TensōANALYTICS
Security posture

We earn government trust the hard way — by design.

Our clients hand us sensitive operational and policy data, so security is not a page we bolt on at the end. This is an honest account of how we secure this website and the limited data it touches. Engagement-level security is covered separately under each client's signed agreement.

Effective: 11 June 2026
Version: 2026-06-11
Review: every 12 months or on material change

1. Our posture

The most secure data is the data you never collect. This site is built on that principle — it gathers the minimum to let you reach us, and nothing it does not need.

We hold ourselves to the standard our government and institutional clients expect: least privilege, defence in depth, and no security theatre. Where we have not yet earned a formal certification, we say so plainly rather than imply one.

2. The data surface

The only personal information this website handles is what you submit through the contact form, plus standard technical logs. We describe exactly what that is, and why, in §2 of our privacy notice. There is no database of user accounts to breach and no stored payment data, because this site holds neither.

The only third parties that can touch this data are our host (Vercel), our email delivery (Resend), and — only if you accept analytics — Google Analytics, each bound by a data-processing agreement and listed, with its role and location, in our privacy notice.

3. Infrastructure

  • Encrypted in transit. Every connection is served over HTTPS/TLS; plaintext requests are redirected to secure ones.
  • Encrypted at rest. The managed providers that briefly hold your message — our host and email provider — encrypt stored data at rest by default. We run no database of our own for this site to leak.
  • Locked-down accounts. The handful of accounts that can reach this site, its code, or the inbox your enquiry lands in — hosting, email, and our repository — require multi-factor authentication and follow least privilege: only the people who need access have it.
  • Managed hosting. The site runs on Vercel’s global edge network, with serverless compute in the US (iad1 / us-east-1), which provides DDoS protection, isolated builds, and patched infrastructure under a data-processing agreement.
  • No third-party scripts you didn’t ask for. We self-host our fonts, and our only analytics (Google Analytics) loads consent-denied by default — so unless you accept, the browser makes no analytics calls, and never any to advertising networks.
  • Secrets stay out of code. Credentials live in environment variables in the hosting platform, never in the repository or in client-side code.

4. Application security

  • Validated inputs. Everything the contact form submits is validated and normalised against a strict schema on the server before it is processed.
  • Abuse resistance. Submissions are rate-limited to deter automated abuse — without a CAPTCHA, which would tax legitimate visitors.
  • Dependencies under watch. Automated dependency updates and routine audits flag known vulnerabilities so we patch quickly.
  • Strict by default. TypeScript strict mode and linting run in continuous integration on every change; a build that fails the gate does not ship.
  • Reviewed before release. Changes land on an integration branch and reach production only through a gated, batched release; the production branch is protected, so nothing ships unreviewed or untested.
  • No hand-rolled crypto. We rely on vetted, standard libraries and platform primitives rather than inventing our own.

5. Security by absence

A large part of this site’s security comes from what it deliberately does not do:

  • No user accounts, passwords, or sessions to compromise.
  • No payments, and no stored card or banking data.
  • No file uploads.
  • No advertising trackers, cross-site cookies, or visitor profiling.
  • No AI inference run on anything you type — your words are only delivered to us.

6. Monitoring & incident response

We monitor the platform’s security and availability alerts and treat suspected incidents as a priority. If a security incident affected personal information, we would act to contain it, assess the impact, and — in line with POPIA (§22) and the GDPR — notify the relevant regulator and any affected people as required by law, without undue delay.

7. Reporting a vulnerability

If you believe you have found a security issue, please tell us before disclosing it publicly. Email security@tensoanalytics.com — our machine-readable contact details are also published at /.well-known/security.txt. We aim to acknowledge every good-faith report within 5 business days.

If you act in good faith, we commit to:

  • Acknowledge your report promptly and keep you updated as we investigate.
  • Not pursue or support legal action against research that respects the rules below.
  • Credit you, with your permission, once an issue is resolved.

We ask that you, in return:

  • Give us reasonable time to fix an issue before disclosing it, and avoid privacy violations, data destruction, or service disruption.
  • Only interact with accounts you own or have permission to test, and never access or modify other people’s data.
  • Do not run automated, high-volume, or denial-of-service testing against the site.

8. Security in engagements

The controls on this page cover the public website. When we take on client work, security is governed by the engagement’s signed agreement and its dedicated security addendum — covering data classification, access control, encryption, retention, and breach handling for the specific data involved. We are glad to walk security and procurement teams through it before any data changes hands.

9. Certifications

We do not currently claim a formal security certification for this website, and we will not imply one we have not earned.

For how the data this site collects is handled and your rights over it, see our privacy notice.

Found something?

Tell us before you tell the world.

Report a vulnerability to security@tensoanalytics.com. Good-faith researchers get a fast, friendly response and safe harbour.