Security Policy
How we protect your data and what we expect from you
Our Security Measures
| Layer | Measure |
|---|---|
| Transport | TLS 1.2+ enforced on all connections; HSTS with 1-year max-age; certificate pinning for API clients |
| Authentication | PBKDF2-SHA256 (600,000 iterations) password hashing with a per-user salt; TOTP 2FA available to all users; JWT access tokens expire after 1 hour; refresh tokens expire after 30 days |
| Authorisation | Role-based access control (RBAC) with per-user permission overrides; institution data isolation enforced at query level |
| Application | CSRF tokens on all forms; Content-Security-Policy headers; X-Frame-Options: SAMEORIGIN; X-Content-Type-Options: nosniff; input sanitisation via bleach |
| Rate limiting | Login: 10 req/min; registration: 5 req/min; API global: 50 req/hour and 200 req/day; counters stored in Redis |
| Data at rest | Database encrypted at rest (AES-256 via cloud provider); S3 bucket server-side encryption enabled |
| Backups | Daily encrypted database backups retained for 30 days; off-site replication |
| Monitoring | Failed login attempt tracking; IP-based anomaly detection; comprehensive audit logging |
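As an added illustration of the password-hashing row above (example code written for this page, not VetTrackPro's own implementation), the following Python uses only the standard library to hash with PBKDF2-HMAC-SHA256 at 600,000 iterations, verify in constant time, and detect stored hashes that were produced with a lower iteration count so they can be upgraded on the user's next login. The `algorithm$iterations$salt$digest` storage format and the `needs_rehash` helper are assumptions made for the example, not a description of the product's database schema.

```python
import base64
import hashlib
import hmac
import os

# Parameters matching the policy table: PBKDF2-HMAC-SHA256, 600,000 iterations.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16   # 128-bit random salt per password
DKLEN = 32        # 256-bit derived key


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password into a self-describing string (assumed format for this
    example): algorithm$iterations$base64(salt)$base64(digest).

    A fresh random salt is drawn per call, so two users with the same password
    get different hashes, and the iteration count is stored alongside the hash
    so it can be raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return "$".join(
        [
            ALGORITHM,
            str(iterations),
            base64.b64encode(salt).decode("ascii"),
            base64.b64encode(digest).decode("ascii"),
        ]
    )


def _parse(stored: str) -> tuple[int, bytes, bytes]:
    """Split a stored hash string into (iterations, salt, digest)."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was hashed with fewer iterations than the current
    policy; callers should re-hash on the next successful login."""
    iterations, _, _ = _parse(stored)
    return iterations < ITERATIONS


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)
    print("valid:", verify_password("correct horse battery staple", record))
    print("wrong:", verify_password("Correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

Raising `ITERATIONS` in a future release leaves old records verifiable; `needs_rehash` flags them, and the only moment the plaintext is available to re-hash is immediately after a successful `verify_password`.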
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue:
- Email security@vettrackpro.com with a detailed description
- Do not exploit the vulnerability or access data belonging to other users
- Do not disclose publicly for at least 90 days to allow us time to fix it
- We will acknowledge receipt within 5 working days and provide a resolution timeline
We do not offer a formal bug bounty programme, but we publicly acknowledge responsible disclosures where the researcher permits.
Your Security Responsibilities
- Enable two-factor authentication (2FA) on your account — especially for institution admins
- Use a strong, unique password (minimum 8 characters, mixed case, digits, and special characters)
- Never share your credentials, API keys, or 2FA backup codes with others
- Log out from shared or public devices
- Report suspicious activity to security@vettrackpro.com immediately
Incident Response
In the event of a data breach affecting your personal data, we will:
- Notify affected users and the Kenya ODPC within 72 hours of becoming aware of the breach (regulator notification within 72 hours is required by Kenya DPA s.43 and GDPR Art. 33; user notification is required by Kenya DPA s.43 and GDPR Art. 34)
- Provide details of what data was affected, the likely consequences, and the remediation steps we are taking
- Cooperate fully with regulatory investigations
Contact
Security: security@vettrackpro.com