Security & Compliance Statement
Effective Date: August 10, 2025
(for Nassau Technologies, LLC – Devsey)
1. Commitment to Security
Nassau Technologies, LLC (“Company,” “we,” “our,” or “us”) is committed to maintaining the confidentiality, integrity, and availability of Customer Data processed through the Devsey platform (“Service”). We recognize that Devsey may process sensitive test artifacts, including screenshots, logs, and network traces, and we implement layered safeguards to mitigate risk.
Our security and compliance framework aligns with recognized standards, including:
- New York SHIELD Act (N.Y. Gen. Bus. Law § 899-bb);
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF);
- Center for Internet Security (CIS) Critical Security Controls;
- ISO/IEC 27005 (information security risk management principles);
- OWASP Top 10 (secure application development practices).
2. Hosting & Infrastructure
- All production servers are self-hosted and physically located within the State of New York, United States.
- No Customer Data or test artifacts are stored outside the United States.
- Hosting facilities are protected by access controls, surveillance, and restricted entry measures.
3. Data Protection
In Transit
All data transmitted between Customer systems and Devsey is encrypted using HTTPS/TLS (TLS 1.2 or higher).
At Rest
- Passwords are stored using industry-standard secure hashing algorithms.
- Databases are protected with access controls.
- Backups are encrypted at rest.
Physical
Servers are housed in controlled-access environments with protections against theft, tampering, and unauthorized access.
4. Security Controls
We maintain technical and administrative safeguards, including but not limited to:
- Firewalls and network segmentation;
- Multi-Factor Authentication (MFA) for administrator accounts;
- Role-Based Access Controls (RBAC);
- Input sanitization and parameterized queries (via PHP Data Objects, PDO) to prevent injection attacks;
- Transport Layer Security (TLS) enforced across all communications;
- Fail2Ban and intrusion-prevention systems;
- Continuous patching of operating systems, middleware, and dependencies.
5. Controlled Execution of Tests
Devsey runs tests in isolated browser environments designed to minimize risk to external systems. Safeguards include:
- Outbound rate-limiting and throttling;
- Concurrency limits to prevent denial-of-service conditions;
- Separation of test environments from production infrastructure;
- Automated sandboxing to isolate each browser session.
6. Artifact Security
- Testing artifacts (e.g., screenshots, HAR files, console logs) are stored in encrypted databases.
- Access to artifacts is restricted to the Customer account that generated them, and to Company personnel with a strict business need (e.g., support or troubleshooting).
- Artifacts are deleted 90 days after creation unless deleted earlier by the Customer.
7. Logging & Monitoring
- Devsey maintains logs of authentication events, administrative actions, and test execution activity.
- Logs are used solely for platform security, usability, and accountability purposes.
- Logs are retained for up to 90 days after account deletion and then permanently deleted.
8. Vulnerability Management
- Regular vulnerability scanning of infrastructure and application layers;
- Secure development lifecycle incorporating OWASP Top 10 guidance;
- Risk management procedures informed by ISO/IEC 27005;
- Security controls prioritized using the CIS Critical Security Controls;
- Continuous monitoring and incident detection mechanisms.
9. Backup & Recovery
- Encrypted database backups are performed on a weekly basis.
- Backups are securely stored within the United States.
- Recovery procedures are tested periodically to ensure data availability in the event of failure.
10. Incident Response & Breach Notification
- All suspected or confirmed security incidents are investigated promptly.
- If a breach involving Customer Data is confirmed, affected Customers will be notified as soon as reasonably practicable and no later than seven (7) days after discovery.
- Notifications will be delivered via email and/or Customer dashboard alerts and will include the nature of the breach, data potentially affected, and steps taken to remediate.
11. Compliance Scope
Devsey is designed for use within the United States. While our security program is informed by international best practices (NIST, CIS, ISO, OWASP), our legal obligations are governed by:
- New York SHIELD Act;
- Applicable U.S. federal cybersecurity and data protection laws.
12. Force Majeure
The Company shall not be liable for delays, failures, or damages resulting from events outside its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, labor disputes, government orders, power outages, Internet failures, or denial-of-service attacks.
13. Contact Information
For security-related inquiries, incident reports, or compliance questions, contact:
Nassau Technologies, LLC
Email: support@devsey.com