This Security Policy applies to:

• The ProIT Solutions website and its supporting infrastructure.
• Client portals, dashboards, learning platforms, applications, APIs, and digital services operated by ProIT Solutions.
• Internal development, deployment, administration, communication, and support systems.
• Personal information, project information, source code, credentials, documentation, and business records under ProIT Solutions' control.
• Employees, contractors, developers, tutors, administrators, service providers, and other authorised users.

This public policy describes our general security approach. Detailed configurations, network diagrams, credentials, detection rules, internal procedures, and other sensitive security information are not published because disclosure could increase security risk.

Access to systems and information should be granted only to authorised users and should be appropriate to their responsibilities.

Depending on system sensitivity, measures may include:

• Unique user accounts and restricted administrative access.
• Role-based access controls and permission separation.
• Strong password requirements.
• Multi-factor authentication where available and appropriate.
• Secure session management and authentication tokens.
• Account lockout, throttling, or rate limiting against repeated attempts.
• Periodic review and removal of unnecessary access.
• Prompt access removal when a role, employment, contract, or project ends.
• Logging of important administrative and authentication events.

Shared administrative accounts should be avoided where practical. Credentials must not be embedded in public source code, client-side applications, screenshots, documentation, or publicly accessible repositories.

Security safeguards are selected according to the nature, sensitivity, value, and risk of the information being processed.

• Encryption in transit where supported by the relevant system or provider.
• Controlled access to databases, storage, dashboards, and administrative tools.
• Separation of development, testing, and production environments where reasonably practicable.
• Secure handling of API keys, tokens, passwords, certificates, and secrets.
• Limited use of production information in development and testing.
• Retention and deletion practices aligned with legitimate operational and legal requirements.
• Backups and recovery measures appropriate to the service.
• Confidentiality obligations for authorised personnel and service providers.

Highly sensitive information should not be sent through insecure or unauthorised communication channels.

Security should form part of the software development lifecycle rather than being treated only as a final deployment activity.

The exact development and testing controls used may vary according to project scope, hosting environment, client requirements, budget, system sensitivity, and agreed service level.

Infrastructure safeguards may include, where relevant:

• Secure cloud and server configuration.
• Restricted network exposure and administrative interfaces.
• HTTPS and valid transport security certificates.
• Firewalls, provider-level security controls, and traffic filtering.
• Security headers and browser-facing protections.
• System, framework, dependency, and operating-system updates.
• Rate limiting and abuse-prevention controls.
• Environment-variable and secret-management practices.
• Segmentation or isolation between services where appropriate.
• Removal or disabling of unnecessary services and default credentials.

Infrastructure configurations may differ between ProIT-operated services and systems hosted or controlled by a client.

ProIT Solutions may collect and review operational and security logs for purposes including:

• Detecting unauthorised access and suspicious authentication activity.
• Investigating application errors, service failures, and security events.
• Monitoring availability, performance, and abnormal behaviour.
• Preventing fraud, automated abuse, scraping, spam, and denial-of-service activity.
• Maintaining audit records for important administrative actions.
• Supporting incident investigation and recovery.

Logs should be protected against unnecessary access and retained only for a period reasonably required for security, operational, legal, or diagnostic purposes.

ProIT Solutions may rely on third-party providers for hosting, authentication, email, payments, storage, monitoring, analytics, communications, and other infrastructure.

Provider selection may consider factors such as:

• The nature and sensitivity of information being processed.
• Security capabilities and available access controls.
• Reliability, availability, and backup options.
• Contractual and confidentiality commitments.
• Data location and international transfer considerations.
• Incident reporting and support capabilities.
• The provider's role within the relevant service architecture.

No third-party provider is risk-free. Provider dependencies are considered as part of service and security risk management.

A security incident may include unauthorised access, credential exposure, malicious activity, service compromise, data loss, or unintended disclosure.

