Information Security Policy

1. Introduction

This Information Security Policy sets out the technical and organisational security measures implemented by Tapnet Solutions (Pty) Ltd (Registration No. 2023/135522/07) to protect the confidentiality, integrity, and availability of personal information and digital assets across our systems.

This policy applies to tapnet.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd, including the Tapnet core platform and the dedicated driver mobile proof-of-delivery application.

Tapnet Solutions is committed to compliance with POPIA Condition 7 (Security Safeguards), which requires a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control. We implement reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, or unlawful access to personal information.

2. Authentication and Authorisation

Tapnet implements robust authentication and authorisation controls to protect access to administrative functions and sensitive data.

Admin Authentication

• Authentication is handled via JSON Web Tokens (JWT) using the HS256 algorithm, implemented with the jose library
• Tokens are stored in HttpOnly, Secure, SameSite cookies to prevent client-side script access and cross-site request forgery
• Token expiry is set to 7 days, after which re-authentication is required

Password Security

• Passwords are hashed using bcrypt with 10 salt rounds before storage
• Passwords are never stored in plain text and cannot be recovered, only reset

Brute-Force and Enumeration Protection

• A constant-time delay of 200–500ms is applied to all login attempts (successful or failed) to prevent user enumeration via timing analysis
• Login attempts are rate-limited to 5 attempts per 15 minutes per IP address

Role-Based Access Control

• Admin routes are protected by middleware-level JWT verification, requests without a valid token are rejected before reaching application logic
• Role-based access ensures that only authorised personnel can access administrative functions

Session Management

• Sessions are managed through JWT tokens with automatic expiry
• Secure cookie flags (HttpOnly, Secure, SameSite) are enforced on all authentication cookies

3. Rate Limiting

Rate limiting is implemented across all public-facing endpoints to protect against abuse, denial-of-service attacks, and automated submission spam. Limits are enforced using an LRU cache with TTL-based token counting.

• When limits are exceeded, the server responds with HTTP 429 Too Many Requests
• Duplicate submission detection prevents the same email address from submitting the same form within a 5-minute window

4. Encryption

Tapnet encrypts data both in transit and at rest to ensure confidentiality of personal information throughout its lifecycle.

Data in Transit

• HTTPS/TLS is enforced on all connections, unencrypted HTTP requests are automatically redirected
• HSTS (HTTP Strict Transport Security) is configured with a 1-year max-age, instructing browsers to only connect via HTTPS

Data at Rest

• The database is hosted on Neon PostgreSQL, which encrypts all data at rest using AES-256 encryption
• Vercel encrypted storage is used for deployment artefacts and static assets

Password and Secret Storage

• Passwords are stored as bcrypt one-way hashes, they are never stored in plain text and cannot be reversed
• JWT signing secrets and all API keys are stored as environment variables in Vercel’s encrypted secrets store and are never committed to version control

5. Application Security

The Tapnet application is built on Next.js 13 with App Router and implements multiple layers of defence to protect against common web application vulnerabilities.

Input Validation

All form inputs are validated using Zod schema validation with strict type checking, length constraints, and format requirements. Invalid input is rejected before it reaches any processing logic.

SQL Injection Prevention

All database queries are executed through Prisma ORM, which uses parameterized queries exclusively. No raw SQL is used anywhere in the application, eliminating the risk of SQL injection attacks.

Cross-Site Scripting (XSS) Prevention

• All user-generated content is sanitised using DOMPurify before rendering
• HTML is stripped from form inputs to prevent stored XSS attacks

Cross-Site Request Forgery (CSRF) Protection

• The SameSite cookie attribute prevents cookies from being sent with cross-origin requests
• Origin verification is performed on state-changing requests

Security Headers

Security headers are configured via Helmet and next.config.js:

• Content Security Policy (CSP), restricts script sources and prevents inline script execution
• X-Frame-Options: DENY, prevents the site from being embedded in iframes (clickjacking protection)
• X-Content-Type-Options: nosniff, prevents MIME-type sniffing
• Referrer-Policy, controls information sent in the Referer header
• Permissions-Policy, restricts access to browser features (camera, microphone, geolocation, etc.)

Code Execution Safety

No use of eval() or dynamic code execution anywhere in the application codebase.

6. Infrastructure Security

Tapnet’s infrastructure is hosted on industry-leading platforms with enterprise-grade security certifications.

Vercel (Application Hosting)

• SOC 2 Type 2 and ISO 27001 certified
• Automated deployments with immutable build artefacts
• Global edge network with built-in DDoS protection

Neon PostgreSQL (Database)

• SOC 2 Type 2 certified
• Encrypted connections (TLS) and encrypted at rest
• Automated backups with point-in-time recovery
• Network isolation, no direct public access to the database

Third-Party Services

• Google Analytics, Google Cloud security certifications, data processing agreement in place
• OpenAI, enterprise-grade security, data processing agreement in place, API key authentication

Environment Variables

All secrets, API keys, and database credentials are stored in Vercel’s encrypted secrets store. Environment variables are never exposed to the client-side bundle and are never committed to version control.

7. Data Anonymisation and Pseudonymisation

Where possible, Tapnet anonymises or pseudonymises data to minimise the risk associated with processing personal information.

• Google Analytics, IP anonymisation is enabled before data is stored, ensuring full IP addresses are never retained
• Scroll tracking, session-based analytics use randomly generated IDs with no personal information stored
• Logs, personally identifiable information (PII) is stripped in production; IP addresses are not logged alongside request data

8. Backups and Recovery

Tapnet maintains backup and recovery capabilities to ensure business continuity and data integrity.

• Database backups, Neon PostgreSQL provides automated point-in-time recovery, allowing restoration to any moment within the retention window
• Application backups, Vercel maintains a full deployment history with instant rollback to any previous deployment
• Backup retention, retention periods follow the respective provider policies
• Recovery testing, periodic verification of restore procedures is conducted to ensure backups are functional and recovery objectives can be met

9. Vulnerability Management

Tapnet actively manages vulnerabilities across the application stack to maintain a strong security posture.

• Dependency auditing, regular npm audit scans and dependency updates are performed to identify and resolve known vulnerabilities
• Critical security patches, applied within 72 hours for critical vulnerabilities
• Code review, all changes are reviewed before deployment to production
• Monitoring, Vercel analytics and error tracking provide ongoing visibility into application health and potential security events

10. Incident Response

Tapnet maintains an incident response process to detect, contain, and recover from security incidents in a timely manner.

• Identification, detection of potential security incidents through monitoring, error tracking, and user reports
• Containment, immediate steps to limit the scope and impact of the incident
• Eradication, removal of the root cause and remediation of affected systems
• Recovery, restoration of normal operations and verification that the threat has been eliminated

11. Access Control

Access to Tapnet systems and data is governed by the principle of least privilege, users and processes are granted only the minimum level of access necessary to perform their functions.

• Admin access is restricted to authorised personnel only
• Database access is mediated exclusively through Prisma ORM, there are no direct database connections from client-side code
• API routes are protected by authentication middleware that verifies JWT tokens before processing requests
• Environment-specific controls ensure that development and production environments have separate access credentials and permissions

12. Review

This Information Security Policy is reviewed annually and following any significant security incident. Security measures are updated as new threats emerge and as the application evolves.

The Information Officer is responsible for ensuring that this policy remains current and that the security measures described herein are effectively implemented.

Contact

For questions about this policy or to report a security concern, please contact our Information Officer: