Template notice. This page describes our intended security posture for production. The local demo environment uses relaxed dev defaults.
Authentication
- JWT-based sign-in with short-lived access tokens (15 minutes) and refresh tokens.
- Account lockout after repeated failed sign-ins (django-axes).
- Optional TOTP two-factor authentication for administrators.
- Passwords hashed with Argon2id.
Tenant isolation
Every database row carries a tenant ID. Postgres row-level security enforces that a query in one tenant's session cannot read or write data belonging to another tenant — even if application code has a bug.
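The row-level security pattern described above, as an added example that is not taken from the production schema. The table `incident`, the role `app_user`, the setting `app.tenant_id` and the UUIDs are assumed names and constructed values.

```sql
-- Added example: hypothetical table, role and setting names throughout.
CREATE TABLE incident (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    summary   text NOT NULL
);

-- ENABLE turns the policy on; FORCE applies it to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip RLS, so the application
-- must connect as a role that has neither attribute.
ALTER TABLE incident ENABLE ROW LEVEL SECURITY;
ALTER TABLE incident FORCE ROW LEVEL SECURITY;

-- USING filters rows visible to SELECT/UPDATE/DELETE; WITH CHECK rejects
-- writes that would create a row for another tenant.
-- current_setting(..., true) yields NULL when the setting is unset, and
-- NULLIF covers the empty string a pooled connection can hold after an
-- earlier transaction-local value was reset. Either way no row matches,
-- so a session without a tenant fails closed.
CREATE POLICY tenant_isolation ON incident
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON incident TO app_user;

-- Per request, as the application role (or connect as app_user directly).
SET ROLE app_user;

BEGIN;
-- Third argument true = transaction-local, so the tenant cannot leak to
-- the next request that reuses this pooled connection.
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO incident (tenant_id, summary)
VALUES ('11111111-1111-1111-1111-111111111111', 'Scaffold inspection overdue');
COMMIT;

BEGIN;
SELECT set_config('app.tenant_id', '22222222-2222-2222-2222-222222222222', true);
-- The other tenant's row is filtered out by the USING clause: returns 0.
SELECT count(*) FROM incident;
-- A write for a different tenant is rejected by WITH CHECK:
-- ERROR:  new row violates row-level security policy for table "incident"
INSERT INTO incident (tenant_id, summary)
VALUES ('11111111-1111-1111-1111-111111111111', 'Cross-tenant write');
ROLLBACK;
```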
Encryption
- TLS 1.2+ for all traffic in transit.
- Database and document storage encrypted at rest (AES-256).
- Backups encrypted with separate keys, retained for 30 days.
Access control
- Role-based access: Company Admin, Site Manager, Safety Officer, Site Rep, Supervisor.
- Field workers do not have logins — they exist as records, not user accounts.
- Every change is logged in an immutable audit trail with who, what, when.
Hosting
Production runs on infrastructure hosted in the European Union, recognised by the South African Information Regulator as offering adequate protection for cross-border transfers.
Reporting a vulnerability
We welcome responsible disclosure. Email security@sitesafe.co.za with details. We commit to acknowledging reports within 2 business days.
Questions about this document? Email legal@sitesafe.co.za.
