Security
A visibly secure site is product marketing for a governance company.
The practices below are how EVVO DIGITAL operates this site. They are also the baseline we expect to see on the AI estates we assess and operate for clients.
Practice / 01
Transport security
TLS 1.2+ only, HSTS preloaded, HTTP→HTTPS enforced.
Practice / 02
Strict content security
CSP with nonce-based script allow-listing; no third-party scripts without a named business reason.
Practice / 03
Header hardening
X-Content-Type-Options, Referrer-Policy and Permissions-Policy locked down; securityheaders.com A+.
Practice / 04
DNS & domain
Cloudflare DNS, DNSSEC on, registrar lock enabled, role-mailbox contacts.
Practice / 05
Forms & data
Server-side validation, rate limiting, honeypot and Turnstile; data stored in CRM only, never in the CMS.
Practice / 06
Privacy regimes
Aligned with Singapore PDPA and Vietnam Decree 13/2023; data-subject request channel published.
Practice / 07
Cookie posture
Essential-only by default; analytics opt-in if added. No third-party advertising tags.
Practice / 08
Operational
Uptime monitoring, error alerting, scheduled backups, documented rollback path, DMARC reporting.
Want this assessed on your estate?
We can run the same posture review — and the remediation — on your AI and web estate. It starts with a 30-minute briefing.
