1) Scope & shared responsibility

We protect the systems and data we control (hosting, build pipelines, support tooling). Customers remain responsible for their own environments, credentials, end-user devices, and third-party tools they connect.

2) Data classification & retention

  • Personal information (PI): contact details, support communications, minimal logs.
  • No sensitive PI by default: we avoid government IDs, biometrics, precise location, health data unless a contract requires it and lawful basis is established.
  • Retention: keep only as long as needed for service, legal, or audit requirements; then delete or de-identify.

3) Technical & organizational controls

Controls by area:

  • Encryption: TLS for data in transit; storage protected by provider disk-level encryption; secrets not committed to repos.
  • Access: least privilege, role-based access, MFA on admin accounts, session timeouts, audit trails where supported.
  • Backups & DR: regular backups for critical assets; restore tests on a cadence appropriate to the service.
  • Hosting: hardened hosting with HTTPS enforced; static-first sites reduce attack surface; WAF/CDN available via provider.
  • Monitoring & logs: server and application logs for security events; anomaly review; log retention kept to the minimum necessary.
  • People & training: confidentiality obligations; security training and playbooks for agents and engineers.

4) Secure development lifecycle

  • Code review for critical changes; dependency updates and vulnerability scanning.
  • Secrets management outside source control; environment variables per environment.
  • Change management with staging → production approvals; rollback plans.
  • Privacy by design: collect the minimum, avoid sensitive data, and disable unneeded services.

5) Vendors & subprocessors

We use vetted providers for hosting, email/helpdesk, and voice services. Each subprocessor is bound by contract to protect data and only process it under our instructions. See: /legal/subprocessors.

6) Incident response

We acknowledge reports within 24 hours and investigate promptly. If a personal-data breach affects you, we notify you without undue delay and share information to support your assessment.

Severity levels, with description and target actions:

  • Low: minor issue with little/no impact; defense-in-depth contained. Target actions: log & remediate in the normal cycle.
  • Medium: potential misuse or elevated risk; limited scope. Target actions: prioritized remediation; customer notice if relevant.
  • High: confirmed compromise or material risk to PI/service. Target actions: immediate response, containment, customer notification.

7) Vulnerability disclosure

We welcome coordinated disclosure. Please email Support@kavacorellc.com with steps to reproduce, impact, and your contact details. We authorize good-faith testing that:

  • avoids privacy violations, data destruction, or service disruption;
  • does not access customer data without explicit permission;
  • limits testing to assets we own/control; and
  • respects applicable laws.

Out of scope (examples): clickjacking on pages without sensitive actions, missing SPF/DMARC on non-sending domains, rate-limit bypasses without impact, vulnerabilities requiring physical access to a device.

security.txt

We support the /.well-known/security.txt convention (RFC 9116). Serve this file over HTTPS at /.well-known/security.txt on your domain, matching the Canonical line:

Contact: mailto:Support@kavacorellc.com
Policy: https://www.kavacorellc.com/legal/security
Preferred-Languages: en
Canonical: https://www.kavacorellc.com/.well-known/security.txt
Expires: 2026-10-01T00:00:00Z
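As an added example (not part of this page or KavaCore's own tooling), the Python validator below checks a security.txt body against the RFC 9116 rules that most often go wrong in practice: Contact and Expires are mandatory, Expires must be in the future (and should be under a year away), and the file must be served over HTTPS at /.well-known/security.txt with a Canonical line that lists that exact URL. The sample body is the file shown above, embedded as a constant; the serving URL and the "current time" are supplied by the caller so the check is reproducible.

```python
# Added example (not KavaCore's tooling): validate a security.txt file against the
# RFC 9116 rules that most often go wrong. The sample below is the file from the
# policy page, embedded as a constant; the serving URL is passed in by the caller.
from datetime import datetime, timedelta

SAMPLE_SECURITY_TXT = """\
Contact: mailto:Support@kavacorellc.com
Policy: https://www.kavacorellc.com/legal/security
Preferred-Languages: en
Canonical: https://www.kavacorellc.com/.well-known/security.txt
Expires: 2026-10-01T00:00:00Z
"""


def parse_security_txt(text):
    """Map each field name (case-insensitive) to the list of values seen for it."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2026-10-01T00:00:00Z into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp lacks a timezone offset")
    return dt


def validate_security_txt(text, served_at, now):
    """Return a list of findings; an empty list means the file passes.

    served_at: the URL the file was fetched from (used to check Canonical).
    now: the current time as an ISO 8601 string, so fixed dates can be tested.
    """
    current = _parse_ts(now)
    findings = []
    fields = parse_security_txt(text)

    # Contact is mandatory and should be a mailto:, tel: or https: URI.
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact field is required")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact should be a mailto:, tel: or https: URI: {c}")

    # Expires is mandatory, must appear exactly once, and should be under a year away.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires field must appear exactly once")
    else:
        try:
            exp = _parse_ts(expires[0])
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if exp <= current:
                findings.append("Expires is in the past; the file is stale")
            elif exp - current > timedelta(days=365):
                findings.append("Expires is more than a year away")

    # The file must be served over HTTPS at the well-known path; when Canonical is
    # present it must list that URL, so a copied file cannot pass as the real one.
    if not served_at.startswith("https://") or not served_at.endswith("/.well-known/security.txt"):
        findings.append(f"file should be served over HTTPS at /.well-known/security.txt, got {served_at}")
    canonicals = fields.get("canonical", [])
    if canonicals and served_at not in canonicals:
        findings.append("Canonical does not include the URL the file was served from")
    return findings


if __name__ == "__main__":
    url = "https://www.kavacorellc.com/.well-known/security.txt"
    for finding in validate_security_txt(SAMPLE_SECURITY_TXT, url, "2025-10-15T00:00:00Z") or ["OK"]:
        print(finding)
```

Run it against the body you actually serve (for example, the output of fetching the well-known URL) and re-run it as part of the periodic review noted at the foot of this page, so an expired Expires line is caught before researchers see it.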

8) Website hardening (headers & CSP)

For our marketing site, we enforce HTTPS and modern security headers. On Hostinger/LiteSpeed (Apache-compatible), add to your site’s .htaccess:

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Strict Transport Security (HSTS) — enable after confirming HTTPS works everywhere
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Basic CSP (adjust as needed when adding widgets)
Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"

# Other hardening headers
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header set X-Frame-Options "DENY"
Header set Cross-Origin-Resource-Policy "same-origin"

Note: When you add analytics/maps/chat, update the CSP to include their script, style, font, connect, and frame origins.
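To verify that the headers above are actually what a site returns, and that a later widget change has not quietly loosened them, the following Python linter is an added example (not KavaCore's tooling) that parses HSTS and CSP values and reports the weaknesses a reviewer would flag: short HSTS max-age, missing includeSubDomains, a wildcard default-src, risky script-src sources, missing frame-ancestors/base-uri/form-action, and an object-src that is not 'none'. The two header sets are constructed samples: one mirrors the .htaccess baseline above, the other shows a site that loosened its policy to add a chat widget. In practice you would populate the dict from the headers a fetch of your site returns.

```python
# Added example (not KavaCore's tooling): lint response headers against the baseline
# in section 8. Both header sets are constructed samples, not captured from a live host.

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; img-src 'self' data: https:; "
        "font-src 'self' https://fonts.gstatic.com; "
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "script-src 'self'; connect-src 'self'; frame-ancestors 'none'; "
        "base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
    ),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample: a site whose policy was loosened to make a chat widget load.
WEAKENED_HEADERS = dict(
    HARDENED_HEADERS,
    **{
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' *; object-src 'self'",
    },
)

REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "referrer-policy",
    "x-frame-options",
)
ONE_YEAR = 31536000
# Source expressions that make script-src effectively open.
RISKY_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:")


def parse_csp(value):
    """'dir src src; dir ...' -> {directive: [sources]}; directives without sources map to []."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return (max_age_seconds, set of lowercase flag names) from an HSTS header value."""
    max_age, flags = 0, set()
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive:
            flags.add(directive)
    return max_age, flags


def lint_headers(headers):
    """Return a list of findings for a dict of response headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {name}" for name in REQUIRED_HEADERS if name not in h]

    if "strict-transport-security" in h:
        max_age, flags = parse_hsts(h["strict-transport-security"])
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in flags:
            findings.append("HSTS lacks includeSubDomains")

    if "content-security-policy" in h:
        policy = parse_csp(h["content-security-policy"])
        default = policy.get("default-src")
        if default is None:
            findings.append("CSP has no default-src fallback")
        elif "*" in default:
            findings.append("CSP default-src allows any origin (*)")
        # script-src inherits default-src when absent, so lint the effective value.
        for src in policy.get("script-src", default or []):
            if src in RISKY_SCRIPT_SOURCES:
                findings.append(f"CSP script-src allows {src}")
        for directive in ("frame-ancestors", "base-uri", "form-action"):
            if directive not in policy:
                findings.append(f"CSP lacks {directive}")
        # object-src also inherits default-src; anything but 'none' permits plugin content.
        if policy.get("object-src", default or []) != ["'none'"]:
            findings.append("CSP object-src is not 'none' (inherits default-src)")
    return findings


if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED_HEADERS), ("weakened", WEAKENED_HEADERS)):
        print(label, lint_headers(headers) or ["OK"])
```

Run against the section 8 baseline, the linter reports a single advisory: the policy sets no object-src, so it inherits default-src 'self' and still permits plugin content from the site's own origin; appending `object-src 'none'` to the CSP clears it. The weakened sample produces nine findings, which is the kind of regression to look for after the widget changes the note above describes.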

9) Contact

Email: Support@kavacorellc.com
Mail: KavaCore LLC, Grover Street, Joliet, IL 60433 (USA)

Status: No known incidents • Last review: October 1, 2025
