Our commitment
Security is built into how we design, host, and operate smartspotsolutions.com and the systems behind it. This page summarises our approach for visitors, clients, and applicants.
Infrastructure
- Hosted on Firebase App Hosting with HTTPS enforced for all traffic.
- Database and file storage on Supabase with row-level security enabled on sensitive tables.
- Security headers (frame protection, MIME sniffing prevention, referrer policy, content security policy) applied at the application layer.
Staff access
- Internal tools are not linked from the public website.
- Staff sign-in uses email one-time codes and magic links — no shared passwords.
- Sessions use httpOnly cookies with a 12-hour expiry.
- Only authorised staff email addresses can request sign-in codes.
Data protection
- Service-role database keys are server-only and never exposed to browsers.
- Rate limiting on login, tracking, and public submission endpoints.
- Cron and internal jobs protected with secret bearer tokens.
- Job application CVs stored in a private bucket; authorised staff view files via short-lived signed URLs (15 minutes).
- Resume uploads restricted to PDF, max 5 MB, validated on client and server.
Analytics
We collect first-party analytics to understand how the site is used. Internal application paths are excluded from visitor tracking. We do not use third-party advertising trackers on this site.
What you can do
- Use strong, unique passwords on your own accounts linked to our services.
- Do not share staff sign-in links or one-time codes.
- Report suspected vulnerabilities or incidents to us promptly.
Incident response
If we become aware of a breach affecting your personal data, we will investigate, mitigate, and notify affected individuals and regulators where required by law.
Report a security issue
Please report security concerns to hello@smartspotsolutions.com with enough detail for us to reproduce the issue. We appreciate responsible disclosure and will acknowledge reports within a reasonable time.