Back to Legal Centre

Legal Centre

Security

Authentication, MFA, encryption, backups, vulnerability reporting and responsible disclosure.

Last updated: 25 June 2026

1. Security approach

We aim to protect the Platform, User accounts and marketplace data using practical technical and organisational controls.

No system can be completely secure. Security is a shared responsibility between the Platform, Users and service providers.

2. Authentication

User accounts require authentication.

Users should use strong, unique passwords and keep their email accounts secure.

Passwords should be stored as hashes, not plain text.

3. Multi-factor authentication

MFA may be required for administrators and may be offered to other Users.

Administrators should use MFA wherever available.

4. Encryption

Production deployments should use encrypted HTTPS connections.

Sensitive secrets should be stored in environment variables or managed secret stores, not committed to source control.

Where supported by infrastructure providers, databases, backups and storage should use encryption at rest.

5. Access controls

Administrative access should be limited to people who need it.

Admin actions should be logged where practical.

Access should be removed when no longer needed.

6. Backups and recovery

Production data should be backed up regularly using the managed database provider's backup features or another controlled backup process.

Backup and restore procedures should be tested before the Platform holds significant production data.

7. Monitoring and audit

The Platform may keep logs for:

  • authentication events;
  • admin actions;
  • moderation actions;
  • errors;
  • security alerts;
  • suspicious activity.

Logs should be protected and retained only as long as needed.

8. Vulnerability reporting

If you believe you have found a security issue, contact: security@deployed.works

Please include:

  • a clear description;
  • affected URLs or features;
  • steps to reproduce;
  • potential impact;
  • your contact details if you want a reply.

9. Responsible disclosure

Please do not:

  • access, change or delete data that is not yours;
  • disrupt the Platform;
  • run destructive tests;
  • publicly disclose an issue before we have had a reasonable chance to investigate;
  • use social engineering, phishing or physical attacks.

We will aim to acknowledge serious reports and investigate proportionately.

10. Security contact

Security reports: security@deployed.works