7)

15. Contact and Reporting

15.1 Security Issues

Report security vulnerabilities: 📧 security@expertweb.tools

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested remediation (if any)

15.2 Security Questions

For general security questions or clarifications: 📧 support@expertweb.tools

15.3 Company Contact

Net-3.co.uk Ltd
41 Sandsend Road
Redcar, TS10 5DG
United Kingdom

📧 support@expertweb.tools
🌐 https://reflex.expertweb.tools

15.4 Compliance and assurance roadmap

Penetration testing — We run third-party application and infrastructure penetration tests on a planned cadence; summaries are available to customers under NDA on request.

SOC 2 — SOC 2 Type II readiness work is in progress; we maintain evidence packs aligned to Trust Services Criteria and can share status under procurement.

Bug bounty — A coordinated disclosure programme (HackerOne) is scheduled to move from private invite to public participation as scope stabilises.

GDPR / DPA — UK GDPR–aligned Data Processing Agreements are available for paying teams via procurement; subprocessors and retention are tracked in our operations documentation.

SCIM — Directory sync is available when SCIM is enabled for your tenancy; connection guidance lives in dashboard Settings → SCIM provisioning.


16. Policy Updates

We review and update this Security Policy regularly to reflect:

  • New security threats and risks
  • Changes to our infrastructure or practices
  • Regulatory requirements
  • Industry best practices

Updates will be posted on this page with a new "Last Updated" date.


17. Disclaimer

This Security Policy describes our current security practices and commitments. While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute protection against all threats.

Customers are responsible for:

  • Implementing their own security measures on servers and applications
  • Protecting their own credentials and API keys
  • Following security best practices
  • Reporting suspected security incidents immediately

This Security Policy is provided for informational purposes. For specific security questions or concerns, please contact support@expertweb.tools.