Security

Security Policy

Section 1

Our Commitment to Security

At Dealers Connect, security is foundational — not an afterthought. Our platform serves professionals who operate in high-stakes financial environments, handling sensitive business intelligence and professional relationships. We take this responsibility seriously.

This Security Policy describes the technical and organisational measures we maintain to protect the confidentiality, integrity, and availability of the platform and your data. It covers our infrastructure security, access controls, encryption standards, application security practices, and how we respond when things go wrong.

If you have discovered a security vulnerability in our platform, please do not disclose it publicly. Instead, contact us immediately at info@dealersconnect.pro. We take all reports seriously and commit to a prompt, transparent response.

Section 2

Infrastructure & Hosting

Dealers Connect is hosted on enterprise-grade cloud infrastructure provided by a Tier 1 cloud service provider. We leverage their industry-leading physical security, network architecture, and compliance certifications as the foundation of our security posture.

Physical Security

Our cloud infrastructure operates across geographically redundant data centres with 24/7 physical security, biometric access controls, and continuous CCTV monitoring. We do not operate our own physical data centres.

Network Security

  • Web Application Firewall (WAF) protecting against common attack vectors including OWASP Top 10
  • Distributed Denial of Service (DDoS) mitigation at the network edge
  • Private networking between services with no unnecessary public exposure
  • Network segmentation isolating production, staging, and development environments
  • Intrusion detection and anomaly alerting

Availability & Backups

  • Automated daily backups with encrypted offsite storage
  • Point-in-time recovery capability for all primary databases
  • Redundant architecture designed to minimise single points of failure
  • Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets

Section 3

Access Control

We apply the principle of least privilege across all internal systems. Access to production infrastructure and user data is strictly limited and continuously reviewed.

  • Need-to-know access only — production system access is granted only to team members with a specific operational requirement
  • Role-based permissions — granular access controls within our cloud infrastructure limit what each team member can read, write, or modify
  • Mandatory MFA — multi-factor authentication is required for all internal accounts with access to cloud infrastructure, code repositories, and production systems
  • Regular access reviews — access rights are audited on a quarterly basis; any excess permissions are revoked
  • Immediate de-provisioning — all access credentials are revoked within hours of an employee departure or role change
  • No shared credentials — each team member has individual, uniquely identifiable credentials; shared accounts are prohibited
  • Privileged access management — all access to sensitive systems is logged, monitored, and subject to time-limited sessions

Section 4

Encryption & Data Protection

Data in Transit

All data transmitted between your browser and our platform is encrypted using TLS 1.2 or TLS 1.3. We enforce HTTPS across all platform endpoints and reject connections using older, insecure protocol versions. HTTP Strict Transport Security (HSTS) is enabled to prevent downgrade attacks.

Data at Rest

All persistent data — including user profiles, platform content, and database records — is encrypted at rest using AES-256 encryption. Encryption keys are managed using our cloud provider's dedicated key management service, with regular key rotation.

Password Storage

User passwords are never stored in plain text. We use a modern, computationally expensive hashing algorithm (bcrypt with an appropriate cost factor) combined with per-user salting. This ensures that even in the event of a database compromise, individual passwords cannot be recovered.

Sensitive Data Handling

  • We collect only the minimum personal data necessary for the Service to function
  • Sensitive data fields are identified and subject to additional access restrictions
  • Logs are scrubbed to prevent inadvertent capture of sensitive values
  • No payment card data is stored on our platform — payments are handled by PCI-DSS compliant third-party processors

Section 5

Application Security

We integrate security throughout our software development lifecycle rather than treating it as a final step.

Secure Development Practices

  • Security-focused code reviews are conducted for all significant changes before deployment
  • Automated static analysis scanning identifies common vulnerability patterns during development
  • Third-party dependencies are monitored for known CVEs and updated promptly
  • All production deployments pass through a staging environment and testing suite before release

OWASP Top 10 Mitigations

Our application security controls are informed by the OWASP Top 10, including:

  • Injection prevention — parameterised queries and ORM usage throughout; strict input validation on all user-supplied data
  • Broken authentication prevention — secure session handling, absolute session timeouts, and invalidation on logout
  • XSS prevention — output encoding and Content Security Policy (CSP) headers
  • CSRF prevention — CSRF tokens on all state-changing requests
  • Security misconfiguration prevention — hardened server configurations with regular review against security benchmarks

Penetration Testing

We conduct periodic external penetration testing by independent security professionals. Critical and high-severity findings are remediated within defined SLAs. Results are reviewed by leadership and used to inform our security roadmap.

