Security & Trust Centre

Architecture, controls, and disclosure policy for enterprise IT teams · Last reviewed: 29 March 2026


Minimal Data Retention

Real-time session data flows through Firebase for instant delivery. Aggregated results are archived on our encrypted servers per your plan's retention period. No data is ever sold or shared with third parties.


GDPR Compliant

Full DPA available. Data processed within EU (Hostinger Lithuania) and Singapore (Firebase). SCCs in place for transfers.


Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy deployed on all pages.


No Tracking

No Google Analytics, no Facebook Pixel, no session recording, no behavioural profiling. Ads are optional and removable.


TLS Everywhere

All connections enforced over TLS 1.2+. HSTS preload enabled. Firebase uses WSS. Payment pages use provider SSL.


PCI via Gateways

No card data ever touches EngageLive servers. All payments processed by PayPal (PCI DSS Level 1) or PayU (PCI DSS compliant).

Architecture & Data Flow

Understanding where data travels is essential for IT risk assessment. EngageLive is architecturally simple:

Host authenticates ── TLS-encrypted credentials ──► EngageLive Auth Server (EU) ── HttpOnly cookie ──► Host Browser
Host creates activity ── activity config ──► Firebase RT DB (Singapore) ── real-time ──► Participant Browsers
Participant submits response ──► Firebase RT DB ── live ──► Host & Participants
Session ends ──► Firebase session data cleared · Aggregated results archived to encrypted DB ──► Available in host analytics per retention plan
PDF/Excel export ──── generated in Host Browser ──── Never uploaded to any server

What is stored on EngageLive's servers (Hostinger, Lithuania EU):

What is never sold, shared, or used for advertising: poll responses, quiz answers, participant names, Q&A content, word cloud submissions, and all session content. Results are accessible only to the authenticated host who ran the session.

What is stored on our servers: Host account details (email, name, organisation), session metadata (date, participant count, activity types), aggregated response data (counts per option, averages) retained per plan schedule. Individual participant PII entered during sessions is minimised and not retained beyond session end unless exported by the host.

Security Controls

Control | Status | Details
TLS / HTTPS | ✅ Enforced | TLS 1.2+ mandatory, HTTP permanently redirected. HSTS max-age 1 year with preload.
Content Security Policy | ✅ Deployed | Strict CSP restricts script execution to known origins. Inline scripts permitted only for session functionality.
X-Frame-Options | ✅ SAMEORIGIN | Prevents clickjacking via iframe embedding from third-party domains.
HSTS | ✅ 1 year + preload | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer Policy | ✅ strict-origin | Only the origin (not the path) is sent in the Referer header to third parties.
Permissions Policy | ✅ Minimal | Camera, microphone, geolocation, USB and Bluetooth all disabled.
Directory Listing | ✅ Disabled | Options -Indexes in .htaccess. No server directory browsing.
Config File Access | ✅ Blocked | config.php blocked from web access via .htaccess FilesMatch.
SQL Injection | ✅ Mitigated | All database queries use PDO prepared statements with parameterised inputs. Input sanitisation applied at the API layer.
XSS Prevention | ✅ Escaped | All user input is HTML-escaped via htmlspecialchars() server-side and esc() client-side before rendering.
CSRF | ✅ Token-based | Payment endpoints use HMAC-signed server tokens. Admin panel uses session authentication.
Admin Panel | ✅ Auth required | Admin panel requires password authentication. Session cookie is HttpOnly and Secure.
PHP Version | ✅ PHP 7.4+ | Hosted on Hostinger with a current PHP version. display_errors disabled in production.
Payment Card Data | ✅ Never stored | Card data processed directly by PayPal/PayU. EngageLive servers never receive or store card numbers.
Cookie Security | ✅ Secure flags | Admin session cookie: HttpOnly=1, Secure=1, SameSite=Strict. No tracking cookies set.
Penetration Testing | ⚠️ Planned | External penetration test scheduled for Q3 2026. Results will be published in this section.
SOC 2 | ⚠️ In progress | SOC 2 Type I audit in preparation. Expected Q4 2026. GDPR DPA available now (see DPA page).
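The header and cookie rows of the table above are the controls an IT team can verify itself from a `curl -I` response or a browser's network panel. The script below is an added example, not EngageLive's code: it parses a raw response header block and reports each listed control that is missing or weaker than the value the table states (HSTS one year with includeSubDomains and preload, X-Frame-Options, X-Content-Type-Options, a Referrer-Policy that sends at most the origin, the five Permissions-Policy features, and HttpOnly/Secure/SameSite=Strict on every cookie). Both header blocks embedded in it are constructed for illustration and were not captured from postlister.com.

```python
"""Audit response headers against the controls table above (added example, not EngageLive's code)."""
from __future__ import annotations
import re

ONE_YEAR = 31536000  # HSTS max-age the table commits to
REFERRER_OK = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
BLOCKED_FEATURES = ("camera", "microphone", "geolocation", "usb", "bluetooth")

# Constructed sample responses, not captured from postlister.com.
GOOD_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' https://www.gstatic.com
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), usb=(), bluetooth=()
Set-Cookie: admin_session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict
"""
WEAK_HEADERS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: camera=(self), microphone=(), geolocation=(), usb=(), bluetooth=()
Set-Cookie: admin_session=abc123; Path=/; HttpOnly; SameSite=Lax
"""

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Lower-cased header name -> all values (Set-Cookie may repeat)."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if line.strip() and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_findings(value: str | None) -> list[str]:
    if value is None:
        return ["HSTS: header missing"]
    directives = {d.strip().lower() for d in value.split(";")}
    age = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    findings = []
    if age is None or int(age.group(1)) < ONE_YEAR:
        findings.append(f"HSTS: max-age below one year ({ONE_YEAR})")
    findings += [f"HSTS: {d} missing" for d in ("includeSubDomains", "preload") if d.lower() not in directives]
    return findings

def csp_findings(value: str | None) -> list[str]:
    if value is None:
        return ["CSP: header missing"]
    directives = {t[0].lower(): t[1:] for t in (d.split() for d in value.split(";")) if t}
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["CSP: neither script-src nor default-src set"]
    # The table permits inline scripts only on session pages, so nonce-less 'unsafe-inline' is flagged for review.
    if "*" in sources or ("'unsafe-inline'" in sources and not any(s.startswith("'nonce-") for s in sources)):
        return ["CSP: script-src allows a wildcard or unrestricted inline scripts"]
    return []

def cookie_findings(set_cookie: str) -> list[str]:
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    findings = [f"cookie {name}: {flag} missing" for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
    samesite = attrs.get("samesite", "").lower()
    if samesite != "strict":
        findings.append(f"cookie {name}: SameSite is {samesite or 'unset'}, table states Strict")
    return findings

def audit(raw: str) -> list[str]:
    """One finding per listed control that is missing or weaker than the table states."""
    headers = parse_headers(raw)

    def first(name: str) -> str | None:
        return headers[name][0] if name in headers else None

    findings = hsts_findings(first("strict-transport-security"))
    findings += csp_findings(first("content-security-policy"))
    xfo = first("x-frame-options")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: {xfo or 'missing'} (expected DENY or SAMEORIGIN)")
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    referrer = (first("referrer-policy") or "").lower()
    if referrer not in REFERRER_OK:
        findings.append(f"Referrer-Policy: {referrer or 'missing'} can leak the full URL")
    policy = first("permissions-policy")
    if policy is None:
        findings.append("Permissions-Policy: header missing")
    else:  # a feature counts as disabled only when its allowlist is empty: feature=()
        allow = {n.strip(): a.strip() for n, _, a in (d.partition("=") for d in policy.split(","))}
        findings += [f"Permissions-Policy: {f} not disabled" for f in BLOCKED_FEATURES if allow.get(f) != "()"]
    for cookie in headers.get("set-cookie", []):
        findings += cookie_findings(cookie)
    return findings

if __name__ == "__main__":
    print(audit(GOOD_HEADERS) or "all listed controls present")
    print(audit(WEAK_HEADERS))
```

Paste the output of `curl -sI https://<host>/<path>` in place of the constructed block to audit a real page; run it against a session page as well as the landing page, since the table says inline scripts and the admin cookie only appear on some responses. The Permissions-Policy check deliberately treats `camera=(self)` as not disabled, because the table states the feature is off entirely.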

Incident Response

In the event of a confirmed security incident affecting personal data:

  1. Detection and containment: Within 1 hour of discovery, the affected system is isolated.
  2. Assessment: Within 4 hours, scope and impact assessed. Personal data affected identified.
  3. Customer notification: Affected Controllers (organisations with signed DPAs) notified by email within 24 hours of confirmation, before the GDPR 72-hour supervisory authority deadline.
  4. Regulatory notification: Where required, we notify the relevant supervisory authority within 72 hours of becoming aware.
  5. Root cause and remediation: Post-incident report published to affected parties within 14 days.

Security incidents can be reported to security@postlister.com. Response within 24 hours on business days.

Employee & Access Controls

Vulnerability Disclosure Policy

Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities in EngageLive. We follow coordinated disclosure principles and will not take legal action against researchers who follow these guidelines.

To report a vulnerability: Email security@postlister.com with a description of the issue, steps to reproduce, and potential impact. Use our PGP key for sensitive reports (key available on request).

We commit to: Acknowledge receipt within 48 hours · Provide a remediation timeline within 10 business days · Credit researchers in our acknowledgments (below) unless they prefer anonymity · Not pursue legal action for good-faith research.

Scope: postlister.com, engagelive (all paths), Firebase security rules. Out of scope: third-party services (Firebase, PayPal, Hostinger infrastructure), social engineering.

Acknowledgments

We thank the following researchers for responsible disclosure (none to date; this section will be updated as the programme matures).

IT Department Checklist

Common enterprise IT questions about EngageLive:

Question: Does the app store participant responses on your servers?
Answer: Minimally. Individual responses flow through Firebase in real time for instant display. Aggregated session results (counts per option, averages, leaderboard positions) are archived on our encrypted servers to power the host's post-session analytics. Raw individual responses are not retained beyond what is needed for the aggregation. Firebase clears real-time session data at session end.

Question: Can we use EngageLive without exposing employee emails to the vendor?
Answer: Yes. Participants are never required to provide their email address; name and email are optional fields controlled by the host. The host's own email is stored on our servers for authentication purposes. Participant response data (answers, votes) contains no email addresses unless the host explicitly enables email collection for their session.

Question: Does EngageLive use cookies for tracking?
Answer: No. No analytics or advertising cookies. See Cookie Policy.

Question: Is there a signed DPA available?
Answer: Yes. Available at engagelive/dpa.html. Counter-signed within 2 business days.

Question: Where are servers located?
Answer: Application: Hostinger Lithuania (EU). Real-time messaging: Firebase Singapore. See DPA for full sub-processor list.

Question: Is the app accessible for users with disabilities?
Answer: WCAG 2.1 AA target. Accessibility statement at engagelive/accessibility.html.

Question: Can we whitelist the domains needed?
Answer: Yes. Required: postlister.com, *.firebaseio.com, *.googleapis.com, fonts.gstatic.com. Optional (payments): paypal.com, secure.payu.in. Optional (ads, removable): pagead2.googlesyndication.com.

Question: Is there an SSO / SAML integration?
Answer: Not currently. Enterprise SSO integration (Azure AD, Okta, Google Workspace) is on the roadmap. Contact support@postlister.com.

Question: What is your uptime SLA?
Answer: EngageLive depends on Hostinger's uptime (99.9% SLA) and Firebase's uptime (99.95% SLA). Enterprise SLA agreements available on request.

Question: Do you have SOC 2 / ISO 27001?
Answer: SOC 2 Type I audit in preparation (target Q4 2026). GDPR DPA and this security documentation are available now. Contact security@postlister.com for our security questionnaire response.

For IT department queries, vendor assessment questionnaires, or enterprise deployment support: support@postlister.com