Security & Compliance Statement
This Security & Compliance Statement describes the administrative, technical, and physical safeguards implemented by Seygov, a product of Nassau Technologies LLC ("Seygov," "we," "us," or "our"), to protect the confidentiality, integrity, and availability of data processed through the Seygov platform and related services ("Services"). This statement applies to all Subscribers and authorized users of the Services. Seygov recognizes that the Services may process sensitive government and public data, including personally identifiable information submitted through Subscriber-deployed applications, and we maintain layered security controls designed to mitigate risk and support public sector compliance requirements.
1. Commitment to Security
Seygov is committed to maintaining a secure operating environment appropriate for public sector use. Our security and compliance framework is informed by recognized industry standards and best practices, including:
- New York SHIELD Act (N.Y. Gen. Bus. Law § 899-bb);
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF);
- Center for Internet Security (CIS) Critical Security Controls;
- ISO/IEC 27005 (information security risk management principles);
- OWASP Top 10 (secure application development practices).
While our security program is informed by these standards, Seygov does not represent or warrant that the Services are certified under any specific compliance framework unless expressly stated in a signed written agreement. Subscribers are responsible for ensuring that their use of the Services satisfies their own applicable regulatory and compliance requirements.
2. Hosting & Infrastructure
- All production servers are self-hosted and physically located within the United States.
- No Subscriber Data is intentionally stored outside the United States.
- Hosting facilities are protected by physical access controls, surveillance, and restricted entry measures.
- Network infrastructure is segmented and monitored to limit exposure and detect anomalous activity.
3. Data Protection
In Transit
All data transmitted between users and the Seygov platform is encrypted using HTTPS/TLS (TLS 1.2 or higher). Unencrypted connections are not permitted for access to the Services.
At Rest
- User passwords are stored using industry-standard secure hashing algorithms and are never stored in plaintext.
- Databases containing Subscriber Data are protected with access controls and authentication requirements.
- Database backups are encrypted at rest and stored securely within the United States.
- Files and documents uploaded through the Services are stored in private, access-controlled storage locations not directly accessible via public URL.
Physical
Servers are housed in controlled-access environments with protections against unauthorized access, theft, and tampering. Physical access to server infrastructure is restricted to authorized personnel only.
4. Security Controls
Seygov maintains technical and administrative safeguards designed to protect the platform and Subscriber Data, including but not limited to:
- Firewalls and network segmentation to restrict unauthorized access;
- Role-Based Access Controls (RBAC) enforced through the platform's user group and permissions system;
- Input sanitization and parameterized database queries to prevent SQL injection and other injection-based attacks;
- CSRF token protection on all form submissions;
- Transport Layer Security (TLS) enforced across all platform communications;
- ModSecurity web application firewall rules applied at the server level;
- Fail2Ban and intrusion-prevention systems to detect and block brute-force and automated attack attempts;
- Bot verification (CAPTCHA) on public-facing application submission forms to prevent automated spam submissions;
- API authentication via bearer tokens with scoped permissions, implemented through Laravel Sanctum;
- Private file storage with controller-level access verification for all uploaded documents and sensitive files;
- Continuous patching of operating systems, server software, middleware, and application dependencies.
5. Application Security
The Seygov platform is built with security-conscious development practices throughout. Application-level security measures include:
- Authentication required for all administrative and dashboard functions;
- Public-facing application access controlled by per-application settings configured by the Subscriber;
- All Subscriber data scoped to the Subscriber's master account ID, preventing cross-account data access;
- API endpoints scoped by token permissions and master account identity;
- File upload validation enforcing permitted file types and maximum file size restrictions;
- Uploaded files stored outside of the publicly accessible web root and served only through authenticated controller routes;
- IP address logging on all public-facing form submissions for audit and security purposes;
- LDAP authentication integration supporting organizational identity management without storing LDAP passwords within the platform.
6. Access Controls and User Management
Seygov provides Subscribers with granular user and group management capabilities to enforce appropriate access controls within their organization's instance of the Services, including:
- Configurable user group permissions controlling access to specific menus, features, and administrative functions;
- User status management allowing Subscribers to activate, deactivate, or suspend user accounts;
- LDAP integration enabling Subscribers to manage user authentication through their own organizational directory;
- New LDAP users automatically assigned to a restricted default group pending administrator review and approval;
- API token scoping limiting API access to specific permitted operations.
