Security Policy
Last updated: 21 June 2025
Choicevector is committed to protecting the security of our platform, our systems, and the information entrusted to us by our users. This Security Policy describes the measures we take to safeguard data, maintain system integrity, and respond to security incidents.
1. Scope
This policy applies to all systems, services, and infrastructure operated by Choicevector under the domain choicevector.info, including web applications, databases, communication channels, and any supporting third-party services used to deliver our platform.
2. Data Protection
2.1 Data in Transit
All data transmitted between users and our platform is encrypted using industry-standard Transport Layer Security (TLS). We do not permit unencrypted connections for any service that handles personal or account-related information.
2.2 Data at Rest
Sensitive data stored on our systems is encrypted at rest using strong encryption standards. Encryption keys are managed separately from the data they protect and are rotated on a defined schedule.
2.3 Data Minimisation
We collect and retain only the data necessary to provide our services. Data that is no longer required is securely deleted in accordance with our data retention practices.
3. Access Controls
3.1 Principle of Least Privilege
Access to systems, databases, and administrative tools is granted on a least-privilege basis. Personnel are given only the access necessary to perform their specific responsibilities.
3.2 Authentication
All internal systems require strong authentication. Where technically feasible, multi-factor authentication is enforced for access to production environments and sensitive administrative interfaces.
3.3 Access Reviews
Access rights are reviewed periodically. Access is revoked promptly when no longer required, including upon changes in role or termination of engagement.
4. Infrastructure Security
4.1 Network Security
Our infrastructure is protected by firewalls, network segmentation, and traffic monitoring. Unnecessary ports and services are disabled. Administrative access to infrastructure is restricted to secured channels.
4.2 Patch Management
Operating systems, software dependencies, and third-party components are kept up to date. Critical security patches are applied promptly following disclosure.
4.3 Vulnerability Management
We conduct periodic vulnerability assessments of our systems. Identified vulnerabilities are prioritised and remediated based on their severity and potential impact.
5. Application Security
5.1 Secure Development Practices
Security considerations are integrated into our development process. Code changes are reviewed before deployment. We follow established guidelines for preventing common vulnerabilities including injection attacks, cross-site scripting, and insecure authentication flows.
5.2 Dependency Management
Third-party libraries and components used in our platform are monitored for known security vulnerabilities. Outdated or vulnerable dependencies are updated or replaced in a timely manner.
5.3 Testing
Security testing is performed as part of our release process. We conduct both automated scanning and manual review of security-sensitive areas of the application.
6. Monitoring and Logging
Our systems generate logs of access events, errors, and administrative actions. These logs are stored securely and monitored for anomalous activity. Log data is retained for a defined period and is accessible only to authorised personnel.
7. Incident Response
7.1 Detection and Containment
We maintain procedures for detecting, containing, and investigating security incidents. Upon identifying a potential incident, our team acts promptly to limit impact and preserve evidence for investigation.
7.2 Notification
In the event of a security incident that affects user data or platform availability, we will notify affected users in a timely manner with relevant details and recommended actions, consistent with our obligations and the nature of the incident.
7.3 Post-Incident Review
Following resolution of a security incident, we conduct a review to identify root causes and implement measures to prevent recurrence.
8. Third-Party Services
We work with third-party providers for hosting, payment processing, communications, and other platform functions. We evaluate the security practices of our providers before engagement and require that they maintain appropriate security standards. We do not share user data with third parties beyond what is necessary to deliver our services.
9. Physical Security
Our platform is hosted in facilities that maintain physical access controls, environmental protections, and redundancy measures. Physical access to infrastructure is restricted to authorised personnel only.
10. Business Continuity and Backups
Critical data is backed up regularly. Backups are encrypted and stored in a manner that supports recovery in the event of data loss or system failure. Recovery procedures are tested periodically to verify their effectiveness.
11. Employee Security Practices
Personnel with access to systems or user data are informed of their security responsibilities. We maintain internal guidelines covering acceptable use, password management, device security, and handling of sensitive information.
12. Responsible Disclosure
If you discover a potential security vulnerability in our platform, we encourage you to report it to us promptly. Please contact us at info@choicevector.info with a description of the issue. We ask that you avoid accessing, modifying, or disclosing data beyond what is necessary to demonstrate the vulnerability. We will acknowledge your report and work to address confirmed issues in a reasonable timeframe.
13. Changes to This Policy
We may update this Security Policy from time to time to reflect changes in our practices, technology, or obligations. The date at the top of this page indicates when the policy was last revised. Continued use of our platform following any update constitutes acceptance of the revised policy.
14. Contact
For questions or concerns regarding this Security Policy, please contact us:
- Email: info@choicevector.info
- Phone: +64 27 673 0095
- Address: 81 Shamrock Street, Takaro, Palmerston North 4412, New Zealand