WhatsApp BOOK A CALL

Security & Trust

Last reviewed: · Effective: 2026-05-16

We take security seriously. Both for our own site and for the production sites we build and operate for clients.

1. Posture

  • Encryption in transit: TLS 1.3 with HSTS preload. Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.
  • Encryption at rest: All databases and backups encrypted (AES-256).
  • Headers: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy enforced via host nginx.
  • WAF + Bot mitigation: Cloudflare in front of all production sites.
  • DDoS: Cloudflare absorbs L3/L4/L7.
  • Least-privilege access: SSO (Google Workspace), 2FA enforced on all admin accounts, scoped API tokens, secrets rotation policy.
  • Patching: Critical CVEs patched within 24 hours, others within 7 days.

2. Code security

  • OWASP Top 10 covered in our delivery checklist before every launch.
  • Dependency scanning: GitHub Dependabot + Snyk.
  • Static analysis: ESLint security rules, Semgrep, gitleaks for secret scanning.
  • No production secrets in source control. All secrets in 1Password vaults or cloud secret managers.

3. PDPA & GDPR alignment

  • Data minimisation: we collect only what we need.
  • Consent Mode v2 implemented site-wide (analytics + ads denied until explicit consent).
  • Data Processing Agreements (DPAs) with all sub-processors.
  • Regional data residency on request (we can host in SG, EU, or US).

4. Incident response

  • P0 (active exploit / data breach): contained within 4 hours, customers notified within 24 hours.
  • P1 (vulnerability with exploit path): patched within 24 hours.
  • PDPC notification within 72 hours of breach detection (per PDPA).
  • Public post-mortem published within 14 days of resolution.

5. Responsible disclosure

If you've found a vulnerability in sgbp.tech or a site we operate, please report it via:

  • Email: connect@sgbp.tech
  • WhatsApp: /wa (mark message "Security report")

We acknowledge within one business day, triage within five, and patch on the timeline above. We don't pursue legal action against good-faith researchers and we credit you (with permission) once the fix is public.

6. Compliance & audits

  • Annual full security audit (third-party, scheduled).
  • Quarterly internal review.
  • Pen-testing on request (and required pre-launch for fintech / healthcare clients).

7. Subprocessors

See Privacy Policy §4 for the full list. Major: Cloudflare, AWS, Vercel, Google Workspace, GitHub.