Built to protect people, sites and operational data.
TAPTAGS is designed for security operations where trust matters. This page explains the practical measures TAPTAGS uses to protect logins, personal data, incident records, patrol evidence, audit activity and operational reports. No online platform can claim to be completely risk-free, but TAPTAGS is built with layered controls to reduce risk and support responsible data handling.
🔐 Security First
A clear security page helps customers understand how TAPTAGS handles access control, personal data, operational records and platform resilience.
| Security statement | TAPTAGS uses layered security controls including secure login, role-based access, site permissions, CSRF protection, safer uploads, audit-style logging and backup-aware operation. Security is reviewed continuously as new features are added. |
| Customer responsibility | Customers should use strong passwords, keep login details private, remove inactive staff promptly, and only give admin permissions to trusted users. |
Security measures TAPTAGS is designed around
These points explain the controls used across the TAPTAGS platform in clear, customer-friendly language. They help buyers understand how TAPTAGS protects operational access, personal data and security records.
HTTPS protected access
TAPTAGS is intended to be accessed through secure HTTPS so login details and operational data are protected in transit.
Role-based permissions
Officers, supervisors, managers, admins and super admins have different access levels based on their operational duties.
Site-based access control
Users only see the sites and records they are authorised to view, helping prevent cross-site data exposure.
Audit trail
Important actions are recorded where supported, including logins, changes, reports, panic actions, incidents, licences and roster activity.
Protected forms
Operational forms use server-side validation, prepared database statements and anti-CSRF protection for important actions.
Backup and recovery
Regular backups help protect against accidental deletion, hosting issues and recovery after a security incident.
Customer security overview
This table gives customers a simple overview of the main controls and the benefit of each one.
| Security area | What it means | Why it matters |
|---|---|---|
| Secure access | Operational users log in through the TAPTAGS app area using secure sessions and HTTPS access. | Helps protect credentials and keeps the public website separate from day-to-day operations. |
| Password protection | Passwords are stored as secure hashes rather than readable text. | If the database is ever exposed, real passwords are not visible. |
| Permissions | Officer, supervisor, manager, admin and super admin access is enforced on protected operational pages. | Prevents users manually opening pages or actions outside their role. |
| Database protection | Prepared SQL statements are used for user input and search forms across key operational areas. | Reduces the risk of SQL injection attacks. |
| Form protection | Important actions use CSRF tokens and server-side validation. | Stops unauthorised actions being submitted from another website while a user is logged in. |
| Audit logging | Key operational and management actions are recorded with user, date, time and context. | Creates accountability and supports investigation if something changes unexpectedly. |
| File upload safety | Uploaded images, documents and attachments are type-checked, size-limited and safely handled where upload features are available. | Prevents dangerous files being uploaded into the platform. |
| Backups | Database and file backups are part of the operational process and should be tested regularly as the platform grows. | Supports recovery after mistakes, hosting issues or cyber incidents. |
Data protection approach
TAPTAGS may process staff names, contact details, roles, site assignments, attendance records, patrol logs, incident details, licence dates, training records and audit activity. The platform is designed to collect only what is needed for security operations and restrict who can view or change it.
Data minimisation
Only collect information needed for patrols, attendance, reporting, compliance and site management.
Need-to-know access
Personal and operational records are restricted so users only access information needed for their role or site.
Policies and transparency
Public privacy, cookie, terms and security pages help customers understand how TAPTAGS handles information responsibly.
Recommended internal security checklist
Use this checklist internally for ongoing security reviews before and during customer onboarding.
| Checklist item | Status to confirm in code/server |
|---|---|
| 1. HTTPS forced | HTTP redirects to HTTPS and cookies are marked secure. |
| 2. Password hashing | All passwords use password_hash() and login uses password_verify(). |
| 3. Role checks | Every admin, manager and officer page checks permission server-side. |
| 4. Prepared SQL | No SQL is built by directly joining raw user input into the query string. |
| 5. CSRF tokens | Important create, edit, delete, approve, resolve and export actions include tokens. |
| 6. Secure sessions | Session cookies use httponly, secure and SameSite settings; session ID is regenerated after login. |
| 7. Login protection | Failed logins are logged and rate-limited or delayed after repeated attempts. |
| 8. Audit log | Important user and management actions are recorded. |
| 9. Backups | Database and file backups are automated and restore-tested. |
| 10. Upload protection | Uploads are type-checked, size-limited, renamed and prevented from executing as code. |
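Checklist items 2 to 6 in one login path, as an added PHP example that is not TAPTAGS code. The `users` table and its columns, the session keys, the role strings and all helper names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Item 6: cookie flags have to be set before session_start().
function start_secure_session(): void {
    session_set_cookie_params(['lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    session_start();
}

// Item 5: one random token per session, compared in constant time.
function csrf_token(): string {
    return $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
}
function csrf_valid(?string $sent): bool {
    return $sent !== null && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $sent);
}

// Items 2, 4 and 6: prepared lookup, password_verify(), fresh session ID.
function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT id, role, pw_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$user || !password_verify($password, $user['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true); // drop the pre-login ID (session fixation)
    $_SESSION['uid'] = (int) $user['id'];
    $_SESSION['role'] = $user['role'];
    return true;
}

// Item 3: server-side role check for a protected page or action.
function has_role(array $allowed): bool {
    return in_array($_SESSION['role'] ?? null, $allowed, true);
}

// Constructed demo data: in-memory SQLite with one hypothetical user.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT, pw_hash TEXT)');
$db->prepare('INSERT INTO users (email, role, pw_hash) VALUES (?, ?, ?)')
   ->execute(['officer@example.test', 'officer', password_hash('correct horse', PASSWORD_DEFAULT)]);

start_secure_session();
$token = csrf_token();
$ok  = csrf_valid($token) && login($db, 'officer@example.test', 'correct horse');
$bad = login($db, "x' OR '1'='1", 'anything'); // bound as data, matches no row
var_dump($ok, $bad, has_role(['admin', 'super_admin']));
```

In a reviewed code base, each protected page would call the role check before doing any work, and each state-changing form handler would reject the request when `csrf_valid()` fails.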
Security builds customer trust.
TAPTAGS takes access control, operational records and personal data seriously, with security reviews continuing as the platform grows.