    Trust Centre

    Security at Xharvoc

    We take the security and privacy of your data seriously. Here's how we protect it.

    Compliance & Certifications

    Our security posture is aligned with internationally recognised frameworks and standards.

    • ISO 27001:2022 (Aligned): Information Security Management System
    • ISO 27701:2019 (Aligned): Privacy Information Management
    • ISO 22301:2019 (Aligned): Business Continuity Management
    • SOC 2 Type II (Roadmap): Trust Service Criteria (Security, Availability, Confidentiality)
    • UK GDPR (Compliant): Data Protection Act 2018 & UK General Data Protection Regulation
    • OWASP Top 10 (Implemented): Web Application Security Risks Coverage
    • NIST CSF 2.0 (Aligned): Cybersecurity Framework — Govern, Identify, Protect, Detect, Respond, Recover

    Encryption & Access Control

    Industry-standard cryptographic protections at every layer.

    Data in Transit

    All data transmitted between your browser and our servers is protected with TLS 1.2+ encryption. HSTS is enforced with preload to prevent downgrade attacks.

    Data at Rest

    All database records are encrypted at rest using AES-256 encryption. Backups are encrypted with the same standard.

    Authentication

    Passwords are hashed using bcrypt with a minimum cost factor of 12. Multi-factor authentication (TOTP) is enforced for all administrative access.

    Access Control

    Row-Level Security (RLS) is enforced on every database table. The principle of least privilege governs all data access.

    Data Residency

    All data is processed and stored within the European Union and United Kingdom, ensuring compliance with UK GDPR cross-border transfer requirements.

    • European Union: Frankfurt, Germany (eu-central-1). Primary database, authentication, and backend functions.
    • United Kingdom / EU: Cloudflare Edge Network. CDN, WAF, DDoS mitigation, and SSL termination.
    • Europe: Hostinger EU Data Centres. Static frontend assets and web hosting.

    Security Practices

    Proactive measures to detect, prevent, and respond to threats.

    Web Application Firewall

    Cloudflare WAF with OWASP Core Ruleset blocks common attack vectors including SQL injection, XSS, and CSRF.

    Rate Limiting

    All API endpoints and forms are protected with IP-based rate limiting to prevent abuse and credential stuffing.

    Audit Logging

    All security-relevant events — logins, failures, admin actions, and configuration changes — are logged with immutable audit trails.

    Dependency Scanning

    Automated vulnerability scanning of all software dependencies. Critical and high-severity CVEs are patched before deployment.

    Responsible Disclosure

    If you discover a security vulnerability, we encourage responsible disclosure. We commit to:

    • Acknowledge your report within 48 hours
    • Assess severity within 5 business days
    • Patch critical issues within 24 hours and high-severity issues within 7 days
    • Take no legal action against good-faith researchers

    Report vulnerabilities to:

    [email protected]

    See our full policy at /.well-known/security.txt