Security Policy
Last updated: March 8, 2026
1. Security Overview
ITAD Tools is committed to protecting the confidentiality, integrity, and availability of our platform and your data. We implement industry-standard security controls across all layers of our infrastructure.
Encryption at Rest
All sensitive data stored in our databases is encrypted using AES-256 encryption. Passwords are never stored in plaintext and are hashed using bcrypt with per-user salts. Backups are encrypted before storage.
Encryption in Transit
All communications between your browser and our servers are encrypted using TLS 1.2 or higher. We enforce HTTPS across the entire platform with HTTP Strict Transport Security (HSTS) headers to prevent downgrade attacks.
Access Controls
We implement role-based access controls (RBAC) to ensure users can only access data and features appropriate to their role. Administrative access requires multi-factor authentication and is limited to authorized personnel. All administrative actions are logged and auditable.
Monitoring
Our infrastructure is continuously monitored for security threats, anomalous activity, and system health. Automated alerting ensures our team is notified of potential security events in real time. Login activity is tracked and users are alerted to new device or location access.
2. Vulnerability Reporting
We take the security of our platform seriously and welcome responsible disclosure of vulnerabilities from security researchers and the community.
If you discover a security vulnerability, please report it to us through one of the following channels:
- Email: admin@itadtools.com
- Security contact details: /.well-known/security.txt
When reporting a vulnerability, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
- Your contact information for follow-up
We will acknowledge receipt of your report within 48 hours and aim to provide an initial assessment within 5 business days. We ask that you refrain from publicly disclosing the vulnerability until we have had a reasonable opportunity to address it.
3. Incident Response Process
ITAD Tools maintains a structured incident response process to ensure security events are handled quickly, consistently, and transparently.
Detection & Analysis
Security incidents may be detected through multiple channels:
- Automated monitoring: Continuous system health checks, intrusion detection, log analysis, and anomaly detection alert our team to potential threats in real time.
- User reports: Users can report suspected security issues via our contact page or by emailing admin@itadtools.com.
- Third-party advisories: We monitor security advisories for all software dependencies and infrastructure components.
Upon detection, incidents are classified by severity (Critical, High, Medium, Low) and assigned to the appropriate response team.
Containment
Once a security incident is confirmed, we take immediate action to limit its impact:
- Isolate affected systems to prevent further compromise
- Disable compromised accounts and revoke affected credentials
- Block malicious IP addresses and attack vectors
- Preserve forensic evidence for investigation
Notification
We are committed to timely and transparent notification in the event of a security incident:
- Regulatory notification: In compliance with GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach.
- User notification: Affected users will be notified via email with details about the incident, what data was affected, and recommended actions they should take.
- Public disclosure: For incidents affecting a significant number of users, we will publish a notice on our platform and update our Transparency Report.
Recovery
Following containment and notification, we focus on restoring normal operations:
- Restore affected systems from verified clean backups
- Implement fixes and patches to address the root cause
- Conduct a post-incident review to identify lessons learned
- Update security controls and procedures based on findings
- Document the incident timeline, response actions, and outcomes
4. Data Breach Notification
In the event of a confirmed data breach involving personal information, we follow a structured notification process:
Who Gets Notified
- Supervisory authorities: The relevant data protection authority (e.g., ICO for UK users) will be notified within 72 hours as required by GDPR.
- Affected users: All users whose personal data was involved in the breach will be notified directly via email.
- Law enforcement: When appropriate or legally required, we will cooperate with law enforcement agencies.
What Information Is Included
Breach notifications will include:
- A description of the nature of the breach
- The categories and approximate number of affected records
- The likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for our data protection team
- Recommended steps for affected users (e.g., password changes, monitoring)
Timeline
- Within 24 hours: Internal escalation and initial assessment
- Within 72 hours: Regulatory authority notification (GDPR requirement)
- Without undue delay: Notification to affected users, prioritized by risk level
5. Security Measures
We employ the following technical and organizational security measures to protect your data:
- bcrypt password hashing: All passwords are hashed using bcrypt with per-user salts, ensuring passwords cannot be recovered even if the database is compromised.
- AES-256 encryption: Sensitive data at rest is encrypted using AES-256, a widely adopted symmetric encryption standard.
- TLS 1.2+ transport encryption: All data in transit is protected by TLS 1.2 or higher, with strong cipher suites and forward secrecy.
- Content Security Policy (CSP) headers: CSP headers restrict the sources of scripts, styles, and other resources to prevent cross-site scripting (XSS) and data injection attacks.
- Rate limiting: API and form endpoints are rate-limited to prevent brute force attacks, credential stuffing, and denial-of-service attempts.
- Two-factor authentication (2FA): Users can enable TOTP-based two-factor authentication for an additional layer of account security, with backup codes for recovery.
- CSRF protection: All forms are protected against cross-site request forgery using token validation.
- Session management: Sessions include idle timeout, version tracking for remote invalidation, and secure cookie attributes (HttpOnly, Secure, SameSite).
- Input validation and sanitization: All user inputs are validated and sanitized to prevent injection attacks.
- Automated security scanning: Regular automated scans detect vulnerabilities, misconfigurations, and outdated dependencies.
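The session-management measure listed above (idle timeout, version tracking for remote invalidation, and HttpOnly, Secure and SameSite cookie attributes) is shown below as an added, self-contained Python example. This is illustration code, not ITAD Tools' own implementation; the store layout, the 30-minute idle limit, the cookie name and the SameSite=Lax choice are assumptions.

```python
# Added illustration of the session-management controls listed above; not
# ITAD Tools' own code. Class names, the 30-minute idle limit, the cookie
# name and SameSite=Lax are assumptions.
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 30 * 60  # assumed idle limit


@dataclass
class Session:
    user_id: str
    version: int       # the user's session version when this session was issued
    last_seen: float   # Unix time of the last authenticated request


@dataclass
class SessionStore:
    """Server-side session table keyed by an opaque session id."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    # Per-user session version; bumping it invalidates every session the user
    # holds, including on devices the server cannot reach ("remote invalidation").
    user_versions: Dict[str, int] = field(default_factory=dict)

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        version = self.user_versions.setdefault(user_id, 1)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = Session(user_id, version, now)
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live session, or None and drop the session."""
        now = time.time() if now is None else now
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]           # idle timeout reached
            return None
        if sess.version != self.user_versions.get(sess.user_id):
            del self.sessions[sid]           # issued before a version bump
            return None
        sess.last_seen = now                 # sliding idle window
        return sess.user_id

    def invalidate_all(self, user_id: str) -> None:
        """Log the user out everywhere (password change, lost device, admin action)."""
        self.user_versions[user_id] = self.user_versions.get(user_id, 1) + 1

    def invalidate(self, sid: str) -> None:
        """Explicit logout of a single session."""
        self.sessions.pop(sid, None)


def session_cookie(sid: str, max_age: int = IDLE_TIMEOUT_SECONDS) -> str:
    """Build the Set-Cookie value carrying the hardened attributes.

    HttpOnly keeps the id away from page scripts, Secure restricts it to TLS,
    SameSite limits cross-site sends (CSRF), and the __Host- prefix makes the
    browser refuse the cookie unless Secure and Path=/ are set with no Domain.
    """
    return (f"__Host-session={sid}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid))
    store.invalidate_all("alice")
    print(store.resolve(sid))  # None: every session issued before the bump is dead
```

The version check runs on every request, so a stolen or forgotten session on another device stops working the moment the user's version is bumped, without the server having to enumerate or reach those sessions; the idle window slides forward only on successful requests, so an abandoned session expires on its own.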
6. Contact
If you have questions about this security policy or our security practices, please contact us:
- Email: admin@itadtools.com
- Contact form: itadtools.com/contact
- Security disclosures: /.well-known/security.txt