Codbip
Security first

Security

The concrete measures we put in place to protect your accounts, access and data.

Last updated: March 16, 2026

1. Infrastructure

- Next.js application deployed on Vercel with automatic HTTPS/TLS on all routes
- Self-hosted Directus CMS in the EU with granular access control per collection and per role
- Redis used for rate limiting and server-side session management
2. Application security

- Content Security Policy (CSP) headers enforced on all HTTP responses
- Permissions-Policy headers configured to restrict access to sensitive browser APIs
- CSRF token protection on all sensitive forms
- Cloudflare Turnstile captcha on all public-facing forms (contact, newsletter, login)
- Rate limiting on all API routes, backed by Redis
- HTML sanitization applied to all user inputs before processing or storage
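The Redis-backed rate limiting listed above (and under Infrastructure) is, in its common form, a fixed-window counter: one INCR per request on a per-client key, and an EXPIRE that ends the window. The block below is an added example written for this page, not Codbip's code. It runs the check against an in-memory stand-in whose methods mirror the Redis INCR, EXPIRE and PTTL commands, so the same check() logic can be pointed at a real client (whose methods return promises and would be awaited). The key format, bucket names, limits and the 203.0.113.7 client address are constructed for the demonstration.

```javascript
// Added example (not Codbip's code): the fixed-window rate limiter pattern
// Redis is commonly used for, INCR on a per-client key plus EXPIRE on the
// window. MemoryStore is an in-memory stand-in that mirrors the three Redis
// commands the pattern needs (INCR, EXPIRE, PTTL); it takes an injectable
// clock so the window rollover can be exercised deterministically.

class MemoryStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // key -> { count, expiresAt (ms) or null }
  }

  // INCR semantics: an expired key counts as absent and restarts at 1.
  incr(key) {
    const t = this.now();
    const e = this.entries.get(key);
    if (!e || (e.expiresAt !== null && e.expiresAt <= t)) {
      this.entries.set(key, { count: 1, expiresAt: null });
      return 1;
    }
    e.count += 1;
    return e.count;
  }

  // EXPIRE semantics: set a TTL in seconds; returns 0 if the key is absent.
  expire(key, seconds) {
    const e = this.entries.get(key);
    if (!e) return 0;
    e.expiresAt = this.now() + seconds * 1000;
    return 1;
  }

  // PTTL semantics: remaining ms, -1 when the key has no TTL, -2 when absent.
  pttl(key) {
    const e = this.entries.get(key);
    if (!e) return -2;
    if (e.expiresAt === null) return -1;
    const remaining = e.expiresAt - this.now();
    return remaining > 0 ? remaining : -2;
  }
}

// Builds a limiter allowing `limit` requests per `windowSeconds` per client.
// `clientId` must be something the client cannot choose freely: the verified
// session subject on authenticated routes, or the client IP as reported by
// the trusted edge, never a header the client itself can set.
function createRateLimiter(store, { limit, windowSeconds }) {
  return function check(bucket, clientId) {
    const key = `ratelimit:${bucket}:${clientId}`; // constructed key format
    const count = store.incr(key);
    let ttlMs = store.pttl(key);
    // Set the TTL only when this call created the key. Calling EXPIRE on
    // every hit would push the window forward each time, so a busy client
    // would never be let back in. The -1 branch repairs a key that lost its
    // TTL (for example a crash between INCR and EXPIRE); without it the
    // counter would grow forever and lock that client out permanently.
    if (count === 1 || ttlMs === -1) {
      store.expire(key, windowSeconds);
      ttlMs = windowSeconds * 1000;
    }
    return {
      allowed: count <= limit,
      remaining: Math.max(0, limit - count),
      // Seconds until the window resets, rounded up for a Retry-After header.
      retryAfterSeconds: Math.max(1, Math.ceil(ttlMs / 1000)),
    };
  };
}

// Translates a check() result into the headers a 429 (or a 200) should carry.
function rateLimitHeaders(result, limit) {
  const headers = {
    'RateLimit-Limit': String(limit),
    'RateLimit-Remaining': String(result.remaining),
  };
  if (!result.allowed) {
    headers['Retry-After'] = String(result.retryAfterSeconds);
  }
  return headers;
}

// Demonstration with a constructed clock: 3 requests per 60 s window.
function demo() {
  let clock = 1_000_000;
  const store = new MemoryStore(() => clock);
  const check = createRateLimiter(store, { limit: 3, windowSeconds: 60 });
  const results = [];
  for (let i = 0; i < 4; i++) results.push(check('login', '203.0.113.7').allowed);
  // -> [true, true, true, false]
  clock += 61_000; // window has elapsed, counter restarts
  results.push(check('login', '203.0.113.7').allowed); // -> true
  return results;
}
```

The two comments in check() mark the points that go wrong in practice: attaching the TTL only on key creation, and repairing a key that has no TTL. Against a real Redis, the INCR/EXPIRE pair can be made atomic with a short Lua script (EVAL), or replaced by SET with NX and EX followed by INCR; the check result maps onto a 429 response through rateLimitHeaders().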
3. Authentication

- JWT-based authentication for admin and client dashboards
- Password hashing with bcrypt
- Role-based access control (admin, client roles) with strict permission separation
4. Data protection

- TLS encryption for all data in transit
- Encryption at rest provided by Directus
- Secrets and API keys stored exclusively in server-side environment variables, never exposed client-side
- No sensitive data in localStorage: only user preferences (language, theme) are stored there
5. Incident response

We maintain continuous monitoring and logging of our systems. In the event of a security incident, we isolate affected components, assess the impact, notify impacted users when required and document all corrective actions taken.

6. Security contact

To report a vulnerability or incident: [email protected]

Questions about this document?

[email protected]