Our Security Commitment
At AZi Solutions, security is not an afterthought — it is built into everything we deliver. We apply industry best practices across our own infrastructure and embed security considerations into every website and application we build for clients. This page describes our security posture, our practices, and what to do if you discover a potential vulnerability.
Website Security Standards
Every website delivered by AZi Solutions includes the following security measures by default:
- HTTPS/SSL: All websites are secured with SSL certificates, ensuring data in transit is encrypted. We implement HTTPS-only policies with HSTS headers where supported.
- Security Headers: We configure HTTP security headers including Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy on all projects.
- Input Validation: All contact forms and user inputs are validated and sanitised to prevent cross-site scripting (XSS) and injection attacks.
- Regular Updates: For WordPress and CMS-based projects, we recommend and implement regular core, plugin, and theme updates as part of ongoing maintenance packages.
- Minimal Attack Surface: We build lean, purposeful code without unnecessary plugins, scripts, or dependencies that could introduce vulnerabilities.
Our Infrastructure Security
AZi Solutions operates with the following infrastructure security practices:
- All team member accounts use strong, unique passwords and multi-factor authentication (MFA) on all critical platforms
- Client credentials are stored in encrypted password management systems — never in plain text, spreadsheets, or email
- Access to client systems is granted on a need-to-know basis and revoked immediately upon project completion
- All internal communications containing sensitive information use encrypted channels
- We do not store client payment information — all payments are processed through trusted third-party payment processors
Data Protection
We take the protection of client and user data seriously. Our data handling practices are described in full in our Privacy Policy. Key points: we collect only the data necessary for the stated purpose, data is retained only as long as needed, and we do not sell data to third parties. For clients in regulated industries (healthcare, finance, etc.), we can discuss specific compliance requirements as part of your project scope.
Responsible Disclosure
If you discover a security vulnerability on our website or in a deliverable we have produced, we ask that you report it responsibly:
- Email us at [email protected] with "Security Vulnerability" in the subject line
- Describe the vulnerability in as much detail as possible, including steps to reproduce
- Do not publicly disclose the issue until we have had a reasonable opportunity to address it (we aim to acknowledge reports within 48 hours and resolve critical issues within 7 days)
- Do not access, modify, or delete data that is not yours
We genuinely appreciate responsible security research and will acknowledge your contribution where appropriate.
What We Do Not Do
For clarity and to set correct expectations:
- We do not offer bug bounties at this time
- We do not engage in, facilitate, or condone any form of unauthorised access to third-party systems
- We do not accept requests to conduct offensive security testing unless explicitly contracted for that purpose with proper legal authorisation in place
Security for Your Project
If you would like to discuss the security requirements of your specific project — particularly for applications handling sensitive data, payments, or regulated information — please mention this during your consultation. We offer security-focused development practices and code reviews, and can recommend appropriate third-party security audits where needed. Get in touch to discuss your requirements.