HomePoliciesData Protection & Security

Data Protection & Security

The technical and organisational safeguards we use to protect data on the SafetyMeter platform.

Version 1.0
Effective 18 May 2026
Last updated 18 May 2026
Security by design: SafetyMeter is built with a minimal attack surface. We do not store assessment data on our servers, which means the vast majority of your information never leaves your browser session.

1. Our Security Approach

Trusted Tech Africa takes a layered approach to security. Because SafetyMeter is designed around data minimisation (we do not persist assessment data by default), our attack surface is significantly smaller than platforms that store user-generated content. The security measures described in this policy apply to our infrastructure, API integrations, and the transmission of any data that does pass through our systems.

2. Infrastructure Security

Hosting and Deployment

SafetyMeter is hosted on Vercel's edge network, a SOC 2 Type II certified platform. All static assets and server-side functions are deployed to globally distributed infrastructure with automatic DDoS mitigation, firewall protection, and infrastructure redundancy built in at the platform level.

Network Security

  • All connections to SafetyMeter are encrypted in transit using TLS 1.2 or higher
  • HTTPS is enforced on all routes; HTTP requests are redirected automatically
  • HTTP Strict Transport Security (HSTS) headers are set with a minimum 1-year max-age
  • Content Security Policy (CSP) headers restrict which scripts and resources may be loaded
  • DNS is secured via a reputable DNS provider with DNSSEC where supported

Application Security

  • API routes validate all incoming payloads using server-side schema validation (Zod)
  • User inputs are sanitised before being included in API requests or HTML responses
  • We apply rate limiting on API routes to prevent abuse
  • All dependencies are regularly audited via npm audit and updated in a timely manner
  • We do not use third-party tracking or advertising scripts that could introduce supply-chain risk

3. Data Transmission Security

When your form data is transmitted to our server-side API routes (for example, when triggering AI narrative generation), it is:

  • Encrypted in transit via TLS
  • Validated immediately upon receipt — invalid or malformed payloads are rejected
  • Forwarded to Anthropic's API (for AI narrative generation) or processed and returned to your browser
  • Not written to any persistent storage or database

We do not log request bodies in production. Server function logs capture only metadata (timestamp, status code, anonymised IP) for debugging purposes and are retained for a maximum of 30 days.

4. AI Provider Security

SafetyMeter uses Anthropic's Claude API for AI narrative generation. Anthropic maintains enterprise-grade security controls including SOC 2 Type II certification. Data sent to Anthropic's API is governed by their Data Processing Agreement and Privacy Policy. Anthropic does not use API inputs for model training by default.

We use API keys to authenticate with Anthropic. These keys are stored as environment secrets, never exposed in client-side code, and rotated periodically.

5. Access Controls

SafetyMeter currently does not require user accounts or authentication. Access to our production infrastructure is restricted to authorised Trusted Tech Africa engineers and is protected by:

  • Multi-factor authentication (MFA) on all cloud platform accounts
  • Role-based access control: developers have the minimum permissions necessary for their role
  • SSH key-based access where applicable; password authentication is disabled
  • All access to production systems is logged and reviewed

6. Vendor and Third-Party Security

We use a small number of third-party services. Before integrating any vendor, we review their security posture. Current third-party integrations:

VendorPurposeData Shared
VercelHosting and edge functionsRequest metadata; no persistent user data
AnthropicAI narrative generationStructured assessment data (no personal data of end users)

We do not use advertising networks, analytics platforms that track individuals, or data brokers.

7. Security Monitoring

We monitor our infrastructure for anomalous activity including unusual API call volumes, unexpected error rates, and potential abuse patterns. Alerts are configured to notify our engineering team within minutes of detecting significant anomalies.

8. Incident Response

In the event of a security incident, Trusted Tech Africa will:

  • Contain the incident as quickly as possible
  • Assess the scope and impact
  • Notify affected parties if personal data has been compromised, in accordance with GDPR Article 33 (within 72 hours of awareness)
  • Publish a post-incident summary for significant incidents that affect user trust or data
  • Implement remediation measures to prevent recurrence

9. Vulnerability Disclosure

If you discover a security vulnerability in SafetyMeter, please report it in accordance with our Responsible Disclosure Policy. We commit to acknowledging all reports within 5 business days.

10. Continuous Improvement

Security is not a one-time exercise. We review our security posture at least quarterly, track evolving threats in the Next.js and Vercel ecosystems, and update this policy when material changes are made to our security controls.

11. Contact

For security concerns or data protection questions, contact info@trustedtechafrica.com.