A LevantGate productSecurity
Effective 2026-07-14 · LevantGate, Erbil, Kurdistan Region of Iraq
Security is a first-class requirement of SRP. This page summarises the controls we operate today. It is maintained by LevantGate; it is not a certification or a substitute for a written security addendum.
1. Encryption
- In transit: all traffic to and from our apps and APIs uses HTTPS with TLS 1.2 or higher. HSTS is enabled on all public domains.
- At rest: production databases and object storage are encrypted with AES-256 managed keys.
- Backups: encrypted using the same standard; keys are rotated on a regular schedule.
- Secrets: credentials and API keys are stored in a managed secrets vault and never in source control.
2. Authentication
- Passwords are stored as salted hashes using a modern algorithm (bcrypt/argon2 family).
- Multi-factor authentication is available for all users and mandatory for administrators.
- Session tokens are rotated on privilege change and invalidated on sign-out and password reset.
- Brute-force protection: rate limits and progressive lock-out on repeated failed attempts.
3. Access control
Role-based access control (RBAC) scopes every action to the smallest role that can perform it. Administrator access to production systems is restricted, logged, and reviewed. Access is granted on a least-privilege basis and revoked on role change.
4. Secure storage
Customer data is logically segregated per compound. Uploaded files are stored in a hardened object store; direct URLs are signed and short-lived. Personal identifiers are never included in log messages.
5. Audit logs
Administrative actions and privileged reads are recorded to an append-only audit log. Logs are retained for the period required by law and reviewed on incident.
6. Backups and disaster recovery
Databases are backed up automatically every day and replicated across availability zones. We test restores on a periodic basis. Our recovery targets are aligned to the SLA agreed with each Customer.
7. Change management
Code changes are peer-reviewed, tested in staging, and released via automated pipelines. Production deployments are logged and reversible.
8. Vendor management
Sub-processors are listed on our Third-Party Services page and are engaged under written data processing agreements with equivalent security obligations.
9. Reporting a vulnerability
We welcome responsible disclosure. Please email info@levantgate.com with:
- A clear description of the issue and its impact.
- Steps to reproduce, or proof-of-concept.
- Your preferred credit (name, handle) if the report is confirmed.
Please give us reasonable time to remediate before public disclosure. We do not pursue legal action against good-faith researchers who follow this policy.
10. Security incident contact
24/7 security intake: info@levantgate.com · LevantGate, Erbil, Kurdistan Region of Iraq.