Skip to content
EVVO DIGITAL

Security

A visibly secure site is product marketing for a governance company.

The practices below are how EVVO DIGITAL operates this site. They are also the baseline we expect to see on the AI estates we assess and operate for clients.

Practice / 01

Transport security

TLS 1.2+ only, HSTS preloaded, HTTP→HTTPS enforced.

Practice / 02

Strict content security

CSP with nonce-based script allow-listing; no third-party scripts without a named business reason.

Practice / 03

Header hardening

X-Content-Type-Options, Referrer-Policy and Permissions-Policy locked down; securityheaders.com A+.

Practice / 04

DNS & domain

Cloudflare DNS, DNSSEC on, registrar lock enabled, role-mailbox contacts.

Practice / 05

Forms & data

Server-side validation, rate limiting, honeypot and Turnstile; data stored in CRM only, never in the CMS.

Practice / 06

Privacy regimes

Aligned with Singapore PDPA and Vietnam Decree 13/2023; data-subject request channel published.

Practice / 07

Cookie posture

Essential-only by default; analytics opt-in if added. No third-party advertising tags.

Practice / 08

Operational

Uptime monitoring, error alerting, scheduled backups, documented rollback path, DMARC reporting.

Want this assessed on your estate?

We can run the same posture review — and the remediation — on your AI and web estate. It starts with a 30-minute briefing.