Security & Data Protection

Learn about the comprehensive security measures we implement to protect your information and ensure a safe experience on our platform.

Last updated: May 2026

Security at Amatola Water

Security is a fundamental aspect of everything we do. We implement industry-leading security practices to protect your data, maintain system integrity, and ensure compliance with all applicable regulations. Our security approach is built on the principles of prevention, detection, and response.

All staff members receive regular security training, and our systems undergo continuous monitoring and assessment to identify and address potential vulnerabilities.

Authentication & Access Control

Secure Authentication

HTTP-only Cookies: Session tokens stored securely in HTTP-only, secure cookies, preventing JavaScript access and XSS attacks
JWT Tokens: JSON Web Tokens signed with cryptographic keys for verified session management
Password Security: All passwords hashed with bcrypt (12 salt rounds) - we never store plain-text passwords
Rate Limiting: Login attempts are rate-limited to prevent brute force attacks (5 attempts per 15 minutes)

Role-Based Access Control

Admin users require authentication for all administrative functions
Different permission levels: SuperAdmin, Admin, and standard users
Server-side session validation on every API request
Automatic session expiration for inactive users

Data Protection & Encryption

Encryption Standards

In Transit: All data transmitted over HTTPS/TLS 1.2+ using AES-256 encryption
At Rest: Sensitive data encrypted at the database level
Algorithm: AES-256 encryption for all sensitive information

Database Security

Supabase PostgreSQL with Row Level Security (RLS) policies
Service role separation for administrative operations
Regular automated backups with point-in-time recovery
Database access restricted to authorized personnel only

XSS & Injection Prevention

Cross-Site Scripting (XSS) Protection

HTML Sanitization: All HTML content is sanitized using DOMPurify with strict whitelists
Only safe HTML tags and attributes are allowed (no script, iframe, or event handlers)
Links are validated to ensure they are not malicious
Content Security Policy (CSP) headers implemented to prevent inline scripts

Injection Attack Prevention

Parameterized queries for all database operations (no SQL injection)
Input validation on all forms and API endpoints
Output encoding for all user-controlled data

File Upload Security

Upload Validation

MIME Type Verification: Files checked for correct MIME types
Magic Byte Detection: File headers verified to prevent disguised malicious files
Extension Whitelisting: Only approved file extensions accepted
File Size Limits: Enforced maximums (2-5MB depending on file type)

Upload Storage

Files stored in Vercel Blob with access controls
Filename sanitization to prevent directory traversal attacks
Separate storage buckets for different file types
Automatic scanning for malicious content

API Security

Authentication Required: All administrative API endpoints require valid session authentication
CORS Protection: Cross-Origin Resource Sharing configured to prevent unauthorized access
Rate Limiting: API endpoints protected against abuse and DDoS attacks
Request Validation: All API inputs validated and sanitized before processing
Error Handling: Generic error messages prevent information leakage
Audit Logging: All administrative actions logged for accountability and forensic analysis

Monitoring & Incident Response

Continuous Monitoring

24/7 system monitoring for unauthorized access attempts
Automated alerts for suspicious activities
Performance monitoring to detect anomalies
Regular security audits and penetration testing

Incident Response

Documented incident response procedures
Rapid response to security events (detection to response in minutes)
Incident investigation and root cause analysis
User notification in case of data breaches (within 72 hours as required by law)

Compliance & Standards

We comply with:

POPIA: Protection of Personal Information Act (South Africa)
GDPR: General Data Protection Regulation (for EU users)
OWASP Top 10: Web application security standards
ISO 27001: Information security management principles
Water Services Act: South African water sector regulations

Your Security Responsibilities

While we implement comprehensive security measures, your actions also matter:

Use strong, unique passwords for your account
Never share your login credentials with others
Log out when using shared devices
Report suspicious activity immediately
Keep your devices and browsers updated with the latest security patches
Be cautious of phishing emails requesting your credentials

Report Security Issues

If you discover a security vulnerability, please report it responsibly to our security team immediately. Do not publicly disclose the vulnerability before we have had time to address it.

Security Team

Email: security@amatolawater.co.za

Phone: +27 (0) 43 707 3700

We appreciate your cooperation in keeping our systems secure and will recognize your responsible disclosure.

Questions?

For questions about our security practices or data protection, please contact our Information Officer:

Information Officer

Amatola Water Board

6 Lancaster Road, Vincent

East London, 5247

Email: privacy@amatolawater.co.za

Tel: +27 (0) 43 707 3700