1. Quick summary
- 🔐 Encrypted everywhere — TLS 1.2+ in transit, AES-256 at rest. Passwords hashed with Argon2 / bcrypt — never stored in plaintext.
- 🧱 True tenant isolation — each SaaS customer has their own MySQL database (no shared tables), so one tenant's data physically cannot leak into another's through application bugs. Cloud VPS customers get a dedicated virtual server, isolated at the hypervisor; shared-hosting customers are isolated via CloudLinux CageFS + LVE.
- 🔑 2FA everywhere — available to every account, required for super-admins. Codes via SMS + email, 10-minute expiry, 5-attempt lockout.
- 📜 Full audit log — every significant action (login, password change, plan change, billing edit) logged with user, IP, and timestamp. Retained 2 years.
- 💾 Daily off-site backups (platform) — encrypted, retained 30 days. Cloud VPS data is not backed up by us — that's your responsibility.
- ⏱ 72-hour breach notification — if we discover a personal-data breach affecting you, you're notified within 72 hours per PDPA.
2. Application security
- SQL injection — parameterised queries via PDO prepared statements as a strict coding standard. All user input is bound, never concatenated.
- Cross-site scripting (XSS) — htmlspecialchars() on all user-supplied content rendered into HTML; innerHTML avoided in paths touching untrusted input.
- Cross-site request forgery (CSRF) — SameSite=Lax session cookies; state-changing actions verify the session before any DB write.
- Password storage — Argon2id (PHP password_hash()), bcrypt fallback.
- Brute-force protection — failed logins logged + rate-limited (5 attempts / hour / IP). Honeypot field on signup.
- Session management — 8-hour idle timeout, regenerated on login, rotated on privilege change.
- File upload — MIME whitelist, stored outside web root, served through an ownership-checked proxy.
- HTTP security headers — HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Content-Security-Policy rolling out.
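An added example (not Netpoa's own code) of how the SQL injection and password storage items above fit together in PHP: bound PDO parameters, Argon2id via password_hash() with a bcrypt fallback, and an upgrade of older hashes on login. The users table, the function names and the in-memory SQLite database are assumptions for illustration; it needs PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Assumption: a hypothetical `users` table with id, email and password_hash columns.

/** Argon2id when this PHP build supports it, otherwise bcrypt. */
function preferredAlgo()
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

function registerUser(PDO $db, string $email, string $password): void
{
    $hash = password_hash($password, preferredAlgo());
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function verifyLogin(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A stored bcrypt hash still verifies; upgrade it once the preferred algorithm is available.
    if (password_needs_rehash($row['password_hash'], preferredAlgo())) {
        $up = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $up->execute([':hash' => password_hash($password, preferredAlgo()), ':id' => $row['id']]);
    }
    return true;
}

// Constructed demo data on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
registerUser($db, 'demo@example.test', 'correct horse battery staple');

// A valid login, then an email value carrying SQL metacharacters that is treated as plain data.
var_dump(verifyLogin($db, 'demo@example.test', 'correct horse battery staple'));
var_dump(verifyLogin($db, "demo@example.test' OR '1'='1", 'anything'));
```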
3. Infrastructure security
- Encryption in transit — TLS 1.2 minimum, TLS 1.3 preferred. HTTPS-only across every domain and subdomain.
- Encryption at rest — AES-256 disk encryption at the hosting provider.
- OS hardening — AlmaLinux + CloudLinux, automatic security patching of the cPanel + PHP runtime, kernel-level resource caps per account (LVE).
- Network — firewalled at the host; MySQL bound to private interfaces; SSH key-only on infrastructure boxes.
- DDoS mitigation — upstream provider network-level filtering + Cloudflare on public-facing properties.
4. Backups & disaster recovery
For the managed platform (hosting, SaaS, email):
- Daily off-site backups, encrypted, retained 30 days.
- RPO (recovery point objective): up to 24 hours of data loss in a worst-case incident.
- RTO (recovery time objective): target restoration within 4 hours of a declared incident. This is an operational goal, not a guarantee — actual time depends on the nature and scope of the incident.
For Cloud VPS: backups are your responsibility. You can take snapshots from the control panel and push off-site backups to a Storage Box or any destination you choose. We do not back up VPS data and cannot restore it after deletion.
5. Access controls
- Netpoa staff access to your account / workspace is logged and limited to support cases you've explicitly opened.
- Super-admin impersonation of a customer account is audited (who, when, why) and surfaced to the customer in their access history.
- Production database access is restricted to a small number of senior engineers and logged.
6. Breach notification
If we discover a personal-data breach affecting your data, we will notify you within 72 hours of discovery, per Tanzania's Personal Data Protection Act. The notice will describe what happened, what data was affected, what we've done, and what you should do.
7. Reporting a vulnerability
We welcome good-faith security research. If you find a vulnerability:
- Don't exploit it beyond what's needed to demonstrate the issue, and don't access another customer's data.
- Email info@netpoa.com with details.
- We acknowledge within 48 hours, fix within a reasonable timeframe, and credit you publicly if you wish.
Good-faith disclosure will not result in legal action against you — see our Acceptable Use Policy §3.
8. Compliance & jurisdiction
- Tanzania PDPA 2022 — we operate as data controller for our customers and processor for the data customers put into our services. See our Privacy Policy and Data Processing Agreement.
- TCRA / EPOCA — telecoms and online-content compliance for SMS and hosting.
- GDPR alignment — our EU hosting providers operate under GDPR, which exceeds PDPA in most respects, so data leaving Tanzania for hosting remains protected.
9. Contact
Security questions: info@netpoa.com · Data protection: info@netpoa.com