Section 6

User Account Security

Beyond platform-level security, we provide tools and controls to help you keep your individual account secure.

Authentication

  • Email verification required at registration — we confirm you control the address before granting full access
  • Two-factor authentication (2FA) is available and strongly recommended for all accounts
  • Login attempt rate limiting and account lockout after repeated failed attempts
  • Suspicious login detection with email alerts for unrecognised devices or locations

Session Management

  • Sessions are cryptographically signed and invalidated immediately upon logout
  • Absolute session timeouts prevent indefinitely open sessions on shared devices
  • Concurrent session limits are available to prevent unauthorised parallel access

Your Responsibilities

Platform security is a shared responsibility. We ask that you:

  • Use a strong, unique password for your Dealers Connect account
  • Enable two-factor authentication
  • Never share your login credentials with others
  • Log out from shared or public devices after each session
  • Notify us immediately if you suspect your account has been compromised

Section 7

Incident Response

Despite our best efforts, no system is completely immune to security incidents. We maintain a documented incident response plan to ensure any breach is handled swiftly, transparently, and in compliance with applicable regulations.

Detection & Containment

We operate continuous security monitoring across our infrastructure. Upon detection of a suspected incident, we immediately initiate containment procedures to limit potential exposure and preserve forensic evidence.

Notification Timelines

  • Internal security team notified within 1 hour of a confirmed or suspected incident
  • Leadership and Data Protection Officer notified within 4 hours
  • Regulatory notification (where required under GDPR) within 72 hours of a confirmed personal data breach
  • Affected users notified without undue delay once the scope is understood and immediate containment is secured

Post-Incident Review

Following any significant incident, we conduct a root cause analysis and publish an internal post-mortem. Lessons learned are incorporated into our security controls and procedures to prevent recurrence.

User notifications in the event of a breach affecting your data will be sent to the email address registered on your account. Ensure your registered email is current and monitored.

Section 8

Compliance & Standards

Our security programme is aligned with and informed by industry standards and regulatory requirements relevant to a professional financial services community platform.

  • GDPR / UK GDPR — data protection and security obligations under EU and UK data protection law, including mandatory breach notification timelines
  • ISO 27001 principles — our security management practices are structured around the ISO 27001 information security framework
  • OWASP — application security practices informed by the OWASP Application Security Verification Standard (ASVS)
  • Cloud provider certifications — we leverage our hosting provider's SOC 2 Type II, ISO 27001, and PCI-DSS certifications for infrastructure-level assurance

We engage in periodic third-party security assessments and maintain internal documentation to evidence compliance with applicable security standards. Relevant compliance artefacts are available to enterprise partners upon request under NDA.

Section 9

Continuous Improvement

Security is not a one-time effort. We maintain an ongoing programme of security improvement across people, processes, and technology.

Regular Assessments

We conduct quarterly internal security reviews covering access rights, dependency vulnerabilities, configuration compliance, and policy adherence. External penetration tests are conducted at least annually, or following significant platform changes.

Security Training

All team members complete security awareness training upon joining and at least annually thereafter. Developers receive additional secure coding training. We run simulated phishing exercises to test and reinforce security behaviours.

Threat Intelligence

We actively monitor security advisories, threat intelligence feeds, and CVE databases relevant to our technology stack. Identified vulnerabilities in our dependencies or infrastructure are triaged and remediated according to severity within defined SLAs.

Security Roadmap

Our security team maintains a forward-looking roadmap of planned improvements. Items are prioritised by risk impact and reviewed quarterly. This policy is reviewed and updated at least annually to reflect changes in our environment, technology, and threat landscape.

Section 10

Responsible Disclosure

We welcome responsible security research and believe that coordinated disclosure makes the internet safer for everyone. If you have discovered a vulnerability in the Dealers Connect platform, we ask that you follow the guidelines below.

What we ask of researchers

  • Report findings to us privately via info@dealersconnect.pro before any public disclosure
  • Give us a reasonable amount of time (we aim for 90 days) to investigate and remediate before publishing details
  • Do not access, modify, or delete data belonging to other users
  • Do not conduct tests that could impact platform availability for other users
  • Do not use social engineering against Dealers Connect staff or members

What you can expect from us

  • Acknowledgement of your report within 2 business days
  • Regular updates on our investigation and remediation progress
  • Public recognition (if desired) in our security acknowledgements once the issue is resolved
  • No legal action against researchers acting in good faith in accordance with these guidelines

Security Contact

Initial response within 2 business days