Security Posture
Security is not a feature we bolt on — it is a discipline we practise at every layer of our work. Here is how we protect your data and our systems.
Platform Security
All data transmitted between your browser and our servers is encrypted using TLS 1.2+. We enforce HTTPS across all endpoints and redirect all HTTP traffic.
Our infrastructure is hosted on enterprise-grade cloud providers with SOC 2 Type II certification. Servers are isolated, access-controlled, and regularly patched.
We operate on a least-privilege principle. All internal access is role-based, requires multi-factor authentication, and is audited. No employee has unnecessary access to client data.
We run continuous monitoring for anomalous behaviour, failed authentication attempts, and infrastructure events. Alerts are triaged within 1 business hour.
We conduct periodic internal security reviews and engage third-party assessors for penetration testing on client-facing systems. Findings are remediated by severity within defined SLAs.
We collect and retain only the personal information necessary for service delivery. Client data is not used for advertising or profiling, and is not shared with third parties beyond what service delivery requires.
Client Engagement Security
All client engagements are covered by mutual non-disclosure agreements. Client codebases, data, and business information are treated as strictly confidential.
We deliver code through private, access-controlled repositories. Sensitive credentials are never committed to version control — we use secrets management tooling exclusively.
We use automated dependency scanning (Dependabot, Snyk, or equivalent) on all projects to identify and patch known vulnerabilities in third-party packages.
Development, staging, and production environments are fully separated. Production data is never used in non-production environments.
All secrets, API keys, and credentials are managed through dedicated secrets management systems (e.g. AWS Secrets Manager, Vault). Keys are rotated regularly.
At engagement close, all credentials, access keys, and repository permissions granted to SyntaxPath are revoked. Full documentation is handed over to the client team.
Responsible Disclosure
We welcome security researchers who responsibly report vulnerabilities. We commit to investigating all credible reports promptly and will not pursue legal action against researchers who follow this policy in good faith.
Email security@syntaxpath.co.za with details of the vulnerability. Encrypt sensitive reports using our PGP key if required.
We will acknowledge receipt of your report within 2 business days and begin investigation.
We assess severity using the CVSS scoring framework and prioritise remediation accordingly.
We work to remediate confirmed vulnerabilities within 30 days for critical issues and within 90 days for all others.
We coordinate disclosure timing with you. We ask that you allow us reasonable time to remediate before public disclosure.
With your permission, we publicly acknowledge researchers who report valid vulnerabilities responsibly.
Scope
In scope:
- www.syntaxpath.co.za and all subdomains
- SyntaxPath web applications and APIs
- Authentication and authorisation flows
- Data exposure or information leakage
- Cross-site scripting (XSS)
- SQL or NoSQL injection
- Server-side request forgery (SSRF)
- Insecure direct object references (IDOR)
Out of scope:
- Social engineering or phishing attacks against staff
- Physical security of offices or devices
- Denial of service (DoS/DDoS) attacks
- Automated scanner results without proof of exploitability
- Issues in third-party services we do not control
- Clickjacking on non-sensitive pages
- Missing security headers without demonstrated impact
Found Something?
If you believe you have discovered a security vulnerability in any SyntaxPath system, please report it responsibly. We appreciate your help in keeping our platform secure.