1. This site, today
- All traffic is served over HTTPS with strict transport security.
- Hardened response headers: a content-security policy, frame denial, MIME-sniffing protection, and a locked-down permissions policy.
- Form endpoints are validated and rate-limited; anti-spam checks run without third-party captchas or trackers.
- Email-confirmation, unsubscribe, and Privacy Center links use single-purpose tokens stored only as cryptographic hashes. A database leak exposes no usable links.
- Consent records carry SHA-256 proofs of the exact text agreed to.
- Responsible-disclosure contact is published in /.well-known/security.txt.
2. The platform, at launch
The Briovela platform is being built to a security bar we publish and hold ourselves to. These are launch commitments, stated plainly because reviewers and customers deserve to know the bar before the doors open:
- Encryption in transit and at rest, everywhere.
- Least-privilege, role-based access control with deny-by-default permissions.
- Per-customer (tenant) isolation enforced at the database layer, so one customer’s data and behavior can never touch another’s.
- Tamper-evident audit logging of administrative and security-relevant actions.
- An independent, human-run penetration test before the first customer goes live, with critical and high findings fixed and re-tested first.
3. Responsible disclosure
If you believe you’ve found a vulnerability in this site or (later) the platform, email security@briovela.com with steps to reproduce. We will acknowledge quickly, keep you informed, and never pursue good-faith research. Abuse reports may use the same address (security@briovela.com).
4. FAQ
- Where is security.txt?
- At /.well-known/security.txt on this domain. Contact points to security@briovela.com.
- Do you run a pen test before customers go live?
- Yes. An independent, human-run penetration test is a launch commitment; critical and high findings are fixed and re-tested first.
Document version 2026-07-09.5