Subscribers are solely responsible for managing user access within their account, including promptly deactivating accounts for departed employees or unauthorized users.
7. Logging & Monitoring
- Seygov maintains server-level logs of authentication events, administrative actions, application access, and system activity.
- IP addresses are recorded for all form submissions and API requests for security and audit purposes.
- Logs are used solely for platform security, operational monitoring, and accountability purposes.
- Seygov does not use logs for advertising, behavioral profiling, or any commercial purpose.
- Log retention periods are determined by Seygov at its sole discretion based on operational and legal requirements.
8. Vulnerability Management
- Regular review and patching of application dependencies, server software, and infrastructure components;
- Secure development lifecycle incorporating OWASP Top 10 guidance;
- Risk management procedures informed by ISO/IEC 27005 principles;
- Security controls prioritized using the CIS Critical Security Controls framework;
- Continuous monitoring and anomaly detection at the server and application levels;
- Web application firewall rules updated to address emerging threat patterns.
9. Backup & Recovery
- Seygov performs database backups on its own schedule at its sole discretion for internal operational purposes.
- Backups are encrypted and stored securely within the United States.
- SEYGOV MAKES NO GUARANTEE THAT BACKUPS WILL BE AVAILABLE, COMPLETE, CURRENT, OR RESTORABLE ON DEMAND.
- Seygov is under no obligation to provide data backups or restoration to Subscribers on demand or within any specific timeframe.
- Subscribers are solely responsible for independently exporting and archiving their own Subscriber Data on a regular basis.
- Recovery procedures are evaluated periodically to support data availability in the event of system failure.
10. Incident Response & Breach Notification
- All suspected or confirmed security incidents are investigated promptly by Seygov personnel.
- If a security breach involving Subscriber Data is confirmed, affected Subscribers will be notified as soon as reasonably practicable and in accordance with applicable law.
- Breach notifications will be delivered via email to the Subscriber's registered contact address and will include, to the extent known at the time: the nature of the incident, the categories of data potentially affected, and the steps taken or planned to investigate and remediate.
- Seygov's obligation to notify is limited to confirmed breaches of Seygov's own systems and does not extend to breaches of Subscriber-controlled systems, third-party integrations, or infrastructure operated by the Subscriber.
11. Third-Party Integrations and Subscriber-Controlled Systems
Seygov allows Subscribers to connect third-party systems to the Services, including LDAP identity providers, SMTP email servers, and payment processors. SEYGOV IS NOT RESPONSIBLE FOR THE SECURITY, AVAILABILITY, OR DATA HANDLING PRACTICES OF ANY THIRD-PARTY SYSTEM INTEGRATED WITH THE SERVICES AT THE SUBSCRIBER'S DIRECTION. The security of third-party integrations, including the protection of credentials used for those integrations, is solely the responsibility of the Subscriber. Seygov stores integration credentials using reasonable security controls but cannot guarantee protection against all threats.
12. Compliance Scope
Seygov is designed and operated for use within the United States. Our security program is informed by applicable U.S. federal and state cybersecurity and data protection requirements, including:
- New York SHIELD Act (N.Y. Gen. Bus. Law § 899-bb);
- Applicable U.S. federal cybersecurity and data protection laws and regulations.
Subscribers operating under specific regulatory frameworks — including but not limited to HIPAA, CJIS, FedRAMP, or state-specific government data requirements — are solely responsible for evaluating whether the Services meet their applicable compliance obligations. Seygov does not represent or warrant compliance with any specific regulatory framework unless expressly confirmed in writing.
13. Force Majeure
Seygov shall not be liable for any security incident, service disruption, data loss, or failure of security controls resulting from events outside of Seygov's reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, civil unrest, government actions, power outages, internet or telecommunications failures, denial-of-service attacks, zero-day vulnerabilities, or other malicious third-party actions beyond Seygov's reasonable ability to prevent or mitigate.
14. Contact Information
For security-related inquiries, incident reports, or compliance questions, please contact Seygov through the contact methods provided on the Seygov website. Seygov will make reasonable efforts to respond to security inquiries promptly but does not guarantee any specific response time.