Incident response activities may include:

• Receiving and recording the incident report.
• Confirming and assessing the nature and scope of the incident.
• Containing affected systems, credentials, accounts, or access paths.
• Preserving relevant evidence and technical records.
• Removing malicious access or remediating the vulnerability.
• Recovering services and monitoring for repeated activity.
• Documenting the incident, decisions, actions, and lessons learned.
• Notifying affected clients, users, providers, regulators, or authorities where required.

Notifications may be delayed where reasonably necessary to investigate the incident, restore system integrity, protect users, or comply with lawful instructions.

Backup and recovery arrangements depend on the relevant service, architecture, hosting provider, and client agreement.

• Important production information may be backed up according to service requirements.
• Backups should be protected from unnecessary access.
• Recovery procedures may be tested where reasonably practicable.
• Critical configuration and deployment information should be documented appropriately.
• Service dependencies and recovery priorities may be identified for important systems.
• Clients remain responsible for maintaining any backups expressly allocated to them under a project or hosting agreement.

Backups reduce risk but cannot guarantee that every file, transaction, message, or change can be recovered in every circumstance.

Users and clients are responsible for:

• Using strong, unique passwords.
• Enabling multi-factor authentication where available.
• Keeping devices, browsers, applications, and operating systems updated.
• Protecting API keys, access tokens, passwords, recovery codes, and administrative credentials.
• Restricting account access to authorised personnel.
• Reviewing account permissions when team members change roles or leave.
• Reporting suspicious activity or possible credential exposure promptly.
• Maintaining appropriate backups where backup responsibility belongs to the client.
• Avoiding the transmission of sensitive information through insecure channels.
• Complying with applicable laws, licences, agreements, and acceptable-use rules.

ProIT Solutions is not responsible for a compromise caused solely by a client or user failing to protect credentials, devices, accounts, or systems under their control, subject to applicable law and contractual obligations.

Security researchers and users may report a suspected vulnerability by emailing info@proit.dev.

Please include:

• The affected website, application, endpoint, or service.
• A clear description of the suspected vulnerability.
• Steps required to reproduce the issue.
• The potential impact.
• Relevant screenshots, request details, or technical evidence.
• Your contact information for follow-up.

Reports should avoid including unnecessary personal information, credentials, private client data, or confidential source code.

ProIT Solutions will assess reports according to severity, impact, reproducibility, affected systems, available resources, and required remediation work.

This Security Policy does not grant permission to access or test any ProIT Solutions or client system.

Without prior written authorisation, you must not:

• Access, download, alter, destroy, or disclose another person's information.
• Use stolen, exposed, guessed, or unauthorised credentials.
• Perform denial-of-service, stress, load, or resource-exhaustion testing.
• Deploy malware, ransomware, destructive payloads, or persistent access mechanisms.
• Conduct social engineering, phishing, impersonation, or physical attacks.
• Scan or test client environments not owned and controlled by ProIT Solutions.
• Disrupt production services, transactions, communications, or user activity.
• Publicly disclose an unresolved vulnerability in a way that creates avoidable risk.
• Attempt to bypass payment, authentication, authorisation, or account restrictions.

Authorised security assessments must be governed by a written scope, approved testing period, permitted techniques, communication process, and rules of engagement.

Although ProIT Solutions seeks to apply appropriate safeguards, no website, application, network, cloud provider, authentication system, or storage platform can be guaranteed to be completely secure or continuously available.

Security controls may be affected by newly discovered vulnerabilities, third-party failures, user error, device compromise, malicious activity, infrastructure outages, or events beyond reasonable control.

This policy is a public overview and does not constitute a guarantee that a particular control is available in every product, client project, deployment, or hosting environment.

Security questions and vulnerability reports may be submitted using:

For urgent reports, use the subject line Urgent Security Report.

This policy may be updated as our services, infrastructure, security practices, providers, legal requirements, or risk environment change. The latest version will be published on this page.