Security Policy

Last updated: 24 March 2026

1. Introduction

At TenuTech (Pty) Ltd ("TenuTech", "we", "us", or "our"), the security of the SkillTracer platform and the protection of our users' data are fundamental to our operations. This Security Policy outlines the technical, administrative, and organisational measures we implement to safeguard the confidentiality, integrity, and availability of all data processed through the Platform.

This policy applies to the SkillTracer web application, mobile application, and all supporting infrastructure.

2. Data Encryption

2.1 Data in Transit

All data transmitted between users and the Platform is encrypted using Transport Layer Security (TLS 1.2 or higher). This applies to all web traffic, API communications, and mobile application connections. HTTP Strict Transport Security (HSTS) headers are enforced to prevent protocol downgrade attacks.

2.2 Data at Rest

Sensitive data stored in our databases, including personal information, authentication credentials, and assessment data, is encrypted using industry-standard encryption algorithms (AES-256). Database backups are encrypted with the same standard.

2.3 Password Security

User passwords are never stored in plain text. All passwords are hashed using the bcrypt algorithm with a cost factor that meets or exceeds current industry recommendations. Password reset tokens are time-limited and single-use.

3. Access Control

3.1 Role-Based Access Control (RBAC)

The Platform implements a granular role-based access control system. Each user is assigned a specific role (e.g., administrator, manager, coach, athlete, parent) that determines their level of access to data and functionality. Access permissions are enforced at both the application and database levels.

3.2 Authentication

  • Strong password requirements: Users are required to create passwords that meet minimum complexity standards, including length and character diversity.
  • Session management: User sessions are securely managed with encrypted session tokens, automatic timeout after periods of inactivity, and protection against session fixation and hijacking.
  • Rate limiting: Login attempts are rate-limited to protect against brute-force attacks. Accounts are temporarily locked after repeated failed authentication attempts.

3.3 Administrative Access

Access to production systems, databases, and infrastructure is restricted to authorised personnel only. Administrative access requires multi-factor authentication and is logged for audit purposes. The principle of least privilege is applied to all system accounts.

4. Infrastructure and Network Security
  • Firewall protection: Network-level and application-level firewalls are configured to restrict unauthorised inbound and outbound traffic.
  • Intrusion detection and prevention: We deploy intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor for and respond to suspicious network activity in real time.
  • DDoS mitigation: The Platform is protected against distributed denial-of-service (DDoS) attacks through traffic filtering and rate limiting at the network edge.
  • Network segmentation: Production, staging, and development environments are logically separated. Database servers are not directly accessible from the public internet.
  • Regular patching: All servers, frameworks (including Laravel), operating systems, and third-party dependencies are regularly updated and patched to address known vulnerabilities.
5. Application Security
  • Input validation and sanitisation: All user inputs are validated and sanitised to prevent injection attacks, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • CSRF protection: All state-changing requests are protected with CSRF tokens, which are validated on every request.
  • Content Security Policy (CSP): HTTP security headers, including CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy, are configured to mitigate common web-based attacks.
  • Secure file uploads: Uploaded files are validated for type, size, and content. Files are stored in isolated storage with restricted access permissions.
  • Code review: All code changes undergo peer review before deployment, with particular attention to security-sensitive components.
  • Dependency management: Third-party libraries and packages are regularly audited for known vulnerabilities using automated scanning tools.
6. Data Storage and Backup
  • Database security: Databases are hosted in secure, access-controlled environments with encrypted connections. Sensitive fields are encrypted at the application level in addition to storage-level encryption.
  • Automated backups: Database backups are performed on a regular schedule, encrypted, and stored in geographically separate locations to ensure data recovery in the event of a disaster.
  • Backup testing: Backup restoration procedures are periodically tested to verify data integrity and recovery capability.
  • Data isolation: Where the Platform serves multiple organisations, logical data isolation ensures that each organisation's data is accessible only to its authorised users.
7. Mobile Application Security
  • Secure communication: The SkillTracer mobile application (built with Flutter) communicates exclusively over encrypted channels (TLS).
  • Local data protection: Sensitive data stored locally on mobile devices is encrypted using platform-native secure storage mechanisms.
  • Token-based authentication: Mobile sessions use secure, time-limited tokens for authentication. Tokens are stored in secure device storage and are not exposed to other applications.
  • App integrity: The mobile application is distributed exclusively through official app stores (Google Play Store and Apple App Store) and is code-signed to prevent tampering.
8. Third-Party Security

All third-party services and integrations (including WhatsApp/Meta, Google services, and verification providers) are evaluated for security compliance before integration. We ensure that:

  • Third-party services are accessed using secure API connections with encrypted credentials.
  • API keys and secrets are stored in environment variables or secure vaults, never in source code.
  • Data shared with third parties is limited to the minimum necessary for the intended function.
  • Third-party providers maintain security standards consistent with our own.
9. Monitoring, Logging, and Auditing
  • Activity logging: Security-relevant events, including authentication attempts, access to sensitive data, administrative actions, and configuration changes, are logged with timestamps and user identifiers.
  • Continuous monitoring: Systems are continuously monitored for anomalous activity, performance degradation, and potential security threats.
  • Log retention: Security logs are retained for a minimum period in accordance with regulatory requirements and are protected against unauthorised modification or deletion.
  • Security audits: Regular internal security assessments and periodic external penetration testing are conducted to identify and remediate vulnerabilities.
10. Incident Response

TenuTech maintains a formal incident response plan to ensure timely and effective handling of security incidents:

  • Detection and classification: Security incidents are detected through automated monitoring, log analysis, and user reports. Each incident is classified by severity and impact.
  • Containment and investigation: Upon detection, immediate steps are taken to contain the incident, preserve evidence, and investigate the root cause.
  • Notification: Affected users and relevant regulatory authorities (including the Information Regulator of South Africa, where required under POPIA) are notified within the timeframes prescribed by applicable law.
  • Remediation: Identified vulnerabilities are remediated promptly, and preventive measures are implemented to reduce the likelihood of recurrence.
  • Post-incident review: A post-incident review is conducted to document lessons learned and to update security procedures as necessary.
11. Business Continuity and Disaster Recovery

TenuTech maintains business continuity and disaster recovery plans to ensure the resilience of the Platform:

  • Regular encrypted backups stored in geographically separate locations.
  • Documented recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO).
  • Periodic testing of disaster recovery procedures to validate effectiveness.
12. User Responsibilities

Security is a shared responsibility. As a user of the Platform, we ask that you:

  • Choose a strong, unique password and do not share it with others.
  • Keep your devices and browsers up to date with the latest security patches.
  • Log out of the Platform when using shared or public devices.
  • Report any suspicious activity, potential vulnerabilities, or security concerns to support@skilltracer.com immediately.
  • Do not attempt to access data or functionality beyond what is authorised for your role.
13. Responsible Vulnerability Disclosure

If you discover a security vulnerability in the Platform, we encourage you to report it responsibly. Please contact us at support@skilltracer.com with details of the vulnerability. We commit to:

  • Acknowledging receipt of your report within forty-eight (48) hours.
  • Investigating and addressing the vulnerability promptly.
  • Keeping you informed of the progress toward resolution.
  • Not pursuing legal action against individuals who report vulnerabilities in good faith and in accordance with this policy.
14. Contact Us

If you have any questions or concerns about this Security Policy, please contact us: