Security & Compliance

How TakeOvr protects customer accounts, IoT telemetry and operational data — at every layer.

Last updated: June 7, 2026

Security at TakeOvr is a continuous process, not a checklist. This page summarises the controls, certifications and practices that protect customer data and the IoT telemetry flowing through our platform. For a full security questionnaire or to request our subprocessor list, contact zee@novakhan.com.

Encryption

In transit. All connections between devices, browsers and TakeOvr APIs use TLS 1.2 or higher with modern cipher suites. HTTP Strict Transport Security (HSTS) is enforced once SSL is active on the public host. MQTT device traffic is secured with TLS-PSK or X.509 client certificates depending on the hardware capability.

At rest. Customer data, telemetry and backups are encrypted using AES-256. Database storage and object storage volumes are encrypted with managed keys held by our cloud providers.

Access Control

  • Role-based access control (RBAC) with tenant- and group-scoped permissions.
  • Mandatory single sign-on (SSO/SAML) for enterprise tenants; supports Google Workspace, Azure AD, Okta and any SAML 2.0-compliant IdP.
  • Multi-factor authentication available for all accounts; enforceable per tenant.
  • Internal access to production systems is restricted by least privilege, requires SSO + hardware-key MFA, and is logged end-to-end.

Application Security

  • Tenant isolation enforced at every database query and server function.
  • Input validation with typed schemas (Zod) at every boundary.
  • Strict Content Security Policy and security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP) on all public surfaces.
  • Defense-in-depth noindex on private routes (meta + HTTP header).
  • Dependencies tracked with automated CVE scanning; security patches deployed weekly or sooner for critical advisories.
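The header set listed above, together with the HSTS behaviour described under Encryption, can be expressed as a single function that a Node.js HTTP handler applies to every response. This is an added illustration, not TakeOvr's own code: the route prefixes treated as private, the CSP directives and the header values chosen here are assumptions, and a real deployment would tune them to its own origins and script hashes.

```javascript
// Added example (not TakeOvr's code). Computes the security headers the page
// lists for public surfaces, adds the HTTP-level noindex for private routes
// (the <meta> tag is the second layer) and sends HSTS only once TLS is active.
// Works with Node's built-in http/https modules; no third-party dependencies.

// Route prefixes considered private: an assumption for this example.
const PRIVATE_PREFIXES = ['/app', '/admin', '/api/private'];

// Default-deny CSP, own origin only. Assumed policy; a real app adds its CDN
// origins or script hashes here rather than loosening to 'unsafe-inline'.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "object-src 'none'",
  "frame-ancestors 'none'",
  "base-uri 'self'",
  "form-action 'self'",
].join('; ');

// Prefix match on path segments, so '/application' is NOT treated as '/app'.
function isPrivateRoute(pathname) {
  return PRIVATE_PREFIXES.some(p => pathname === p || pathname.startsWith(p + '/'));
}

function securityHeaders(pathname, { tlsActive = true } = {}) {
  const headers = {
    'Content-Security-Policy': CSP,
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
    'Cross-Origin-Opener-Policy': 'same-origin',
  };
  if (tlsActive) {
    // Browsers ignore HSTS received over plain HTTP, and a long max-age on a
    // host that still serves HTTP would lock users out, so gate it on TLS.
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  if (isPrivateRoute(pathname)) {
    // Defence in depth: the header works even if the HTML <meta> tag is lost
    // (API responses, error pages, cached fragments).
    headers['X-Robots-Tag'] = 'noindex, nofollow';
  }
  return headers;
}

// The <meta> counterpart, rendered into private pages so both layers agree.
function noindexMetaTag(pathname) {
  return isPrivateRoute(pathname) ? '<meta name="robots" content="noindex, nofollow">' : '';
}

// Minimal per-request hook for Node's http/https server: call it first in the
// request handler, before any body is written.
function applySecurityHeaders(req, res) {
  const pathname = new URL(req.url, 'http://localhost').pathname;
  const tlsActive = Boolean(req.socket && req.socket.encrypted);
  for (const [name, value] of Object.entries(securityHeaders(pathname, { tlsActive }))) {
    res.setHeader(name, value);
  }
}
```

Wire `applySecurityHeaders(req, res)` into the `http.createServer` callback ahead of routing; keeping the header logic in a pure function (`securityHeaders`) makes it unit-testable without a running server, which is how a CI check can assert that no private route ever ships without `X-Robots-Tag`.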

Compliance & Certifications

TakeOvr is built around a SOC 2 Type II control framework. Specific certifications and external audit reports are available under NDA on request.

We align our data-handling practices with the EU General Data Protection Regulation (GDPR), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the UK Data Protection Act 2018 and similar regimes.

Infrastructure

  • Production workloads run in audited, ISO 27001 / SOC 2 certified cloud regions.
  • Network segmentation isolates compute, database and edge ingress.
  • Automated daily backups with point-in-time recovery for primary databases; backups are encrypted and retained per policy.
  • Regional deployments available under enterprise contracts for data-residency requirements.

Monitoring & Audit Trails

  • 24/7 platform monitoring with on-call rotations.
  • Centralised, tamper-evident audit logging for tenant admin actions, authentication events, asset configuration changes and alarm activity.
  • Anomaly detection on production access patterns and infrastructure metrics.

Incident Response

We maintain a documented incident response plan with defined severities, RACI roles and external communication procedures. Customers affected by security incidents are notified without undue delay and in any case within the 72-hour GDPR deadline. Public status updates are communicated via email and on the platform.

Responsible Disclosure

We welcome reports from the security research community. See our security.txt for contact details. Reports made in good faith will not face legal action. We aim to acknowledge within 2 business days and fix critical issues within 7 days.

Customer Responsibilities

Security is a shared model. As a customer you should:

  • enforce SSO and MFA for all your users;
  • follow least-privilege role assignments and review access regularly;
  • rotate API keys and webhook secrets and revoke unused credentials;
  • configure tenant-level data retention to match your compliance needs;
  • use signed firmware on connected devices where supported by the hardware vendor.

Contact

Security questionnaires, audit requests, or a security concern? Email zee@novakhan.com or reach us via the contact form.