AssessKitAssessKit

Security Policy

Last updated: March 2026

AssessKit is operated by Crocker Digital Ltd (Company No. 17008789), a company registered in England and Wales.

Disclaimer: This document is provided for informational purposes and does not constitute legal advice. It describes our current security practices and is not a guarantee of absolute security. You should consult a qualified solicitor or security professional if you require formal guidance.

Our Approach

We take the security of your data seriously. AssessKit handles fire risk assessment data, and we recognise that this information is important to your business and your clients. Below is a plain-English summary of the measures we have in place.

What We Do

Encryption

  • In transit: All data sent between your browser and AssessKit is encrypted using TLS (Transport Layer Security). This means your data is protected while it travels over the internet.
  • At rest: Data stored in our database is encrypted at rest, meaning it is protected even when not actively being accessed.

Tenant Isolation

  • Our database uses row-level security (RLS) to ensure that each user or organisation can only access their own data. This provides strong isolation between accounts at the database level.

Authentication

  • All access to AssessKit requires authentication. You must sign in with valid credentials to access any data.
  • Passwords are stored using secure, one-way hashing. We never store plain-text passwords.

Backups

  • We perform regular automated backups of all data to protect against data loss.

Secrets Management

  • API keys, database credentials, and other sensitive configuration values are stored in environment variables only. They are never committed to source code or stored in publicly accessible locations.

Security Headers

  • We enforce standard security headers on all responses (including Content Security Policy, Strict Transport Security, and others) to help protect against common web vulnerabilities such as cross-site scripting (XSS) and clickjacking.

Access Control

  • Access to production systems and infrastructure is restricted to authorised personnel only and requires authentication.

Reporting Security Issues

If you discover a security vulnerability or have a concern about the security of AssessKit, please report it to us as soon as possible:

Please include as much detail as you can about the issue, including steps to reproduce it if applicable. We will acknowledge your report promptly and work to address confirmed vulnerabilities.

We ask that you:

  • Report issues responsibly and do not exploit any vulnerability you discover.
  • Give us reasonable time to investigate and address the issue before disclosing it publicly.

What We Do Not Promise

No system is 100% secure. While we apply reasonable and appropriate security measures to protect your data, we cannot guarantee that our systems are immune to all threats. We continuously review and improve our security practices, but we are transparent that absolute security is not achievable by any service provider.

Bug Bounty

We do not currently operate a formal bug bounty programme. However, we appreciate and take seriously all security reports received at security@assesskit.co.uk.

Contact Us

If you have questions about our security practices, contact us at: