Security & Trust Centre

Architecture, controls, and disclosure policy for enterprise IT teams · Last reviewed: 29 March 2026


Zero Server Storage

Session response data is never written to EngageLive's servers. Firebase is used only for transit, with automatic deletion on session end.


GDPR Compliant

Full DPA available. Data processed within EU (Hostinger Lithuania) and Singapore (Firebase). SCCs in place for transfers.


Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy deployed on all pages.


No Tracking

No Google Analytics, no Facebook Pixel, no session recording, no behavioural profiling. Ads are optional and removable.


TLS Everywhere

All connections enforced over TLS 1.2+. HSTS preload enabled. Firebase uses WSS. Payment pages use provider SSL.


PCI via Gateways

No card data ever touches EngageLive servers. All payments processed by PayPal (PCI DSS Level 1) or PayU (PCI DSS compliant).

Architecture & Data Flow

Understanding where data travels is essential for IT risk assessment. EngageLive is architecturally simple:

Host Browser ── enters email (stays in localStorage) ──► never sent to EngageLive servers
Host creates activity ── activity config ──► Firebase RT DB (Singapore) ── real-time ──► Participant Browsers
Participant submits response ──► Firebase RT DB ── live ──► Host Browser only
Session ends ──► Firebase TTL fires ──► all session data deleted automatically
PDF/Excel export ── generated in Host Browser ──► never uploaded to any server

What is stored on EngageLive's servers (Hostinger, Lithuania EU):

What is never stored on any server: poll responses, quiz answers, participant names, Q&A content, word cloud submissions, session codes, branding configuration, activity content created by hosts.

Security Controls

Control | Status | Details
TLS / HTTPS | ✅ Enforced | TLS 1.2+ mandatory, HTTP permanently redirected. HSTS max-age 1 year with preload.
Content Security Policy | ✅ Deployed | Strict CSP restricts script execution to known origins. Inline scripts permitted only for session functionality.
X-Frame-Options | ✅ SAMEORIGIN | Prevents clickjacking via iframe embedding from third-party domains.
HSTS | ✅ 1 year + preload | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer Policy | ✅ strict-origin | Only origin (not path) sent in Referer header to third parties.
Permissions Policy | ✅ Minimal | Camera, microphone, geolocation, USB, Bluetooth all disabled.
Directory Listing | ✅ Disabled | Options -Indexes in .htaccess. No server directory browsing.
Config File Access | ✅ Blocked | config.php blocked from web access via .htaccess FilesMatch.
SQL Injection | ✅ N/A | EngageLive uses no SQL database. All storage is JSON files or Firebase.
XSS Prevention | ✅ Escaped | All user input is HTML-escaped via htmlspecialchars() server-side and esc() client-side before rendering.
CSRF | ✅ Token-based | Payment endpoints use HMAC-signed server tokens. Admin panel uses session authentication.
Admin Panel | ✅ Auth required | Admin panel requires password authentication. Session cookie is HttpOnly and Secure.
PHP Version | ✅ PHP 7.4+ | Hosted on Hostinger with current PHP version. display_errors disabled in production.
Payment Card Data | ✅ Never stored | Card data processed directly by PayPal/PayU. EngageLive servers never receive or store card numbers.
Cookie Security | ✅ Secure flags | Admin session cookie: HttpOnly=1, Secure=1, SameSite=Strict. No tracking cookies set.
Penetration Testing | ⚠️ Planned | External penetration test scheduled for Q3 2026. Results will be published in this section.
SOC 2 | ⚠️ In progress | SOC 2 Type I audit in preparation. Expected Q4 2026. GDPR DPA available now (see DPA page).
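The header and cookie controls in the table above can be verified independently from a page's response headers. The following is an added example for IT teams doing vendor assessment, not EngageLive's own code: it scores a captured header set against the values the table states (HSTS max-age 31536000 with includeSubDomains and preload, X-Frame-Options SAMEORIGIN, CSP present, X-Content-Type-Options nosniff, Referrer-Policy strict-origin, Permissions-Policy denying the five listed features, admin cookie HttpOnly/Secure/SameSite=Strict). The header values shown are constructed samples, not real captures.

```python
import re

# Features the table says Permissions-Policy disables on every page.
DENIED_FEATURES = ("camera", "microphone", "geolocation", "usb", "bluetooth")

def check_headers(headers: dict) -> dict:
    """Map each header control in the table to True/False for one captured response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    pp = h.get("permissions-policy", "")
    return {
        # one year, covering subdomains, and eligible for the preload list
        "hsts": bool(age) and int(age.group(1)) >= 31536000
                and "includesubdomains" in hsts and "preload" in hsts,
        # SAMEORIGIN is what the table states; DENY is at least as strict
        "x_frame_options": h.get("x-frame-options", "").upper() in ("SAMEORIGIN", "DENY"),
        "csp": "default-src" in h.get("content-security-policy", ""),
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy": h.get("referrer-policy", "").lower()
                           in ("strict-origin", "strict-origin-when-cross-origin", "no-referrer"),
        # each listed feature must carry an empty allowlist, e.g. camera=()
        "permissions_policy": all(re.search(rf"\b{f}=\(\)", pp) for f in DENIED_FEATURES),
    }

def check_cookie(set_cookie: str) -> dict:
    """Check one Set-Cookie value for the admin-session flags the table lists."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]  # skip name=value
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs,
            "samesite_strict": "samesite=strict" in attrs}

# Constructed sample matching every value in the table (not a real capture).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), usb=(), bluetooth=()",
}
GOOD_COOKIE = "PHPSESSID=opaque; Path=/; HttpOnly; Secure; SameSite=Strict"
# Constructed sample of a weaker deployment: short HSTS, unflagged cookie.
WEAK_HEADERS = {**GOOD_HEADERS, "Strict-Transport-Security": "max-age=300"}
WEAK_COOKIE = "PHPSESSID=opaque; Path=/"

if __name__ == "__main__":
    for name, hdrs, ck in (("good", GOOD_HEADERS, GOOD_COOKIE), ("weak", WEAK_HEADERS, WEAK_COOKIE)):
        failed = [k for k, ok in {**check_headers(hdrs), **check_cookie(ck)}.items() if not ok]
        print(f"{name}: failing controls = {failed}")
```

To check a live deployment, feed the functions the headers from `curl -sI <url>` (the Set-Cookie line is only present on responses that set the admin session cookie).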

Incident Response

In the event of a confirmed security incident affecting personal data:

  1. Detection and containment: Within 1 hour of discovery, the affected system is isolated.
  2. Assessment: Within 4 hours, scope and impact assessed. Personal data affected identified.
  3. Customer notification: Affected Controllers (organisations with signed DPAs) notified by email within 24 hours of confirmation, ahead of the GDPR 72-hour supervisory authority deadline.
  4. Regulatory notification: Where required, we notify the relevant supervisory authority within 72 hours of becoming aware.
  5. Root cause and remediation: Post-incident report published to affected parties within 14 days.

Security incidents can be reported to security@postlister.com. Response within 24 hours on business days.

Employee & Access Controls

Vulnerability Disclosure Policy

Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities in EngageLive. We follow coordinated disclosure principles and will not take legal action against researchers who follow these guidelines.

To report a vulnerability: Email security@postlister.com with a description of the issue, steps to reproduce, and potential impact. Use our PGP key for sensitive reports (key available on request).

We commit to: Acknowledge receipt within 48 hours · Provide a remediation timeline within 10 business days · Credit researchers in our acknowledgments (below) unless they prefer anonymity · Not pursue legal action for good-faith research.

Scope: postlister.com, engagelive (all paths), Firebase security rules. Out of scope: third-party services (Firebase, PayPal, Hostinger infrastructure), social engineering.

Acknowledgments

We thank the following researchers for responsible disclosure (none to date; this section will be updated as the programme matures).

IT Department Checklist

Common enterprise IT questions about EngageLive:

Q: Does the app store participant responses on your servers?
A: No. Responses pass through Firebase in real time and are auto-deleted at session end. They are never stored on EngageLive servers.

Q: Can we use EngageLive without exposing employee emails to the vendor?
A: Yes. Host email is stored only in the host's own browser localStorage. It is sent to EngageLive servers only when purchasing a paid plan (for the purchase record). For free sessions, the email never leaves the browser.

Q: Does EngageLive use cookies for tracking?
A: No. No analytics or advertising cookies. See Cookie Policy.

Q: Is there a signed DPA available?
A: Yes. Available at engagelive/dpa.html. Counter-signed within 2 business days.

Q: Where are servers located?
A: Application: Hostinger Lithuania (EU). Real-time messaging: Firebase Singapore. See DPA for full sub-processor list.

Q: Is the app accessible for users with disabilities?
A: WCAG 2.1 AA target. Accessibility statement at engagelive/accessibility.html.

Q: Can we whitelist the domains needed?
A: Yes. Required: postlister.com, *.firebaseio.com, *.googleapis.com, fonts.gstatic.com. Optional (payments): paypal.com, secure.payu.in. Optional (ads, removable): pagead2.googlesyndication.com.

Q: Is there an SSO / SAML integration?
A: Not currently. Enterprise SSO integration (Azure AD, Okta, Google Workspace) is on the roadmap. Contact support@postlister.com.

Q: What is your uptime SLA?
A: EngageLive depends on Hostinger's uptime (99.9% SLA) and Firebase's uptime (99.95% SLA). Enterprise SLA agreements available on request.

Q: Do you have SOC 2 / ISO 27001?
A: SOC 2 Type I audit in preparation (target Q4 2026). GDPR DPA and this security documentation are available now. Contact security@postlister.com for our security questionnaire response.

For IT department queries, vendor assessment questionnaires, or enterprise deployment support: support@postlister.com