Engineering-grade security, by default
Cyntech designs critical infrastructure. The same rigour we apply to a fuel terminal or a substation, we apply to the systems that run our business and yours. This page is our public, dated record of how.
Six security pillars
Layered defences across identity, data, network and operations. Every control is documented in our ISMS and reviewed at least annually.
Encryption everywhere
TLS 1.2+ in transit, AES-256 at rest. Field-level encryption for credentials. Forward-secrecy ciphers enforced on the edge.
Zero-trust access
Mandatory MFA on every admin, short-lived JWTs, role-based access at the database, and audited service-account secrets in a hardware-backed vault.
Tenant isolation
Row-level security on every multi-tenant table. Cross-tenant queries are physically impossible — enforced in PostgreSQL, not at the application layer.
Continuous monitoring
Daily automated vulnerability scans, dependency audit on every commit, security headers verified in CI, and centralised audit logs with tamper-evident retention.
OT/IIoT-grade
MQTT telemetry signed and scoped per device. Network segmentation between IT and OT. IEC 62443-aligned secure-by-default device onboarding.
Resilient by design
Multi-region edge, point-in-time database backups, documented RTO/RPO, and quarterly disaster-recovery exercises.
Security headers on every response
Every HTTP response carries a strict set of defence-in-depth headers aligned with OWASP, ISO 27001 Annex A.8, and GDPR Article 32. Verified in CI on every commit.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
HTTPS is enforced for two years across all subdomains. Preload-eligible.
X-Content-Type-Options: nosniff
Browsers cannot override the declared MIME type, blocking MIME-sniffing attacks.
X-Frame-Options: DENY
Pages cannot be embedded in frames, eliminating clickjacking risk.
Referrer-Policy: strict-origin-when-cross-origin
Referrer data is stripped down to origin on cross-origin requests.
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), microphone=(), payment=(), usb=() …
Powerful browser APIs are disabled by default. Only explicitly needed features are allowed.
Cross-Origin-Opener-Policy: same-origin
Cross-origin windows are isolated, preventing cross-window attacks.
Cross-Origin-Resource-Policy: same-site
Resources are restricted to same-site requests, reducing cross-origin leak vectors.
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests …
Fail-closed policy that blocks inline scripts, external frames, and mixed content. Only whitelisted origins load.
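The CI verification described above can be done with a small policy checker. The following is an added example, not Cyntech's own tooling: the expected header values are the ones listed on this page, while the function names, the parsing helpers and the two constructed header sets (one compliant, one weakened) are assumptions for illustration. It goes slightly beyond the list by also flagging `'unsafe-inline'` in the CSP, since that is the directive that would undo the "blocks inline scripts" guarantee.

```python
"""Check HTTP response headers against the hardening policy above (added example).

Policy values come from the page; function names and sample header sets are
constructed for illustration.
"""
import re

HSTS_MIN_MAX_AGE = 63072000  # two years, as the policy requires
EXPECTED_EXACT = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-site",
}
CSP_REQUIRED = {"default-src": ["'self'"], "frame-ancestors": ["'none'"], "object-src": ["'none'"]}
PERMISSIONS_DISABLED = ["accelerometer", "camera", "geolocation", "microphone", "payment", "usb"]


def parse_directives(value):
    """Split a ';'-separated directive string (CSP style) into {name: [tokens]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def parse_permissions_policy(value):
    """Parse 'feature=(allowlist), ...' into {feature: allowlist string}."""
    out = {}
    for item in value.split(","):
        name, _, allow = item.strip().partition("=")
        if name:
            out[name.strip().lower()] = allow.strip()
    return out


def check_security_headers(headers):
    """Return a list of findings; an empty list means the response meets the policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security: max-age {age} below {HSTS_MIN_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: includeSubDomains missing")

    for name, want in EXPECTED_EXACT.items():
        got = h.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got.lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    else:
        d = parse_directives(csp)
        for name, want in CSP_REQUIRED.items():
            if d.get(name) != want:
                findings.append(f"Content-Security-Policy: {name} must be {' '.join(want)}")
        if "upgrade-insecure-requests" not in d:
            findings.append("Content-Security-Policy: upgrade-insecure-requests missing")
        # 'unsafe-inline' is what would re-enable inline scripts under a fail-closed policy
        for name in ("default-src", "script-src"):
            if "'unsafe-inline'" in d.get(name, []):
                findings.append(f"Content-Security-Policy: 'unsafe-inline' in {name}")

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy: missing")
    else:
        p = parse_permissions_policy(pp)
        for feature in PERMISSIONS_DISABLED:
            if p.get(feature) != "()":
                findings.append(f"Permissions-Policy: {feature} not disabled")

    return findings


# Constructed sample responses (not captured from any real site).
COMPLIANT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "accelerometer=(), camera=(), geolocation=(), microphone=(), payment=(), usb=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-site",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "default-src 'self' 'unsafe-inline'; object-src 'none'",
    "permissions-policy": "camera=(self), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, check_security_headers(hdrs) or "OK")
```

In a pipeline the `headers` argument would be the response headers of a staging deployment and a non-empty findings list would fail the build; the sample sets above let the check run offline.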
Cookie consent categories
Our banner follows the IAB / ICO model with four clear categories. Non-necessary scripts are blocked until you opt in, and every choice is timestamped for GDPR Article 7(1) demonstrability.
Strictly necessary
Authentication, security tokens, load-balancing and CSRF protection. Always on and cannot be disabled.
Preferences
Theme, language, dismissed banners and last-selected tenant. Only set after you opt in.
Analytics
Anonymous page-view and event data so we can improve performance. No personal identifiers or advertising profiles.
Marketing
Retargeting pixels for LinkedIn and search campaigns. Off by default. Only loads after explicit consent.
The "Reject all" button is given the same visual weight as "Accept all". No nudge architecture.
Analytics and marketing scripts are wrapped with consent checks. They do not load before permission is granted.
Users can accept or reject each category individually, and revisit choices at any time via the Cookie Policy.
Certifications, frameworks & where we are
No green-washing — we publish what we have, what's in flight, and what's planned, with honest status labels.
- Stage-1 audit scheduled — controls implemented and mapped to Annex A.
- Privacy extension to ISO 27001, kicking off after Stage-2 certification.
- 12-month observation window planned alongside ISO 27001.
- Service-provider controls mapped for industrial integration work.
- Govern / Identify / Protect / Detect / Respond / Recover — internal self-assessment quarterly.
- Information Officer registered with the South African Information Regulator.
We're happy to share evidence under NDA — contact security@cyntech.co.za.
Compliant across three regions
We serve clients across South Africa, the EU/UK and the United States, plus industrial standards specific to energy and OT.
- POPIA
- Cybercrimes Act
- ECT Act
- PAIA
- GDPR
- UK GDPR
- ePrivacy / PECR
- NIS2 ready
- DORA flow-down ready
- CCPA / CPRA
- CIRCIA reporting
- State breach-notification matrix
- IEC 62443
- ISO 27019 (roadmap)
- IOGP 627 / 645
- TSA / NERC CIP flow-down ready
How we process personal information
Transparent, purpose-limited and rights-respecting. Aligned to POPIA, GDPR and CCPA / CPRA requirements.
What we collect
Contact details, project and site data, portal account metadata, recruitment CVs, and technical logs (IP, browser, pages viewed).
Lawful basis
Contract fulfilment for deliverables, legitimate interest for security and improvement, legal obligation for regulators, and consent for marketing.
How we protect it
TLS 1.2+ in transit, AES-256 at rest, row-level security in PostgreSQL, MFA on admin accounts, and quarterly access reviews.
Cross-border transfers
Sub-processors outside South Africa are bound by EU Standard Contractual Clauses (SCCs) or equivalent adequacy decisions.
Retention
Only as long as the purpose requires. Financial records kept 5+ years per Tax Administration Act. Project data retained for asset lifecycle plus indemnity period.
Your rights
Access, correction, erasure, portability, objection and withdrawal of consent. Submit a request via our DSAR form or email privacy@cyntech.co.za.
For the full description of processing, retention schedules and lawful basis, read our Privacy Policy and Cookie Policy.
Five promises we put in writing
- We will never sell client data.
- We will never train third-party AI models on your data without written consent.
- We will notify you within 72 hours of confirming a security incident that affects you.
- We will give 30 days' notice before adding a new sub-processor.
- Our DPA, sub-processor list, and security posture are always public — not gated behind a sales call.
Tested incident response
A live runbook, named owners, regulator-clock awareness, and customer-first comms.
- Centralised logs, automated anomaly detection on auth and database, customer reports via vulnerability disclosure.
- Defined sev-1 → sev-3 thresholds, on-call escalation, forensic snapshot of affected systems.
- POPIA 'as soon as reasonably possible' and GDPR 72-hour clocks tracked. Affected customers contacted via primary admin.
Read the full Incident Response Notice or report a vulnerability via our coordinated disclosure programme (safe-harbour protected).
Client request workflows
A clear, no-cost process for exercising rights under POPIA, GDPR, UK GDPR and CCPA / CPRA.
Request types
- Access — receive a copy of your data
- Rectification — correct inaccurate information
- Erasure — delete your data ('right to be forgotten')
- Portability — export in a machine-readable format
- Objection — stop processing for direct marketing
- Restriction — pause processing while a dispute is resolved
- Withdraw consent
- Lodge a complaint
How to submit
Use our Data Subject Request form or email privacy@cyntech.co.za. For sensitive requests we may ask for proof of identity separately.
Everything you need to close the file
- Controller-to-Processor template with 2021 SCCs and UK Addendum.
- Live list of authorised sub-processors with locations and transfer mechanisms.
- Template aligned to GDPR Art. 30 / POPIA s.17 — for your own programme.
- Data Protection Impact Assessment for high-risk processing.
- The questionnaire we use to assess sub-processors — yours to reuse.
- RFC 9116 machine-readable contact for security researchers.
Building something where security matters?
Our security and privacy team responds to vendor questionnaires (SIG / CAIQ / bespoke) within 5 business days.
