Security
This page explains measures taken by JWP Consulting GK (hereinafter referred to as "JWP") to ensure the security of the Projectify software (hereinafter referred to as "Projectify"). JWP offers Projectify to users as defined in the terms of service and to those who are interested in using Projectify (both hereinafter referred to as "you").
This page contains a security assessment created following the Minimum Viable Secure Product checklist v2.0. JWP invites you to share your feedback. For security-related inquiries, please refer to the security disclosure policy.
Version History
| Date | Changes | Author |
|---|---|---|
| 2026-02-20 | Adjusted content based on Django frontend rewrite | Justus W. Perlwitz, JWP Consulting GK |
| 2024-03-29 | Created page | Justus W. Perlwitz, JWP Consulting GK |
Business Controls
JWP offers a point of contact for Projectify-related vulnerability reports on Projectify's security disclosure policy page.
If you would like to evaluate the security of Projectify, JWP offers dedicated test environments. Please contact JWP for more details.
JWP has not commissioned external penetration testing of Projectify as of 2024-03-29.
JWP trains its personnel in information security and stays up to date with threats. JWP follows industry standards to securely design, implement, and operate Projectify.
Compliance
JWP offers Projectify in compliance with Japanese and EU (GDPR) privacy regulations. To use Projectify, you have to agree with its terms of service.
Please reach out if you have any compliance-related inquiries.
Incident handling
When a security incident on Projectify affects you, JWP will contact you within 72 hours with the following information:
- How you are affected
- Preliminary technical analysis of the breach
- Remediation plan with reasonable timelines
- Point of contact for your inquiries
Data handling
JWP does not store your data on its own premises. All third parties handling user data follow data sanitization best practices.
Application design controls
Projectify does not implement Single Sign-On (SSO).
You can only use Projectify using HTTPS. Projectify redirects HTTP connections to www.projectifyapp.com to the corresponding HTTPS address. Example: http://www.projectifyapp.com/dashboard becomes https://www.projectifyapp.com/dashboard.
Projectify uses the following HSTS policy:
strict-transport-security max-age=31536000
Projectify does not use HSTS preloading. [1]
Projectify uses the following Content Security Policy [2]:
script-src 'self'
To prevent iframe embedding, Projectify sets the X-Frame-Options HTTP response header to DENY.
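The transport controls described above (HTTP-to-HTTPS redirect, HSTS, CSP and X-Frame-Options) are shown below as a plain WSGI middleware, written here as an added example; it is not Projectify's code, and the hostname, the trust in an X-Forwarded-Proto header and the demo application are assumptions. The header values are the ones this page states. A small check_policy function lets an operator verify that a response actually carries them.

```python
"""Transport hardening as a WSGI middleware (added example, not Projectify's
code). Header values are taken from the page; the hostname, the trust in
X-Forwarded-Proto and the demo app are assumptions."""
from urllib.parse import urlunsplit

CANONICAL_HOST = "www.projectifyapp.com"  # hostname named on the page
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "script-src 'self'",
    "X-Frame-Options": "DENY",
}


def https_url_for(environ):
    """Rebuild the requested URL with the https scheme and canonical host."""
    path = environ.get("PATH_INFO", "/") or "/"
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", CANONICAL_HOST, path, query, ""))


def is_https(environ):
    """True when the connection itself, or a trusted proxy header, says TLS.
    Assumption: the app runs behind a platform proxy that overwrites
    X-Forwarded-Proto, so the header can be trusted."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


class SecurityHeadersMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_https(environ):
            # Plain HTTP never reaches the app: permanent redirect to HTTPS.
            location = https_url_for(environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hardened_start_response(status, headers, exc_info=None):
            # Drop any app-set copies so the policy values always win.
            names = {name.lower() for name in SECURITY_HEADERS}
            headers = [h for h in headers if h[0].lower() not in names]
            headers.extend(SECURITY_HEADERS.items())
            return start_response(status, headers, exc_info)

        return self.app(environ, hardened_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard"]


def run_request(app, environ):
    """Drive a WSGI app once and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def check_policy(headers):
    """Operator-side check: names of policy headers missing or mis-valued."""
    lower = {k.lower(): v for k, v in headers.items()}
    return [name for name, value in SECURITY_HEADERS.items()
            if lower.get(name.lower()) != value]


if __name__ == "__main__":
    app = SecurityHeadersMiddleware(demo_app)
    plain = {"wsgi.url_scheme": "http", "PATH_INFO": "/dashboard", "QUERY_STRING": ""}
    print(run_request(app, plain))
    print(run_request(app, {**plain, "wsgi.url_scheme": "https"}))
```

The redirect is issued before the wrapped application runs, so no application code is reachable over plain HTTP; the header list is rewritten on every HTTPS response rather than relying on each view to set it.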
Password policy
Projectify's Django backend stores your password in a secure form by hashing it with a salt using PBKDF2 with SHA256 [3]. You can use passwords containing up to 128 characters. Your browser transmits your password to Projectify over an encrypted connection (HTTPS) when you set your password or log in.
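The storage format Django's default hasher writes is "pbkdf2_sha256$iterations$salt$base64-hash". The block below reimplements that format with the Python standard library so it runs without Django, together with the 128-character cap stated above. It is an added example, not Projectify's or Django's code; the iteration count is an assumption (Django raises its default with each release), and needs_rehash is an illustrative helper.

```python
"""Salted PBKDF2-HMAC-SHA256 password storage in Django's string format
(added example, not Projectify's or Django's code)."""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000         # assumption; Django raises its default over time
MAX_PASSWORD_LENGTH = 128    # cap stated on the page
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when a password exceeds the length cap."""


def _check_length(password):
    if len(password) > MAX_PASSWORD_LENGTH:
        raise PasswordTooLong(f"passwords are limited to {MAX_PASSWORD_LENGTH} characters")


def make_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>'; the plaintext is never kept."""
    _check_length(password)
    if salt is None:
        # URL-safe alphabet, so the salt can never contain the '$' separator.
        salt = secrets.token_urlsafe(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def check_password(password, stored):
    """Recompute with the stored salt and rounds, compare in constant time."""
    try:
        _check_length(password)
        algorithm, iterations, salt, _ = stored.split("$", 3)
    except (PasswordTooLong, ValueError):
        return False             # over-long input or malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate.encode(), stored.encode())


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was written with fewer rounds than current policy,
    i.e. it should be re-hashed on the next successful login."""
    _, stored_iterations, _, _ = stored.split("$", 3)
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    record = make_password("correct horse battery staple")
    print(record)
    print(check_password("correct horse battery staple", record))
```

Two records for the same password differ because each gets a fresh random salt; the comparison uses hmac.compare_digest so that verification time does not depend on where the strings first differ.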
Projectify never stores or logs your password in plain text.
To change your password, you must provide your old password. Projectify sends you a confirmation mail when your password changes.
To reset your password, you can request a password reset. When you request a password reset, Projectify sends you a reset confirmation email. Clicking the reset link inside the email lets you set a new password and finish the password reset process. Projectify sends you a confirmation mail when your password resets.
Projectify does not use secret questions for logging in or resetting passwords.
Projectify prevents password brute-forcing, dictionary attacks, and credential stuffing by limiting the number of failed log-in attempts that someone can perform in a given amount of time.
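One way to implement the limit on failed log-in attempts described above is a sliding window of failure timestamps kept per account and per client address, so that both guessing against one account from many addresses and stuffing many accounts from one address hit a ceiling. The block below is an added example, not Projectify's code; the thresholds, the window length and the in-memory store are assumptions (a deployment with several backend processes would keep the counters in a shared store instead).

```python
"""Sliding-window limit on failed log-in attempts (added example, not
Projectify's code; thresholds and window length are assumptions)."""
from collections import defaultdict, deque
import time


class FailedLoginLimiter:
    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, key, now):
        """Drop failures older than the window; return the live queue."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    @staticmethod
    def _keys(username, client_ip):
        # Account key: one account attacked from many addresses.
        # Address key: many accounts attacked from one address.
        return (f"user:{username.lower()}", f"ip:{client_ip}")

    def is_blocked(self, username, client_ip):
        now = self.clock()
        return any(len(self._prune(k, now)) >= self.max_failures
                   for k in self._keys(username, client_ip))

    def record_failure(self, username, client_ip):
        now = self.clock()
        for k in self._keys(username, client_ip):
            self._prune(k, now).append(now)

    def record_success(self, username, client_ip):
        # A successful login clears the account counter only; the address
        # counter keeps protecting the other accounts.
        self._failures.pop(f"user:{username.lower()}", None)

    def retry_after(self, username, client_ip):
        """Seconds until the oldest counted failure leaves the window (0 when open)."""
        now = self.clock()
        waits = []
        for k in self._keys(username, client_ip):
            q = self._prune(k, now)
            if len(q) >= self.max_failures:
                waits.append(self.window - (now - q[0]))
        return max(waits, default=0.0)


def attempt_login(limiter, username, client_ip, password_ok):
    """Gate one login attempt; returns 'blocked', 'ok' or 'failed'.
    password_ok stands in for the real credential check (constructed input)."""
    if limiter.is_blocked(username, client_ip):
        return "blocked"       # rejected before any credential check runs
    if password_ok:
        limiter.record_success(username, client_ip)
        return "ok"
    limiter.record_failure(username, client_ip)
    return "failed"


if __name__ == "__main__":
    limiter = FailedLoginLimiter(max_failures=3, window_seconds=60)
    for _ in range(4):
        print(attempt_login(limiter, "alice", "198.51.100.7", password_ok=False))
    print("retry after", round(limiter.retry_after("alice", "198.51.100.7")), "s")
```

While an account or address is blocked, even a correct password is rejected; the retry_after value is what a "try again later" response would carry.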
Projectify enforces password policies that prevent users from choosing weak, easy-to-guess passwords.
Dependency patching
JWP keeps Projectify's third-party dependencies up to date and responds to known vulnerabilities. JWP uses Dependabot [4] to monitor new vulnerabilities in Projectify's source code repository [5].
Logging
To help you understand how someone accessed your account, Projectify logs the following information:
- Last time of successful log-in
Projectify does not log the following information:
- Users logging in and out
- Read, write, delete operations on application and system users and objects
- Security settings changes (including disabling logging)
- Application owner access to customer data (access transparency)
Encryption
We've taken specific measures to protect your sensitive data in transit and in storage.
Application and database server
Projectify uses TLS for the following connections:
- When your browser connects to Projectify
- Django backend to Render Key Value [6]
- Django backend to Render Postgres [7]
- Sending mails with Mailgun
Render's upstream providers use encryption at rest. [9]
Asset storage
For asset storage, we have not verified whether Projectify uses Cloudinary (Cloudinary Inc.) APIs exclusively over an encrypted connection. Cloudinary encrypts its data at rest. [8]
Transactional Mailing
Projectify uses the transactional mailing service Mailgun (Sinch America, Inc.) to send you emails. Mailgun encrypts user data at rest. [10]
Application implementation controls
List of data
Please review the privacy policy for a detailed listing of sensitive data handled by Projectify.
Data flow diagram
Your browser connects to Projectify using the www.projectifyapp.com address, and some user data flows from Projectify to various backend services. See the following diagram:
```text
                    .------------.
        .-----------+ Cloudinary |
        |           .---+--------.
        |               |         .-----------------.
        |               |  +------+ Render Postgres |
        |               |  |      .-----------------.
.-------+------.    .---+--+--.   .------------------.
| Your Browser +----+ Backend +---+ Render Key Value |
.--------------.    .---+-----.   .------------------.
                        |
                        |         .---------.
                        .---------+ Mailgun |
                                  .---------.
```
Vulnerability prevention and security libraries
To prevent vulnerabilities, Projectify contains the following measures:
- Projectify uses access controls to prevent users from accessing data or admin features that they are not authorized to.
- Projectify sends Session ID cookies over HTTPS only [11] and does not expose them to scripts. [12]
- Projectify's Django backend prevents SQL injections in its ORM. [13] Projectify does not use raw SQL queries.
- Projectify's Django backend prevents cross-site scripting (XSS) by escaping untrusted inputs. [14]
- Projectify's Django backend prevents cross-site request forgery (CSRF) by checking for a CSRF token in a form field or HTTP header. [15]
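The session-cookie flags and the CSRF token check from the list above, as an added example using only the Python standard library; this is not Projectify's or Django's code (Django's own CSRF middleware additionally masks the token and handles more cases than shown here), and the cookie name, the two-week lifetime and the SameSite=Lax choice are assumptions.

```python
"""Session-cookie attributes and a CSRF token check (added example, not
Projectify's or Django's code; cookie name, lifetime and SameSite are assumptions)."""
import hmac
import secrets
from http.cookies import SimpleCookie


def session_cookie_header(session_id, max_age=1209600):
    """Build a Set-Cookie value for the session: Secure (sent over HTTPS only),
    HttpOnly (not readable by scripts), SameSite=Lax, scoped to the whole site."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id        # cookie name is an assumption
    morsel = cookie["sessionid"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age             # two weeks, an assumption
    return morsel.OutputString()


def cookie_is_hardened(set_cookie_value):
    """Operator-side check that a Set-Cookie value carries both flags named above."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_value.split(";")[1:]}
    return "secure" in attributes and "httponly" in attributes


def issue_csrf_token():
    """Per-session token; stored server-side with the session and rendered
    into forms or handed to scripts for the request header."""
    return secrets.token_urlsafe(32)


def csrf_request_ok(session_token, form_fields, headers):
    """Accept a state-changing request only when the token bound to the session
    arrives in the 'csrfmiddlewaretoken' form field or the X-CSRFToken header."""
    header_map = {k.lower(): v for k, v in headers.items()}
    submitted = form_fields.get("csrfmiddlewaretoken") or header_map.get("x-csrftoken")
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    print(session_cookie_header("constructed-session-id"))
    token = issue_csrf_token()
    print(csrf_request_ok(token, {"csrfmiddlewaretoken": token}, {}))
    print(csrf_request_ok(token, {}, {"X-CSRFToken": "wrong"}))
```

A cross-site page can make the browser send the session cookie, but it cannot read the token out of the victim's session, so a request without the matching field or header is refused; SameSite=Lax additionally keeps the cookie off cross-site POSTs in current browsers.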
Time to fix vulnerabilities
JWP fixes any known exploitable vulnerabilities within 90 days of discovery.
Build process
The build and deploy process is fully automated. Any dependencies used in the Product are included in a reproducible way using Poetry lock files.
Operational controls
Physical access
All of Projectify's infrastructure is hosted by third parties which in turn implement strict physical access controls.
Logical access
Only Product administrators with a legitimate need have access to Projectify's infrastructure or admin site.
Administrative accounts that are no longer needed are deactivated in a timely manner.
JWP regularly reviews administrative accounts and only grants administrative privileges to administrators where absolutely necessary.
Administrative access to Projectify's infrastructure is only possible using Multi-Factor Authentication (MFA).
Administrative access to Projectify's admin site at www.projectifyapp.com/admin is not secured by MFA.
Subprocessors
A list of all subprocessors is available in the GDPR section of the privacy policy under Article 6 (Cross-Border Data Transfer).
Backup and Disaster Recovery
Render Postgres has continuous rollbacks enabled spanning 7 days. [16]
Assets stored with Cloudinary are not backed up.
No steps have been taken to maintain and test disaster recovery plans.
No steps have been taken to periodically test backup restoration.
Inquiries
Should you have any questions, please reach out.
1. HSTS Preload List Submission, hstspreload.org
2. Content Security Policy (CSP), developer.mozilla.org
3. "By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST." docs.djangoproject.com
4. About Dependabot, docs.github.com
5. Projectify source code repository, github.com/jwpconsulting/projectify
6. Render Key Value, render.com/docs
7. Render Postgres, render.com/docs
8. Digital Asset Library: The Ultimate Guide - Role of a Digital Asset Library in Data Security, cloudinary.com
9. Security and Trust, render.com/security
10. How does Mailgun keep your emails protected?, www.mailgun.com/blog
11. Secure cookie configuration
12. HttpOnly, developer.mozilla.org
13. Security in Django - SQL injection protection, docs.djangoproject.com
14. Security in Django - Cross site scripting (XSS) protection, docs.djangoproject.com
15. Security in Django - Cross site request forgery (CSRF) protection, docs.djangoproject.com
16. Render Postgres Recovery and Backups, render.com/docs