We Take Security Seriously.
Every line of code. Every server. Every packet. Protected.
Security is not an afterthought at Phytoventures — it is embedded in every layer of our infrastructure. From the moment data leaves your browser to the moment it reaches our servers, every byte is encrypted, validated, and monitored. We build with a security-first mindset because your trust depends on it.
Our Security Stack
12 layers of protection. Zero compromise.
HTTPS Everywhere
TLS 1.3 encryption on every connection. All traffic encrypted in transit. HSTS enforced. No mixed content.
Cloudflare WAF
Enterprise-grade Web Application Firewall. DDoS protection, bot management, and threat intelligence from millions of websites.
Helmet.js Security Headers
Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more. Every response hardened.
Rate Limiting
Intelligent rate limiting on all authentication endpoints. Brute force protection on login, 2FA, and API routes.
Session Security
Encrypted sessions with secure, httpOnly cookies. 8-hour expiry. Session regeneration on authentication. No session fixation.
Two-Factor Authentication
TOTP-based 2FA with QR code setup. Time-based one-time passwords via authenticator apps. Optional but strongly encouraged.
Passwordless Authentication
Magic link login eliminates password vulnerabilities entirely. No passwords stored, no passwords to steal. Links expire in 15 minutes.
Input Sanitisation
Every user input sanitised and validated. Parameterised SQL queries prevent injection. XSS protection on all outputs.
File Upload Security
Strict MIME type validation. File size limits. Path traversal protection on all downloads. No executable uploads.
Audit Logging
Every authentication event logged with IP, user agent, and timestamp. Full accountability trail. Anomaly detection.
Data Encryption
Passwords hashed with bcrypt (12 rounds). Magic link tokens hashed. Sensitive data encrypted at rest. Webhook signatures verified.
CORS Policy
Strict origin restriction. No wildcard access. Credentials require explicit origin match. API locked to our domain.
Responsible Disclosure
Responsible Disclosure Policy
Found a vulnerability? We want to hear about it.
Email: [email protected]
PGP: Available on request
Rules of engagement:
Do not access or modify other users' data.
Do not perform denial of service attacks.
Do not use automated scanning tools without permission.
Give us reasonable time to fix before disclosure.
Do not publicly disclose without our agreement.
We will:
Acknowledge your report within 48 hours.
Keep you updated on our progress.
Credit you (if desired) when the fix is deployed.
Not take legal action against good-faith researchers.
Security by Design
Built into every stage of our development lifecycle.
Code Review
Every change reviewed. No direct pushes to production. Security-focused code review on all pull requests.
Dependency Auditing
Regular npm audit. Known vulnerability monitoring. Automated alerts for compromised packages.
Server Hardening
Dedicated server (not shared hosting). SSH key-only access. Firewall rules. Regular OS patches. PM2 process management with auto-restart.
Backup & Recovery
Database backups. Configuration versioned. Disaster recovery procedures tested.
Incident Response
Documented incident response plan. Immediate containment, investigation, notification, and remediation.
Regulatory Compliance
Meeting legal obligations across data protection and payments.
UK GDPR
Full compliance with the UK General Data Protection Regulation. Data minimisation, purpose limitation, storage limitation.
Data Protection Act 2018
Registered data controller. Processing lawful, fair, and transparent.
PCI Considerations
We never store card data. Payments processed by GoCardless and Revolut (both PCI DSS Level 1 certified).
Late Payment of Commercial Debts Act 1998
Compliant invoicing and interest calculation.