Security Policy

Last updated: June 2026

1. Scope

This policy applies to the NovaSec website (novasec.nl) and the systems directly supporting it. This website is a portfolio and point of contact for prospective clients. It is not critical infrastructure and does not store client data, engagement materials, or confidential business information.

NovaSec's internal operational security — including the security of client engagement environments — is governed by separate internal policies aligned with ISO 27001 and is not documented here.

2. Website Security Measures

Transport: All traffic is served exclusively over HTTPS with HSTS enforced. Contact form submissions are encrypted in transit via TLS. No sensitive personal data is stored server-side beyond what is necessary to route enquiries.

HTTP security headers: The following headers are applied at the infrastructure level:

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: script-src 'self' trusted-origins
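The header list above is the kind of thing that quietly drifts when a CDN or reverse proxy is reconfigured, so it is worth checking against a live response rather than trusting the policy text. The following checker is an added example, not NovaSec's own tooling: it takes a header mapping (as returned by any HTTP client) and reports every deviation from the values listed above. The two sample responses are constructed for the example; the CSP check only looks at the script-src directive, because the page's "trusted-origins" is a placeholder for site-specific origins.

```python
"""Check an HTTP response's security headers against the policy above.

Added example (not NovaSec's own code). Works on a plain header mapping,
so it runs offline; the sample responses at the bottom are constructed.
"""
import re

# Headers that must match exactly (case-insensitive), taken from the policy.
EXPECTED_EXACT = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _normalise(headers):
    """Lower-case header names and strip whitespace around values."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_hsts(value, min_age=31536000):
    """HSTS must carry max-age >= one year (the policy's value) and includeSubDomains."""
    problems = []
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        problems.append("Strict-Transport-Security: missing max-age")
    elif int(m.group(1)) < min_age:
        problems.append(f"Strict-Transport-Security: max-age {m.group(1)} below {min_age}")
    if "includesubdomains" not in value.lower():
        problems.append("Strict-Transport-Security: missing includeSubDomains")
    return problems


def check_permissions_policy(value, features=("camera", "microphone", "geolocation")):
    """Each feature from the policy must be fully disabled, i.e. appear as feature=()."""
    disabled = {m.group(1) for m in re.finditer(r"([a-z-]+)=\(\)", value)}
    return [f"Permissions-Policy: {f} not disabled" for f in features if f not in disabled]


def check_csp(value):
    """script-src must exist and must not permit inline scripts or a bare wildcard."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    src = directives.get("script-src")
    if src is None:
        return ["Content-Security-Policy: no script-src directive"]
    problems = []
    if "'unsafe-inline'" in src:
        problems.append("Content-Security-Policy: script-src allows 'unsafe-inline'")
    if "*" in src:
        problems.append("Content-Security-Policy: script-src allows any origin (*)")
    return problems


def check_security_headers(headers):
    """Return a list of policy deviations; an empty list means the response is compliant."""
    h = _normalise(headers)
    problems = []
    for name, expected in EXPECTED_EXACT.items():
        got = h.get(name.lower())
        if got is None:
            problems.append(f"{name}: missing")
        elif got.lower() != expected.lower():
            problems.append(f"{name}: expected {expected!r}, got {got!r}")
    for name, checker in (("Strict-Transport-Security", check_hsts),
                          ("Permissions-Policy", check_permissions_policy),
                          ("Content-Security-Policy", check_csp)):
        got = h.get(name.lower())
        problems += checker(got) if got is not None else [f"{name}: missing"]
    return problems


# Constructed sample responses (not captured from novasec.nl).
COMPLIANT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=(), microphone=(self)",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, check_security_headers(sample) or "OK")
```

To run it against the real site, pass `dict(requests.get("https://novasec.nl").headers)` (or the header mapping from any other client) to `check_security_headers`; a non-empty list is a finding to raise with whoever owns the edge configuration.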

Input handling: All contact form input is validated server-side and HTML-encoded before use. The form includes bot detection. Rate limiting is applied per IP address to prevent abuse.
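As an added example of the three controls this paragraph names (server-side validation, HTML-encoding before use, and per-IP rate limiting), the handler below processes constructed contact-form submissions. It is not NovaSec's form code: the field rules, the honeypot field used for bot detection, and the limit of five submissions per ten minutes are all assumptions chosen for the example.

```python
"""Contact-form input handling: validate server-side, HTML-encode before use,
rate-limit per IP. Added example, not NovaSec's handler; limits and field
rules are assumed, and the honeypot is one assumed bot-detection technique.
"""
import html
import re
from collections import defaultdict, deque

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_MESSAGE_LEN = 2000  # assumed limit


class RateLimiter:
    """Sliding-window limiter: at most `limit` submissions per `window` seconds per IP."""

    def __init__(self, limit=5, window=600):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # ip -> timestamps of recent submissions

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate(form):
    """Return (cleaned, errors). Cleaned values are HTML-encoded, so they are safe
    to reflect into a confirmation page or an HTML e-mail body."""
    errors = []
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    message = form.get("message", "").strip()
    if not 1 <= len(name) <= 100:
        errors.append("name: must be 1-100 characters")
    if not EMAIL_RE.match(email):
        errors.append("email: not a valid address")
    if not 1 <= len(message) <= MAX_MESSAGE_LEN:
        errors.append(f"message: must be 1-{MAX_MESSAGE_LEN} characters")
    if form.get("website"):  # honeypot: hidden field that humans leave empty
        errors.append("bot detected")
    cleaned = {k: html.escape(v, quote=True)
               for k, v in (("name", name), ("email", email), ("message", message))}
    return cleaned, errors


def handle_submission(form, ip, now, limiter):
    """Apply the rate limit first, then validation; return an HTTP-style result."""
    if not limiter.allow(ip, now):
        return {"status": 429, "errors": ["rate limit exceeded"]}
    cleaned, errors = validate(form)
    if errors:
        return {"status": 400, "errors": errors}
    return {"status": 200, "data": cleaned}


if __name__ == "__main__":
    # Constructed submissions from a documentation-range IP address.
    limiter = RateLimiter(limit=2, window=60)
    good = {"name": "A <b>", "email": "a@example.com", "message": "hello"}
    for t in (0, 1, 2):
        print(t, handle_submission(good, "203.0.113.5", t, limiter))
    print(handle_submission({**good, "website": "x"}, "198.51.100.1", 0, limiter))
```

The limiter counts the attempt before validation runs, so malformed or bot submissions consume quota as well; that is deliberate, since abuse typically arrives as a burst of invalid requests.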

Dependencies: Third-party libraries are kept current. The technology stack is minimal by design — fewer dependencies reduce attack surface.

3. Coordinated Vulnerability Disclosure (CVD)

We follow the coordinated vulnerability disclosure guidelines published by the Nationaal Cyber Security Centrum (NCSC-NL) under the Dutch Cybersecurity Act (Cyberbeveiligingswet, implementing NIS2 Directive 2022/2555/EU). If you have identified a vulnerability in our website or supporting systems, we ask that you disclose it responsibly.

How to report

Email your findings to info@novasec.nl or use our security.txt contact details. Include a clear description of the vulnerability, the steps to reproduce it, and any proof-of-concept materials. PGP encryption is available on request.

Our commitments:

  • We will acknowledge receipt within 5 business days.
  • We will provide a status update within 15 business days, including an indicative remediation timeline.
  • We will work toward remediation within 90 days of initial disclosure and agree a coordinated disclosure date with you.
  • We will not pursue legal action against researchers who report in good faith and adhere to these guidelines.

We ask that you:

  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not access, modify, or delete data that is not yours.
  • Do not publicly disclose the vulnerability before the agreed coordinated disclosure date.
  • Do not use automated scanners or denial-of-service techniques against our infrastructure.

For vulnerabilities with potential national security impact or affecting critical infrastructure, reports can be submitted in parallel to the NCSC-NL at ncsc.nl/contact.

4. Consultant Qualifications and Vetting

NovaSec engages only consultants with a verified professional background in information security. Our standard requirements:

Certifications

Consultants hold one or more recognised industry certifications commensurate with their engagement scope, including CISSP, CISM, CISA, ISO 27001 Lead Implementer/Auditor, or equivalent. Certifications are verified prior to engagement and are required to remain current.

Track record verification

Prior to any client engagement, NovaSec verifies the professional track record of each consultant through reference checks with prior employers or clients. Identity verification is performed and documented.

Confidentiality obligations

All consultants operate under strict non-disclosure agreements covering client information, engagement findings, and any access credentials or data encountered during an engagement. These obligations survive termination of the engagement.

5. Regulatory and Standards Alignment

NovaSec's advisory practice is structured around the standards we apply for clients. Our internal security posture and service delivery are informed by:

ISO/IEC 27001:2022 — information security management principles govern how we handle client information, control access, and manage security incidents across our operations.

NIS2 Directive (EU 2022/2555) / Cyberbeveiligingswet — as a cybersecurity service provider operating in the Netherlands, NovaSec falls within the scope of entities subject to NIS2 security obligations, including appropriate technical and organisational measures and incident notification requirements.

DORA (EU 2022/2554) — where NovaSec operates as a third-party ICT service provider to financial entities subject to DORA, we apply the contractual and security requirements applicable to ICT third-party providers under Chapter V of the Regulation.

DNB Good Practice Information Security — engagements in the Dutch financial sector are conducted with reference to the frameworks and supervisory expectations of De Nederlandsche Bank.

6. Security Incident Notification

In the event of a security incident affecting this website that involves personal data, NovaSec will notify affected individuals and, where required, the Autoriteit Persoonsgegevens within the 72-hour deadline set by Article 33 GDPR. Where NovaSec is subject to NIS2 incident reporting obligations, significant incidents will be reported to the relevant competent authority within the timeframes specified under the Cyberbeveiligingswet.

If you believe you have observed a security incident affecting NovaSec's website or systems, contact us immediately at info@novasec.nl.

7. Contact

NovaSec B.V.

Amersfoort, Netherlands

info@novasec.nl

Security disclosures: /.well-known/security.txt

We use Resend to process contact form submissions. No tracking cookies are set.