Security Overview
How Nova Gov protects Philippine LGU data and the operational integrity of the platform. This page is the public-facing summary; CIOs and IT teams can request a detailed Security Whitepaper or schedule a technical review via landon@zentarailabs.com.
Current security posture
Encryption in transit
TLS 1.2+ enforced on all public endpoints. HTTP Strict Transport Security with 1-year max-age and includeSubDomains preload.
Encryption at rest
Database storage encrypted via the hosting provider's native AES-256 encryption. Encryption keys managed and rotated by the provider.
Cloudflare Access on admin surfaces
Email one-time PIN gates protected surfaces (e.g., LGU Dashboard, GIS Intelligence Dashboard) at the edge — before any HTML reaches the browser.
Daily secret scanning
gitleaks runs on every commit and a scheduled daily scan checks production repos. Suspected exposures trigger immediate rotation per a written runbook.
Constant-time PIN compare
All shared-secret PIN validations across the backend use a single constant-time helper. Zero raw `!=` PIN compares in the codebase.
Rate limiting
Every authenticated route is throttled (5–60 req/min depending on sensitivity) to deter brute force and accidental denial-of-service patterns.
SOC 2 Type II
Targeted at 12 months post-first-pilot. Audit scope: security, availability, confidentiality. Engaged auditor TBD.
ISO 27001 certification
Targeted at 18 months post-first-pilot. Aligned with control families from Day 1 so the gap analysis is short.
Architecture diagrams, data residency specifics, access control implementation, incident response runbook, and secure development practices are provided under NDA to LGU IT teams, CIOs, and procurement officers evaluating Nova Gov.
Request Security Whitepaper →Responsible disclosure
If you believe you have found a security vulnerability in Nova Gov, please report it
privately to landon@zentarailabs.com with the
subject line SECURITY. We commit to:
- Acknowledge receipt within 2 business days
- Provide a status update within 7 business days
- Coordinate public disclosure with the reporter when fix is deployed
- Not pursue legal action against good-faith researchers who follow this policy
We do not yet operate a paid bug bounty. We will credit reporters publicly with permission.
Compliance alignment
- RA 10173 (Data Privacy Act): see Privacy Policy. DPO designated. Breach-notification process documented.
- RA 9470 (National Archives Act): retention schedules align with NAP regulations; original-handling protocols documented in services agreement.
- RA 10175 (Cybercrime Prevention Act): internal controls and acceptable-use policy mapped to enforcement framework.
- RA 12254 (CLUP Modernization): CLUP Compliance Application built specifically to monitor and report against this framework.
- DICT eGov Act (RA 10844): platform architecture aligns with DICT interoperability standards and eGovernment framework requirements for LGU digital services.
- SGLG (Seal of Good Local Governance): audit logging, service delivery tracking, and compliance dashboards are designed to support DILG's SGLG assessment criteria directly.
- COA audit readiness: immutable access log, exportable audit reports, role-based permissions, retention durations aligned with COA Circular 2009-006.
- ISO 27001: control families are referenced from Day 1. Formal certification is a pilot-revenue deliverable.
Service availability
The platform is hosted on Cloudflare Pages (frontend) and Railway (backend) — both providers publish their own availability SLAs. For Founding LGU partners, our target uptime is 99.5% measured monthly (excluding scheduled maintenance windows announced at least 72 hours in advance). Specific SLA terms — including credit schedules — are documented in the Founding Partner services agreement.
Security contact
- Reporter mailbox
- landon@zentarailabs.com · subject
SECURITY - Public PGP key
- Available on request
- Acknowledgement SLA
- 2 business days
- NPC complaints
- privacy.gov.ph