Security
Reviewed: September 6, 2025 • Focus: Protect user content, keep services available, minimize data
We keep data collection minimal and protect what we do handle. No system is perfect, but we use industry-standard controls, monitor continuously, and respond quickly if something goes wrong.
Core practices
- Encryption: TLS for data in transit; secrets and keys stored encrypted; HSTS enabled.
- Access control: least-privilege roles, MFA for admin access, audited admin actions.
- Hardened hosting: WAF/DDoS protections, rate-limiting, and automated abuse detection.
- Change management: all changes via code review and CI/CD; tracked releases and rollbacks.
- Dependencies: pinned versions, automated vulnerability alerts, and regular updates.
- Backups: periodic backups for critical config; restore tests before major releases.
- Logging: security/event logs with retention limits; no sensitive payloads in logs.
- Minimal data: we store as little as possible, for as short a time as possible.
Third-party services
We use reputable providers under contract to deliver hosting, security, email, and analytics. They may only process data to provide services to GovTok.
- Hosting/CDN/edge security (e.g., WAF, DDoS)
- Email delivery & support
- Analytics: Google Analytics (GA4) in a basic configuration (no ads/remarketing)
Incident response
- Detect and triage events via alerts and logs.
- Contain, eradicate, and recover using documented runbooks.
- Notify affected users as required by law and good practice.
- Post-incident review and hardening to prevent repeats.
Vulnerability disclosure
If you believe you’ve found a security issue, please report it responsibly. Don’t access data that isn’t yours, don’t disrupt services, and give us reasonable time to fix it. See our security.txt for contacts (and PGP if available).
- Email: security@govtok.us
- Web: /contact
We don’t offer a bug bounty at this time. Thanks in advance for responsible disclosure.
Data retention
- Ephemeral security logs kept briefly for threat detection, then minimized/aggregated.
- Saved drafts (if you opt in) are retained until you delete them or until a reasonable period of inactivity has passed, then purged.
- Legal holds only when required, as narrowly as possible.
Privacy & analytics
See our Privacy Policy for details about Google Analytics and your opt-out options. We do not use analytics for advertising or remarketing.
Contact
Security questions or requests? Email security@govtok.us. For general questions, use our contact page.