Security & Compliance

Your data and your divers' records are protected with bank-level encryption and industry security best practices.

Security is built in, not bolted on

DIVCAAS manages sensitive competency records, certifications, and personal data for commercial diving professionals. We treat the protection of that information as a core responsibility — applying the same security principles trusted by banks and enterprise platforms.

How we protect your data

Encryption in transit

All data sent between you and our servers is encrypted with TLS, the same technology used by online banks, so information is protected as it travels.

Strong password protection

Passwords are never stored as plain text. They are protected with PBKDF2 hashing (100,000 rounds), making them extremely difficult to crack.

Brute-force defense

Accounts automatically lock after repeated failed login attempts, blocking automated password-guessing attacks.

Organization data isolation

Each organization's data is fully separated and private. One client can never access another client's records.

Role-based access control

Candidates, assessors, verifiers, and admins each see only what they are authorized to see. Sensitive actions require the right role.

Verified email domain

Our emails are sent from a verified domain protected by SPF, DKIM, and DMARC — helping prevent spoofing and phishing.

Enterprise-grade hosting

Hosted on Cloudflare's global network with built-in DDoS protection and high availability across worldwide data centers.

Secure session handling

Logins use signed, time-limited security tokens. Access is verified on every request — not trusted blindly.

Our compliance approach

Transparency note: DIVCAAS is engineered to align with SOC 2 and ISO 27001 principles. Formal third-party certification is part of our roadmap and is pursued through independent accredited auditors.

Questions about our security?

We're happy to discuss our security practices with current and prospective clients.

Contact [email protected]