Security Policy
How we protect our systems and how to report vulnerabilities.
Security Practices
Nova X Solutions builds enterprise-grade digital infrastructure for institutions and scaling organizations across the globe. Security is not a feature we add; it is a design requirement embedded at the start of every engagement and applied to our public-facing systems with the same standard we hold client infrastructure to.
This page describes the security controls applied to novaxhq.com and our public-facing systems, our responsible disclosure program, and how we handle security incidents.
1. Security Controls
Transport and communication security
- Traffic between your browser and novaxhq.com is encrypted via TLS (HTTPS).
- Security headers may be applied to public-facing responses, including Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Strict-Transport-Security (HSTS), where supported by our hosting environment.
Application security
- Input validation and output encoding are applied to public-facing form submissions to reduce injection risks.
- Rate limiting and abuse prevention controls are active on public submission endpoints.
- Anti-CSRF protections are applied to state-changing requests where applicable.
Access control
- Internal systems follow a least-privilege model; access to operational data is restricted by role.
- Vendor and third-party integrations are granted only the permissions required for their specific function.
- Administrative access to backend systems is protected by authentication controls beyond a password alone where available.
Monitoring and logging
- Security-relevant events are logged and monitored for anomalies.
- Logs are retained for a defined period for incident investigation and protected from unauthorized access.
Third-party and supply chain security
- We evaluate third-party tools and vendors for security posture before integration.
- Where third-party services handle personal or operational data, we apply data-handling requirements consistent with our Privacy Policy.
2. Responsible Disclosure
We welcome good-faith security research on our public-facing systems. If you believe you have found a security vulnerability in novaxhq.com or any system we operate, please report it to us privately before any public disclosure.
Safe harbour
Nova X Solutions will not take legal action against researchers who discover and report vulnerabilities in good faith following this policy, provided that they avoid accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the issue, do not exploit vulnerabilities beyond proof-of-concept, and do not conduct disruptive testing that impacts availability.
Scope
In scope:
- novaxhq.com and subdomains we operate
- Public-facing forms, submission endpoints, and APIs on our Website
Out of scope:
- Third-party systems and services (even if linked from our Website)
- Denial-of-service (DoS/DDoS) attacks or high-volume automated scanning
- Social engineering of Nova X staff or contractors
- Physical security testing
- Issues in third-party libraries where no direct exploitation path exists against our systems
How to report
Send your report to info@novaxhq.com with the subject line [Security Disclosure] — Brief Description. Include the following in your report:
- A clear description of the vulnerability and its potential impact
- The affected URL(s), endpoint(s), or component
- Step-by-step instructions to reproduce the issue
- Supporting material (screenshots, proof-of-concept code, HTTP request/response captures)
Please do not include real user data in your report. For sensitive disclosures, you may request our PGP public key by emailing info@novaxhq.com before submitting.
Response timelines
| Milestone | Target timeline |
|---|---|
| Acknowledgment of receipt | Within 3 business days |
| Initial assessment and severity classification | Within 7 business days |
| Remediation or mitigation of confirmed critical issues | Within 30 days |
| Remediation of non-critical confirmed issues | Within 90 days |
| Status update if timelines cannot be met | Before the deadline passes |
We ask that you allow remediation before public disclosure. If you plan to publish your findings, we are open to coordinating the timeline.
3. Incident Response
When a security incident is identified through internal monitoring, a third-party report, or responsible disclosure, we follow a structured response process:
- Triage — confirm the issue, assess scope, and classify severity.
- Containment — isolate affected systems or data where necessary to prevent further exposure.
- Remediation — apply a fix or mitigation, verified before closing the incident.
- Post-incident review — identify root cause and implement controls to prevent recurrence.
Data breach notification
Where a security incident constitutes a personal data breach that poses a risk to individuals’ rights or interests, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach and notify affected individuals without undue delay where required by the Nigeria Data Protection Act 2023.
4. What We Do Not Guarantee
Security is a continuous process. While we apply industry-standard controls, no system can be guaranteed to be free from vulnerabilities at all times. We do not guarantee that our Website or any system we operate will be uninterrupted, error-free, or immune to unauthorized access.
5. Contact
Nova X Solutions Limited
Email: info@novaxhq.com
Subject: [Security Disclosure] — Brief Description
Website: novaxhq.com
Location: Abuja, FCT, Nigeria