Security Policy
Last updated: February 12, 2026
Cut Through Clarity (CTC Active) is built with enterprise-grade security at its foundation. We understand that leadership development involves sensitive personal and professional data, and we are committed to protecting it with industry-leading security practices.
1. Data Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or later (HTTPS), and HTTP Strict Transport Security (HSTS) headers are enforced. Passwords are hashed using bcrypt, which applies a unique salt per user together with a tunable work factor (salt rounds). Session tokens are cryptographically signed and stored server-side in our encrypted database.
2. Authentication & Access Control
Passwords must be at least 8 characters long and contain uppercase, lowercase, numeric, and special characters. Accounts are automatically locked after 5 failed login attempts, with a 15-minute cooldown before further attempts are accepted. Sessions are stored server-side in PostgreSQL, cryptographically signed, and expire after 7 days of inactivity. All session cookies are set with the HttpOnly, Secure, and SameSite=Lax attributes.
3. Infrastructure Security
Comprehensive HTTP security headers are enforced via Helmet.js, including Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. API endpoints are protected by per-IP rate limiting (100 requests per minute for general endpoints, 10 requests per minute for authentication endpoints). All user input is validated server-side against Zod schemas, rejecting malformed input before it reaches application logic, as a defence against injection attacks.
4. Audit Logging & Monitoring
All security-relevant events are logged including login attempts, administrative actions, access control changes, and password modifications. Audit logs capture user identity, IP address, user agent, timestamp, and action details for forensic analysis.
5. Data Privacy & Protection
We collect only the data necessary for delivering the Cut Through Clarity programme. Community features default to private. We never sell, rent, or trade user data to third parties. Our data handling practices align with the principles of the General Data Protection Regulation (GDPR).
6. Enterprise Security Standards
Code is developed following OWASP Top 10 security guidelines. Third-party dependencies are regularly audited and updated. Database operations use parameterised queries via Drizzle ORM to prevent SQL injection. API keys, database credentials, and secrets are stored in encrypted environment variables, never in source code.
7. Incident Response
In the event of a security incident, we follow a structured response process: detection via automated monitoring, immediate containment and credential revocation, forensic investigation, notification of affected users within 72 hours of confirmed data breaches, and root cause analysis to prevent recurrence.
8. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. Please report issues to office@danrichardscoaching.com. We commit to acknowledging receipt within 48 hours and providing a resolution timeline within 5 business days.
9. Contact
Dan Richards Coaching — Email: office@danrichardscoaching.com — Website: cutthroughclarity.com