Security

How we protect the platform, and how to report something we should know about.

Controls in place

Area | Control
Transport | TLS 1.2+ enforced at the Cloudflare edge with HSTS and modern cipher suites; HTTP is redirected to HTTPS on every host.
Authentication | Bcrypt-hashed local credentials with a strong-password policy. Short-lived JWT access tokens; refresh tokens stored in Cloudflare KV with revocation support. Optional MFA using time-based one-time passwords (TOTP).
Authorisation | Permission-string RBAC checked on every API endpoint. Super-admin actions require an additional permission tier and are fully audit-logged.
Tenancy | Per-row companyId scoping on all customer data. API keys are issued per company and cannot read across tenants.
API keys | Granular per-endpoint read/write permissions. Restricted (security-critical) endpoints are blocked for API keys by default and require explicit super-admin enablement.
Rate limiting & abuse | Per-IP and per-account rate limits, edge bot-fight rules, and automated abuse detection on authentication endpoints.
Audit logging | Every state-changing action and every authentication event is logged with actor, time, IP, route and result. Logs are append-only.
Data at rest | Cloudflare D1, R2 and KV provide encryption at rest. Backups inherit the same protection.
Secrets | API tokens, signing keys and database credentials are stored as Cloudflare-managed secrets and are never committed to the repository.
Software supply chain | Lockfile-pinned dependencies, automated npm audit on every build, TypeScript strict mode end-to-end, unit and integration tests on every push, deploy gated on green CI.
Network | Origin is Cloudflare Workers — there is no public origin server. DDoS protection and WAF are provided by Cloudflare.
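As an added illustration (not ILSS code), the following TypeScript sketch shows how the Authorisation, Tenancy and API keys rows above combine on a single request path: the permission string is checked before any handler runs, a restricted endpoint stays closed to API keys until it is explicitly enabled, the tenant filter is taken from the authenticated principal rather than the request, and every decision is appended to an audit record. All type names, routes, permission strings and sample rows are constructed for this example.

```typescript
// Added example, not ILSS code: one request path that applies the "Authorisation",
// "Tenancy" and "API keys" controls and writes an audit record for every decision.
// All names and sample data here are constructed for illustration.

type Principal =
  | { kind: "user"; id: string; companyId: string; permissions: Set<string> }
  | { kind: "apiKey"; id: string; companyId: string; permissions: Set<string> };

interface Endpoint {
  route: string;
  permission: string;   // permission string the caller must hold, e.g. "calls:read"
  restricted?: boolean; // security-critical: blocked for API keys unless explicitly enabled
}

interface AuditEvent {
  actor: string;
  route: string;
  result: "allow" | "deny";
  reason: string;
  at: string;
}

// Append-only audit log (in-memory stand-in); nothing in this file removes entries.
const auditLog: AuditEvent[] = [];

// Restricted endpoints a super-admin has explicitly enabled for API keys (empty by default).
const apiKeyEnabledRestricted = new Set<string>();

// Every row carries the owning companyId; the store never returns another tenant's rows.
interface Row { id: string; companyId: string; body: string }
const rows: Row[] = [
  { id: "r1", companyId: "acme", body: "acme call record" },
  { id: "r2", companyId: "acme", body: "acme second record" },
  { id: "r3", companyId: "globex", body: "globex call record" },
];

function authorize(p: Principal, ep: Endpoint): { ok: boolean; reason: string } {
  // Restricted endpoints are closed to API keys unless a super-admin enabled them.
  if (p.kind === "apiKey" && ep.restricted && !apiKeyEnabledRestricted.has(ep.route)) {
    return { ok: false, reason: "restricted endpoint blocked for API keys" };
  }
  // Permission-string check applied uniformly to users and API keys.
  if (!p.permissions.has(ep.permission)) {
    return { ok: false, reason: `missing permission ${ep.permission}` };
  }
  return { ok: true, reason: "permission granted" };
}

// Tenant scoping is part of the query itself, so a handler cannot forget to apply it.
function listRows(companyId: string): Row[] {
  return rows.filter((r) => r.companyId === companyId);
}

function handle(p: Principal, ep: Endpoint): { status: number; data: Row[] } {
  const decision = authorize(p, ep);
  auditLog.push({
    actor: `${p.kind}:${p.id}`,
    route: ep.route,
    result: decision.ok ? "allow" : "deny",
    reason: decision.reason,
    at: new Date().toISOString(),
  });
  if (!decision.ok) return { status: 403, data: [] };
  // companyId comes from the authenticated principal, never from the request body.
  return { status: 200, data: listRows(p.companyId) };
}

// Constructed endpoints and principals for the usage below.
const listCalls: Endpoint = { route: "GET /calls", permission: "calls:read" };
const rotateKeys: Endpoint = { route: "POST /admin/keys/rotate", permission: "keys:rotate", restricted: true };

const acmeUser: Principal = { kind: "user", id: "u1", companyId: "acme", permissions: new Set(["calls:read"]) };
const acmeKey: Principal = { kind: "apiKey", id: "k1", companyId: "acme", permissions: new Set(["calls:read", "keys:rotate"]) };
const globexKey: Principal = { kind: "apiKey", id: "k2", companyId: "globex", permissions: new Set(["calls:read"]) };

console.log(handle(acmeUser, listCalls).data.map((r) => r.id)); // acme rows only
console.log(handle(acmeKey, rotateKeys).status);                 // 403: restricted, not enabled
```

The key design choice is that both checks run before the handler and are independent of the request body: a caller cannot widen its tenant by supplying a different companyId, and an API key holding the right permission string still cannot reach a restricted route until an operator enables it, which is itself a super-admin action that the audit log records.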

Responsible disclosure

If you believe you have found a security vulnerability in ILSS, we want to hear from you. We aim to respond to good-faith reports quickly and to keep researchers informed throughout the process.

Scope

  • ilss.co.za and all subdomains under *.ilss.co.za operated by ILSS.
  • The ILSS API at api.ilss.co.za.
  • The ILSS web applications at admin.ilss.co.za and phone.ilss.co.za.

Out of scope

  • Findings against third-party services or infrastructure not operated by ILSS (e.g. Cloudflare core platform).
  • Reports generated solely by automated scanners with no demonstrable impact.
  • Volumetric denial-of-service testing.
  • Social-engineering of ILSS staff or customer staff.
  • Physical-security testing.

How to report

Email security@ilss.co.za with:

  • a clear description of the issue;
  • steps to reproduce, including any URLs, requests, or accounts used;
  • the impact you believe the issue has, and any suggested remediation;
  • your name (or handle) and how you would like to be credited if the finding is valid.

What we will do

  • Acknowledge your report within two (2) business days.
  • Provide an initial assessment within seven (7) business days.
  • Keep you informed of remediation progress and let you know when the issue is resolved.
  • Credit you on this page (with your consent) for valid reports.

Safe-harbour

ILSS will not pursue civil action or report researchers to law enforcement for good-faith security research that adheres to this policy. "Good faith" means: avoiding privacy violations, destruction of data, and interruption or degradation of the Service; only interacting with accounts you own or have explicit permission to access; reporting promptly; and giving us reasonable time to resolve before public disclosure.

A machine-readable security.txt is published per RFC 9116.

Sub-processors

Provider | Purpose | Region
Cloudflare, Inc. | Workers (compute), Pages (web hosting), D1 (database), R2 (object storage), KV (sessions and cache), Queues (events), DNS, TLS, WAF, DDoS protection, edge logs. | Global edge — see Cloudflare's public data-processing documentation.

Compliance posture

  • Aligned with the Protection of Personal Information Act, 4 of 2013 ("POPIA") — see the Privacy Policy.
  • Internal controls modelled on the OWASP Application Security Verification Standard.
  • Operational security tested against the OWASP Top 10 on each release.