hustler.co.za

Information Security Policy

Last updated: 7 April 2026

1. Purpose

This policy describes the technical and organisational security measures implemented by Tapnet Solutions (Pty) Ltd to protect personal information processed through hustler.co.za and all other websites, applications, and digital services operated by Tapnet, in compliance with POPIA Condition 7 (Security Safeguards).

2. Access Controls

2.1 Authentication

  • User passwords are hashed using bcrypt with a cost factor of 12 — passwords are never stored in plaintext and cannot be reversed
  • Google OAuth is available as an alternative sign-in method, using industry-standard OAuth 2.0
  • Sessions are managed via secure, HTTP-only, SameSite cookies (JWT tokens)
  • Session tokens are cryptographically signed and cannot be tampered with

2.2 Authorisation

  • All dashboard routes are protected by server-side authentication checks
  • API endpoints verify ownership — users can only access their own data
  • Pro features are gated at both the API and UI level
  • Admin functions are restricted to authorised personnel only

2.3 Rate Limiting

  • Authentication endpoints: 5 requests per IP per minute
  • Registration: 5 per IP per minute
  • Public forms: 10 per IP per minute
  • API endpoints: 100 per IP per minute
  • Username checks: 30 per IP per minute

3. Encryption

3.1 In Transit

  • All traffic to hustler.co.za is encrypted via HTTPS (TLS 1.2+)
  • HTTP requests are automatically redirected to HTTPS
  • Strict Transport Security (HSTS) headers are set
  • Database connections use SSL/TLS encryption

3.2 At Rest

  • Database storage is encrypted at rest by our database provider (Neon, using AES-256)
  • Passwords are hashed (bcrypt) — not encrypted, as they never need to be decrypted
  • IP addresses are one-way hashed using SHA-256 before storage — they cannot be reversed

4. Application Security

  • Input validation: All user inputs are validated server-side using Zod schema validation. Client-side validation is for UX only and is never trusted.
  • SQL injection prevention: All database queries use Prisma ORM with parameterised queries — raw SQL is never constructed from user input
  • Cross-site scripting (XSS): React automatically escapes all rendered content. Content Security Policy headers restrict script execution.
  • CSRF protection: NextAuth uses SameSite cookies and Origin header verification for all mutations
  • Security headers: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy (camera, microphone, geolocation disabled)

5. Infrastructure Security

  • Hosting: Vercel — SOC 2 Type II compliant, automatic SSL, DDoS protection, edge network
  • Database: Neon (Frankfurt, EU) — SOC 2 Type II compliant, encrypted at rest and in transit, automated backups, point-in-time recovery
  • Email: Resend — SOC 2 compliant, TLS encryption for all emails
  • Payments: PayFast — PCI DSS Level 1 compliant. We never receive, transmit, or store card numbers.

6. Data Anonymisation

  • IP addresses are hashed using SHA-256 and truncated to 16 characters before storage — they cannot identify a specific individual
  • User agent strings are truncated to 200 characters
  • Analytics data does not contain names, emails, or other directly identifying information
  • Analytics tracking only occurs when the user has opted in via the cookie consent banner

7. Backups

  • Database backups are automated by Neon with point-in-time recovery
  • Backup data is encrypted at rest
  • Backup retention follows our Data Retention Policy — data deleted from the live database is purged from backups within the backup retention window

8. Incident Response

Security incidents and data breaches are handled according to our Breach Response Plan. All suspected incidents are investigated immediately by the Information Officer.

9. Vulnerability Management

  • Dependencies are monitored for known vulnerabilities via npm audit
  • Security patches are applied as soon as reasonably possible
  • The platform codebase is regularly reviewed for security issues

10. Review

This policy is reviewed annually and after any security incident. The Information Officer is responsible for ensuring measures remain adequate.

11. Contact

To report a security vulnerability or concern:
Information Officer: Wynand de Beer
Email: wynand@tapnet.co.za
Phone: 079 174 8357