Trust

Security posture

Plain-English summary: strict CSP, HSTS preload, DNSSEC, CAA pinned, SPF + DKIM + DMARC reject, WAF + rate limits, cookieless analytics. Vulnerabilities to [email protected] or via /.well-known/security.txt with PGP.

What we run

This website is a static site built with Astro and hosted on Cloudflare Pages. The narrow attack surface is intentional.

Transport

  • TLS 1.3 only
  • HSTS preload submitted (max-age=63072000; includeSubDomains; preload)
  • Cipher suite: modern (no RC4, no SHA-1, no MD5)

Headers

  • Strict CSP (default-src 'none', allowlists per directive, frame-ancestors 'none', no 'unsafe-inline' for scripts)
  • Permissions-Policy locking off camera/mic/geolocation/payment/usb/serial
  • Referrer-Policy: strict-origin-when-cross-origin
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • COOP/COEP same-origin

External grades targeted: Mozilla Observatory ≥ A, Hardenize ≥ A, SSL Labs A+. CI fails on regression.

DNS

  • DNSSEC enabled
  • CAA pinned (Cloudflare + Let’s Encrypt)

Email

  • SPF
  • DKIM (Resend)
  • DMARC p=reject
  • MTA-STS
  • TLS-RPT

WAF + rate limiting

  • Cloudflare managed ruleset + OWASP CRS sensitivity medium
  • Bot Fight Mode on
  • Rate limits: /api/contact 5/min, /api/lead-magnet 10/min, /ai/* 20/min (when v1.1 ships)
  • Turnstile on all public forms (no per-user tracking)

Privacy-first analytics

  • Cloudflare Web Analytics (cookieless)
  • Workers Analytics Engine for custom events (server-side only, no PII)
  • No third-party trackers

Disclosure policy

We follow a 90-day responsible disclosure window:

  • Acknowledge within 2 working days
  • Initial triage within 5 working days
  • Resolution within 30 days for high/critical, 90 days otherwise
  • Coordinated disclosure with the reporter; default 90-day window

Report vulnerabilities to:

We will not pursue legal action against good-faith research that avoids privacy violations, data destruction and service disruption, touches only the researcher's own accounts, and allows reasonable time before disclosure.

Out of scope

  • Third-party services (report to vendor)
  • Social engineering
  • Physical security
  • Volumetric DoS

Effective date

Effective: 2026-04-20 · Last reviewed: 2026-04-20 · Version: 1.0.0
