Back to Home

Security & Compliance

1. Our Security Commitment

ASI Technologies designs, builds, and operates engineering-grade systems. Security is not a feature we add — it is foundational to every line of code we write, every infrastructure decision we make, and every service we deliver. This document outlines our security posture, compliance alignment, and the measures we take to protect our clients' data and systems.

2. Regulatory & Compliance Framework

Our operations are aligned with the following South African and international standards:

3. Infrastructure Security

3.1 Hosting & Deployment

• Hosting Provider: Vercel (Edge Network) with automatic HTTPS/TLS 1.3 encryption for all traffic.
• CDN: Global edge caching with DDoS mitigation built into the hosting layer.
• DNS Security: DNSSEC-enabled domain management.
• Deployment Pipeline: Git-based CI/CD with branch protection, automated build verification, and zero-downtime deploys.

3.2 Application Security

• HTTP Security Headers: Strict-Transport-Security (HSTS with preload), X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy, and Content-Security-Policy enforced on all routes.
• Input Validation: Server-side validation on all API endpoints. No client-side trust assumptions.
• Authentication: Admin interfaces are protected with secure token-based authentication. Session tokens are rotated and expire after inactivity.
• Dependency Management: Automated vulnerability scanning via npm audit and regular dependency updates.

3.3 Data Security

• Encryption at Rest: All databases (Firebase/Firestore) encrypt data at rest using AES-256.
• Encryption in Transit: All communications are encrypted via TLS 1.2+ (TLS 1.3 preferred).
• Access Control: Role-based access control (RBAC) for all internal systems. Principle of least privilege enforced.
• Data Retention: Data is retained only for the duration necessary for service delivery and legal obligations (see our Privacy Policy).

4. Incident Response

ASI Technologies maintains a formal incident response procedure aligned with the Cybercrimes Act's mandatory reporting requirements:

1. Detection & Classification: Automated monitoring and alerting for anomalous activity. Incidents are classified P1–P4 per our SLA.
2. Containment: Immediate isolation of affected systems to prevent lateral movement.
3. Investigation: Root cause analysis conducted by the lead engineer on the engagement.
4. Notification: Affected clients are notified within 72 hours of confirmed data breach (per POPIA Section 22). The Information Regulator is notified where required by law.
5. Recovery & Remediation: Systems are restored from verified backups. Post-incident review and hardening measures are documented and implemented.
6. Post-Incident Report: A formal incident report is provided to the client detailing timeline, impact, root cause, and preventative measures.

5. Employee & Contractor Security

• All engineers and contractors sign confidentiality and non-disclosure agreements before accessing client data.
• Access to production systems is restricted to authorised personnel only.
• Security awareness training is conducted for all team members.
• Access credentials are revoked immediately upon contract termination.

6. Third-Party Risk Management

We vet all third-party services and sub-processors for security and compliance before integration. Our current third-party stack includes:

• Vercel — Hosting and edge compute (SOC 2 Type II compliant)
• Google Workspace — Business email and calendar (ISO 27001, SOC 2/3)
• Firebase / Google Cloud — Database and authentication (ISO 27001, SOC 2)
• Ozow / PayFast — Payment processing (PCI-DSS Level 1)
• SendGrid / Resend — Transactional email (SOC 2 Type II)

7. Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability in any ASI Technologies system, please report it through our Responsible Disclosure Policy.

8. Contact