TradeJournal

Information Security Policy

Last Updated: 7 April 2026

Tapnet Solutions (Pty) Ltd
tradejournal.co.za

1. Purpose and Scope

This Information Security Policy sets out the technical and organisational measures implemented by Tapnet Solutions (Pty) Ltd, trading as TradeJournal, to protect personal information and platform infrastructure against unauthorised access, loss, damage, or destruction.

This policy applies to tradejournal.co.za and all other websites, applications, and digital services operated by Tapnet Solutions (Pty) Ltd.

These measures are implemented in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA), specifically the security safeguards condition (Condition 7), which requires a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control.

2. Access Controls

Access to personal information and platform systems is controlled through the following measures:

  • Role-based access control (RBAC): Access to data and systems is granted based on the principle of least privilege, ensuring that individuals only have access to the information and resources necessary for their role
  • Strong password requirements: All accounts require strong passwords that meet minimum complexity and length requirements
  • Multi-factor authentication (MFA): MFA is required for all administrative access to production systems, databases, and hosting infrastructure
  • Access reviews: Access permissions are reviewed regularly and revoked promptly when no longer required

3. Encryption

Encryption is used to protect personal information both in transit and at rest:

  • Data in transit: All data transmitted between the user's browser and our servers is encrypted using TLS 1.2 or higher
  • Database connections: All connections to our PostgreSQL database use TLS with SCRAM channel binding enabled, which ties authentication to the specific TLS connection the client established and so mitigates man-in-the-middle attacks against the database connection
  • HTTPS enforcement: HTTPS is enforced across all pages and API endpoints via HTTP Strict Transport Security (HSTS) headers, so that browsers which have seen the header refuse plain HTTP and protocol downgrade (SSL-stripping) attacks are prevented

4. Infrastructure Security

Our platform infrastructure is secured through the following measures:

  • Vercel hosting: The platform is hosted on Vercel, which provides enterprise-grade DDoS protection, edge network security, and automated TLS certificate management
  • Neon managed PostgreSQL: Our database is hosted on Neon, which provides managed PostgreSQL with automated backups, point-in-time recovery, and infrastructure-level security
  • Security headers: The following security headers are implemented across the platform:
    • Content-Security-Policy (CSP)
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • X-XSS-Protection (a legacy header retained for older browsers; current browsers ignore it and rely on the CSP)
    • Strict-Transport-Security (HSTS)
    • Referrer-Policy
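The following script is an added example and is not TradeJournal's own code. It audits a set of response headers against the list above (HSTS with a max-age of at least one year, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a Referrer-Policy, and a CSP that does not permit inline or wildcard scripts), and flags the legacy X-XSS-Protection header unless it is explicitly set to 0. The two header sets at the bottom are constructed samples, not captured from the live site.

```javascript
// Added example (not TradeJournal's own code): audit a response's security
// headers against the policy list. Header names are matched case-insensitively;
// the sample header sets at the bottom are constructed for illustration.

const ONE_YEAR = 31536000;

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns an array of findings; an empty array means the headers meet the policy.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    if (!d['default-src']) findings.push('CSP lacks default-src');
    // script-src falls back to default-src when absent.
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    const hasNonceOrHash = scriptSrc.some(
      s => s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
           s.startsWith("'sha384-") || s.startsWith("'sha512-")
    );
    // When a nonce or hash is present, CSP-aware browsers ignore 'unsafe-inline',
    // so that combination is an accepted backwards-compatibility pattern.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    if (scriptSrc.includes('*')) findings.push('script-src allows any origin');
    if (!d['frame-ancestors']) findings.push('CSP lacks frame-ancestors (X-Frame-Options alone is the legacy control)');
  }

  // Legacy header: current browsers ignore it, and the old '1; mode=block'
  // auditor could be abused in browsers that still had one, so '0' is the
  // safe explicit value.
  const xss = h['x-xss-protection'];
  if (xss !== undefined && xss.trim() !== '0') findings.push('X-XSS-Protection should be 0 (legacy auditor)');

  return findings;
}

// Constructed sample header sets (not captured from the live site).
const POLICY_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'X-XSS-Protection': '0',
};

const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
};

console.log('policy set:', auditSecurityHeaders(POLICY_HEADERS));
console.log('weak set:', auditSecurityHeaders(WEAK_HEADERS));
```

Run it against the headers returned by any page or API route (for example, the object you get from fetch().headers) to confirm the deployed configuration still matches this policy after a framework or hosting change.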

5. Rate Limiting

Rate limiting is applied to protect the platform against brute-force attacks, abuse, and excessive use:

Endpoint                             Rate limit
Registration                         5 requests per minute per IP
Login                                5 requests per minute per IP
Public forms (contact, newsletter)   10 requests per minute per IP
API endpoints                        100 requests per minute per IP
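The following is an added example of how the tiers in the table above can be enforced; it is not TradeJournal's own code. It uses an in-memory sliding window of 60 seconds keyed by tier and client IP. The request paths used to select a tier are assumed for illustration, and the in-memory store only works within one process: on a serverless host such as Vercel, a shared store (for example Redis) would be needed so that all instances count against the same budget, which this example does not implement.

```javascript
// Added example (not TradeJournal's own code): a per-IP sliding-window rate
// limiter enforcing the policy's tiers. Paths below are assumed, not the
// platform's real routes.

const WINDOW_MS = 60_000;

// Tier rules: first matching rule wins, so the specific auth routes are
// checked before the general /api/ prefix.
const TIERS = [
  { name: 'registration', test: p => p === '/api/auth/register', limit: 5 },
  { name: 'login',        test: p => p === '/api/auth/login',    limit: 5 },
  { name: 'public-form',  test: p => p === '/api/contact' || p === '/api/newsletter', limit: 10 },
  { name: 'api',          test: p => p.startsWith('/api/'),      limit: 100 },
];

function tierFor(path) {
  return TIERS.find(t => t.test(path)) || null; // null = not rate limited
}

// Client IP. Only trust x-forwarded-for when the hosting platform sets it in
// front of the application (as Vercel does); otherwise a client could spoof the
// header to obtain a fresh budget. The first entry is the originating client.
function clientIp(headers, socketIp) {
  const xff = headers['x-forwarded-for'];
  if (typeof xff === 'string' && xff.length > 0) return xff.split(',')[0].trim();
  return socketIp;
}

class SlidingWindowLimiter {
  // `now` is injectable so the window can be tested without waiting a minute.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.hits = new Map(); // key -> array of request timestamps inside the window
  }

  // Returns { allowed, remaining, retryAfterMs }.
  check(tierName, limit, ip) {
    const key = `${tierName}:${ip}`;
    const t = this.now();
    const cutoff = t - WINDOW_MS;
    const stamps = (this.hits.get(key) || []).filter(s => s > cutoff);
    if (stamps.length >= limit) {
      this.hits.set(key, stamps);
      // Oldest hit in the window decides when capacity frees up again.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + WINDOW_MS - t };
    }
    stamps.push(t);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: limit - stamps.length, retryAfterMs: 0 };
  }
}

// req: { path, headers, socketIp } as a minimal stand-in for a framework request.
function rateLimit(limiter, req) {
  const tier = tierFor(req.path);
  if (!tier) return { allowed: true, remaining: Infinity, retryAfterMs: 0 };
  const ip = clientIp(req.headers, req.socketIp);
  return limiter.check(tier.name, tier.limit, ip);
}

// Demonstration with a constructed request (203.0.113.10 is a documentation address).
const demo = new SlidingWindowLimiter();
const loginReq = { path: '/api/auth/login', headers: { 'x-forwarded-for': '203.0.113.10' }, socketIp: '10.0.0.1' };
for (let i = 1; i <= 6; i++) {
  console.log(`login attempt ${i}:`, rateLimit(demo, loginReq));
}
```

When a request is refused, respond with HTTP 429 and a Retry-After header derived from retryAfterMs, and count the refused request in the access logs so that the monitoring described in section 7 can see brute-force attempts rather than only the successes.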

6. Application Security

The following application-level security measures are in place to protect against common web vulnerabilities:

  • Input validation: All user input is validated against Zod schemas before it is processed, so that malformed, oversized, or unexpected input is rejected at the boundary rather than reaching application logic
  • Parameterised database queries: All database interactions use parameterised queries via Prisma ORM, so that user-supplied values are never interpolated into SQL text, preventing SQL injection attacks
  • Content Security Policy: A strict CSP is enforced to restrict the sources from which scripts and other resources may load, mitigating cross-site scripting (XSS) and other code injection attacks
  • Supporting headers: X-Content-Type-Options: nosniff prevents browsers from MIME-sniffing responses into executable content; X-XSS-Protection is a legacy header retained for older browsers only, as current browsers ignore it and rely on the CSP

7. Monitoring and Logging

We maintain monitoring and logging capabilities to detect and respond to security incidents:

  • Server-side logging: Application and access logs are maintained for security analysis and incident investigation
  • Access monitoring: Administrative access to production systems is logged and reviewed
  • Anomaly detection: Unusual patterns of access or behaviour are monitored to identify potential security threats

Logs are retained for 90 days in accordance with our Data Retention Policy.

8. Incident Response

In the event of a security incident or data breach, our Data Breach Response Plan is activated immediately. This plan includes procedures for:

  • Identifying and containing the breach
  • Assessing the scope and impact
  • Notifying the Information Regulator and affected data subjects as required by POPIA Section 22
  • Remediating the vulnerability and preventing recurrence
  • Documenting the incident and conducting a post-incident review

9. Data Backup

Data backup is managed to ensure business continuity and data recovery:

  • Database backups: Managed by Neon with point-in-time recovery capability, allowing restoration to any point within the backup retention window
  • Application-level backups: Application code and configuration are version-controlled and can be redeployed at any time
  • Backup retention: Backups are retained on a 30-day rolling basis and automatically overwritten thereafter

10. Employee and Contractor Security

All individuals with access to personal information or production systems are subject to the following requirements:

  • Non-disclosure agreements (NDAs): All personnel and contractors must sign NDAs before being granted access to personal information or systems
  • Security awareness: All personnel are briefed on their data protection and security responsibilities
  • Access revocation: On termination of employment or contract, all access to systems and data is revoked immediately

11. Third-Party Security

All third-party operators (processors) who process personal information on our behalf are assessed for adequate security measures:

  • Operators are required to implement security measures that meet or exceed our own standards
  • Data Processing Agreements (DPAs) or equivalent contractual terms are in place with all operators
  • Operators are contractually obligated to notify us of any security incidents affecting our data

Details of our current operators and their agreements are set out in our Operator Agreements page.

12. Policy Review

This policy is reviewed annually by the Information Officer to ensure that security measures remain appropriate, effective, and aligned with current threats and best practices.

Updates to this policy are communicated to all relevant personnel and published on our website.

13. Contact

For questions about this policy or to report a security concern, please contact:

Information Officer

Wynand de Beer

Email: wynand@tapnet.co.za

Phone: 079 174 8357

Address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa

Information Regulator (South Africa)

Email: enquiries@inforegulator.org.za

Phone: 012 406 4818

Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Website: https://inforegulator.org.za

This site is operated by Tapnet Solutions (Pty) Ltd.