Security & Trust Center
We take security seriously. This page explains how we protect your data, secure our infrastructure, and maintain operational excellence across the Cyber Proficiency Center platform.
Last updated: April 2026
Infrastructure Security
Our platform runs on Kubernetes (Azure AKS) with a cloud-native, containerized architecture. Every component is isolated, resource-limited, and monitored.
- Multi-environment isolation — separate clusters for development, demo, production, and client-specific deployments
- Container hardening — all containers run as non-root users with defined CPU and memory limits
- Infrastructure as Code — all Kubernetes manifests are versioned in Git with Kustomize overlays for environment-specific configurations
- TLS everywhere — all external traffic is encrypted via HTTPS with auto-renewed Let’s Encrypt certificates
- Internal service isolation — services communicate via internal cluster DNS; only the Ingress controller is externally exposed
Authentication & Access Control
We provide flexible, enterprise-grade authentication options:
- Single Sign-On (SSO) — support for Microsoft Entra ID, Google Workspace, and Okta via OAuth 2.0 with automatic domain-based routing
- Password security — BCrypt hashing with a high work factor
- Brute force protection — dual rate limiting by both IP address and username (sliding window algorithm)
- Bot protection — Google reCAPTCHA v3 integration
- Account blocking — administrators can block user accounts, preventing login immediately
Access control is enforced at multiple levels:
- Role-based access control (RBAC) — granular role hierarchy (User, Master, Manager, Administrator, Super Admin)
- Resource-level authorization — custom security voters ensure users can only access their own data
- Session security — HTTPS-only cookies, HttpOnly flag, SameSite attribute, and automatic session fixation protection
Application Security
Our application is built on the Symfony 6.4 LTS framework, which provides robust, built-in security mechanisms:
- SQL injection prevention — parameterized queries via Doctrine ORM
- XSS prevention — automatic output escaping in Twig templates
- CSRF protection — automatic token validation on all forms
- Input validation — server-side validation with Symfony Validator component
HTTP Security Headers are deployed across all environments:
- Content-Security-Policy (strict CSP with
default-src 'self') - Strict-Transport-Security (HSTS with
max-age=31536000; includeSubDomains) - X-Frame-Options:
DENY - X-Content-Type-Options:
nosniff - Referrer-Policy:
strict-origin-when-cross-origin - Permissions-Policy: geolocation, microphone, and camera disabled
Secrets Management
Sensitive data is never stored in source code. All secrets are managed through Azure Key Vault:
- Kubernetes CSI Secret Driver mounts secrets from Key Vault as volumes
- Managed Identity authentication — no credentials needed for Key Vault access
- Automatic secret rotation with configurable polling intervals
- Per-environment isolation — each environment has its own dedicated Key Vault
Data Protection & Privacy
Data storage:
- MySQL 8.0 with SSL/TLS encrypted connections
- Persistent volumes on Azure for data durability
- User passwords hashed with BCrypt (never stored in plaintext)
- Payment information: only transaction IDs are stored; credentials reside in Key Vault
GDPR compliance:
- Right to deletion — users can delete their account and associated data
- Data minimization — we collect only essential data (email, name, password)
- No tracking cookies beyond session cookies
- Data residency in EU — Azure West Europe region (GDPR-compliant)
- Privacy policy available in both English and Polish
Backups:
- Automated daily MySQL backups (CronJob at 2 AM UTC)
- AES-256 encryption for backup files
- 30-day rolling retention window
- Azure MySQL Flexible Server built-in backups with automated point-in-time recovery (additional layer on top of custom backups)
Monitoring & Incident Response
- Prometheus + Grafana Cloud — real-time metrics collection (CPU, memory, disk, HTTP request rate, database performance, SSL certificate expiry)
- Alerting — email and SMS alerts for high CPU, memory, disk space, and certificate expiry
- Structured logging — JSON-format production logs with dedicated channels for security events and mail operations
- Rollback capabilities — zero-downtime rolling deployments with instant rollback via feature flags or Git revert
Testing & Quality Assurance
We maintain a comprehensive automated test suite that covers every critical path:
- 1,467+ PHP test cases across 99 test files (unit, integration, and controller tests)
- 105 frontend test suites (Jest)
- 20 E2E test suites (Playwright)
- Coverage includes: authentication, authorization, SSO, rate limiting, payments, code sandbox execution, CV processing, and Azure provisioning
Dependency Security
- Weekly automated Snyk scans — SCA (Software Composition Analysis) for PHP, JavaScript, and Python dependencies; SAST (Static Application Security Testing) for source code; IaC scanning for Kubernetes manifests and Dockerfiles
- Zero known vulnerabilities in both
composer auditandyarn audit - Results uploaded to GitHub Security tab as SARIF reports
CI/CD Pipeline
- Automated test execution on every push
- Docker image building and tagging with commit SHA
- Multi-environment deployment (development, demo, production) with zero-downtime rolling updates
- Automated security scanning as part of the pipeline
Compliance & Standards
- OWASP Top 10 — framework-level mitigations for all categories
- CIS Kubernetes Benchmark — non-root containers, RBAC enforcement
- GDPR — data residency in EU, right to deletion, data minimization
- RFC 9116 —
/.well-known/security.txtendpoint for responsible vulnerability disclosure - WCAG 2.1 — accessibility improvements including ARIA labels, keyboard navigation, skip-to-content links, and semantic form attributes
Deployment Models
SaaS (managed by cp.center):
- Shared infrastructure with multi-tenant isolation
- Managed updates, monitoring, and maintenance
Private Instance (customer-managed):
- Dedicated Kubernetes cluster in your own Azure subscription
- Full control over data location and deployment schedule
- No data leaves your Azure subscription
- We provide Kubernetes manifests, deployment automation, and technical support
Third-Party Integrations
| Service | Purpose | Data Shared | Security |
|---|---|---|---|
| Microsoft Entra ID | SSO authentication | Email, name | OAuth 2.0 |
| Google Workspace | SSO authentication | Email, name | OAuth 2.0 |
| Okta | SSO authentication | Email, name | OAuth 2.0 |
| Microsoft Graph API | Email sending | Email addresses | OAuth 2.0 |
| Google reCAPTCHA | Bot protection | IP address, user agent | HTTPS |
| PayPal | Payments | Transaction data | OAuth 2.0 + webhook validation |
| PayU | Payments | Transaction data | HTTPS + signature verification |
| MaxMind GeoIP | Geolocation | None (local database) | No external calls |
Vulnerability Disclosure
We support responsible vulnerability disclosure. If you discover a security issue, please contact us:
- Email: security@cp.center
- security.txt: /.well-known/security.txt (RFC 9116)
- Bug Bounty: Bug Bounty Program
We do not take legal action against good-faith security research.