Our calculators and counters are designed for speed and simplicity, but never at the cost of your security. This page explains how we protect the information you entrust to us.
At iLoveCounter, we take security seriously. We understand that our users trust us with their data and calculations. This Security Policy outlines the comprehensive measures we implement to protect our infrastructure, your data, and your privacy.
Our security philosophy is simple: We build security in, not bolt it on. Every decision from architecture to deployment considers protection first.
We follow industry best practices and continuously monitor, test, and improve our security posture.
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or TLS 1.3 protocols. We maintain an A+ rating on SSL Labs security assessments.
HTTPS is enforced across the entire website. HTTP requests are automatically redirected to HTTPS.
Connections use strong cipher suites with 256-bit symmetric encryption (AES-256).
Our SSL/TLS certificates are from trusted Certificate Authorities and are renewed automatically before expiration.
HSTS (HTTP Strict Transport Security) is enabled, so a browser that has seen the header refuses to connect over plain HTTP on later visits, which blocks protocol-downgrade (SSL-stripping) attacks.
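The transport controls above (HTTPS redirect, HSTS) can be verified from outside. The following is an added example of such a check, not iLoveCounter's own code; the `Response` class, the `example.test` host and the sample headers are constructed for the example, and the one-year `max-age` threshold is the minimum the HSTS preload list requires.

```python
"""Added example: offline check of HTTPS enforcement and HSTS.
Example code, not iLoveCounter's own; all responses below are constructed."""
import re
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def _host(url):
    return re.sub(r"^https?://", "", url).split("/")[0]


def check_redirect(http_resp):
    """The plain-HTTP response must be a permanent redirect to the same host over HTTPS."""
    findings = []
    if http_resp.status not in (301, 308):
        findings.append(f"HTTP response is {http_resp.status}, expected 301/308 redirect")
    loc = http_resp.header("Location") or ""
    if not loc.startswith("https://"):
        findings.append("Location does not point to https://")
    elif _host(loc) != _host(http_resp.url):
        findings.append("redirect leaves the original host")
    if http_resp.header("Strict-Transport-Security"):
        # Browsers ignore HSTS received over plain HTTP, so it is not a control here.
        findings.append("HSTS sent over HTTP is ignored by browsers")
    return findings


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(https_resp):
    """The HTTPS response must carry an HSTS header with a long enough max-age."""
    raw = https_resp.header("Strict-Transport-Security")
    if raw is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    findings = []
    d = parse_hsts(raw)
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("HSTS max-age missing or not numeric")
    else:
        age = int(d["max-age"])
        if age == 0:
            findings.append("max-age=0 disables HSTS")
        elif age < ONE_YEAR:
            findings.append(f"max-age={age} is under one year; too short for preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    return findings


def assess(http_resp, https_resp):
    """Return the findings for one HTTP/HTTPS response pair; empty lists mean pass."""
    return {"redirect": check_redirect(http_resp), "hsts": check_hsts(https_resp)}


# Constructed sample responses (not captures from any real site).
GOOD_HTTP = Response("http://example.test/calc", 301, {"Location": "https://example.test/calc"})
GOOD_HTTPS = Response("https://example.test/calc", 200,
                      {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
WEAK_HTTP = Response("http://example.test/calc", 302, {"Location": "http://www.example.test/calc"})
WEAK_HTTPS = Response("https://example.test/calc", 200,
                      {"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, assess(*pair))
```

Against a live site the same functions would be fed the real responses; the two pitfalls the weak pair exercises (a temporary redirect to a different host, and a `max-age` of minutes rather than a year or more) are the ones that most often cost a deployment its HSTS protection in practice.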
Server storage volumes are encrypted at rest with AES-256.
Database backups are encrypted before being stored.
Cached and logged data is stored encrypted.
For sensitive operations we add further encryption layers. Calculator inputs themselves are processed in memory and never written to disk.
Our infrastructure is hosted on enterprise-grade cloud providers with ISO 27001 certification, SOC 2 compliance, and GDPR-compliant data processing terms.
Redundant servers across multiple geographic regions.
Automatic failover and disaster recovery systems.
99.9 percent uptime SLA with compensation guarantees.
We use Cloudflare Enterprise for comprehensive protection:
Web Application Firewall (WAF) with managed rules that block attacks in the OWASP Top 10 categories (injection, cross-site scripting and similar).
DDoS mitigation at the network edge, capable of absorbing multi-terabit attacks.
Rate limiting to prevent brute force and abuse.
Bot management to block malicious automated traffic.
All internal network traffic is isolated and segmented.
No direct database access from the public internet.
VPN and bastion hosts required for administrative access.
Intrusion detection systems monitor all traffic, and regular port scans verify that only the intended services are exposed.
Access to systems and data is granted strictly on a least-privilege, need-to-know basis. No employee has default access to production environments.
Strong password policies: Minimum 12 characters, complexity requirements, no common passwords.
Multi-Factor Authentication (MFA): Mandatory for all administrative accounts, code repository access, and cloud provider consoles.
Single Sign-On (SSO): Enterprise-grade SSO with SAML 2.0 for internal tools.
Session management: Automatic timeout after 15 minutes of inactivity.
Only two senior technical staff members have production server access.
All access is logged, audited, and reviewed weekly.
Emergency break-glass procedures exist but trigger immediate alerts.
Former employee access is revoked within 1 hour of termination.
We follow a rigorous Secure Software Development Lifecycle (SSDLC):
Threat modeling during the design phase.
Secure coding standards enforced through peer review.
Static Application Security Testing (SAST) on every code commit.
Dynamic Application Security Testing (DAST) on staging environments.
Software Composition Analysis (SCA) to identify vulnerable third-party libraries.
Container image scanning for all deployments.
Quarterly penetration tests conducted by independent third-party security firms.
Bug bounty program inviting ethical hackers to find and report vulnerabilities.
Weekly dependency scans; known CVEs in our dependencies are patched within 48 hours of detection.
Internal red team exercises twice per year.
All user inputs are validated on both client and server sides.
Parameterized queries prevent SQL injection.
Output encoding prevents XSS (Cross-Site Scripting).
File uploads are strictly limited by type and size, and scanned for malware.
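The three application-layer controls listed above (parameterized queries, output encoding, and type and size limits on uploads) are shown side by side below. This is an added example, not iLoveCounter's code: the in-memory SQLite `counters` table, its rows, the allowed file types and the 1 MiB limit are all constructed for the example, and the malware scan mentioned above is outside its scope.

```python
"""Added example: injection-prone vs. parameterized query, output encoding,
and server-side upload validation. Not iLoveCounter's own code; the table,
rows, allowed types and size limit are constructed for the example."""
import html
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed 'counters' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE counters (name TEXT, owner TEXT, value INTEGER)")
    conn.executemany("INSERT INTO counters VALUES (?, ?, ?)",
                     [("visits", "alice", 10), ("secret", "bob", 99)])
    return conn


def lookup_vulnerable(conn, owner):
    # Deliberately vulnerable: user text is spliced into the SQL statement.
    sql = f"SELECT name, value FROM counters WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    # Hardened: the value is bound as a parameter and can never become SQL.
    return conn.execute("SELECT name, value FROM counters WHERE owner = ?",
                        (owner,)).fetchall()


def render_counter(name, value):
    """Output encoding: HTML-escape user-controlled text; coerce the number."""
    return f'<span class="counter">{html.escape(name)}: {int(value)}</span>'


# Allowed upload types keyed by their magic bytes (assumed policy for the example).
ALLOWED_TYPES = {b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}
MAX_UPLOAD = 1024 * 1024  # 1 MiB, an assumed limit


def validate_upload(data, declared_type):
    """Server-side check that trusts neither the filename nor the declared type."""
    if len(data) > MAX_UPLOAD:
        return False, "too large"
    for magic, mime in ALLOWED_TYPES.items():
        if data.startswith(magic):
            if mime != declared_type:
                return False, f"content is {mime}, declared {declared_type}"
            return True, mime
    return False, "unrecognised file type"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(lookup_vulnerable(conn, payload))  # both rows, including bob's
    print(lookup_safe(conn, payload))        # []
    print(render_counter("<script>alert(1)</script>", 3))
    print(validate_upload(b"\x89PNG\r\n\x1a\n" + b"\0" * 16, "image/png"))
    print(validate_upload(b"MZ" + b"\0" * 16, "image/png"))
```

The payload in `__main__` turns the vulnerable query into `WHERE owner = '' OR '1'='1'`, which returns every row; the parameterized version looks for an owner literally named `' OR '1'='1` and returns nothing. The upload check inspects the file's leading bytes rather than its extension or `Content-Type`, since both are attacker-controlled.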
| System | Backup Frequency | Retention Period | Encryption |
|---|---|---|---|
| Production Database | Every 6 hours | 30 days | AES-256 |
| Server Configurations | Daily | 90 days | AES-256 |
| User Contact Submissions | Real-time | 6 months | AES-256 |
| System Logs | Continuous | 30 days | AES-256 |
Backups are stored in geographically separate locations from primary data centers. Full restoration tests are conducted quarterly.
Our Recovery Time Objective (RTO) is 4 hours and our Recovery Point Objective (RPO) is 6 hours, matching the 6-hour production database backup interval: in a total failure, at most 6 hours of data could be lost.
The disaster recovery plan includes:
Automated infrastructure provisioning via Infrastructure as Code.
Hot standby environments in alternate regions.
Annual full-scale disaster simulation exercises.
24/7/365 security monitoring by our Security Operations Center (SOC).
SIEM (Security Information and Event Management) system aggregating and correlating logs.
Real-time alerting for anomalous behavior, unauthorized access attempts, and system integrity issues.
Uptime monitoring every 1 minute from 12 global locations.
We maintain a documented Incident Response Plan with clearly defined roles and procedures:
Detection and Analysis: Identify and validate the incident.
Containment: Isolate affected systems to prevent spread.
Eradication: Remove the threat from the environment.
Recovery: Restore systems from clean backups.
Post-Incident Review: Conduct root cause analysis and implement preventive measures.
In the event of a data breach affecting user information:
Affected users will be notified within 72 hours of confirmation.
Regulatory authorities will be notified as required by law (GDPR, CCPA, etc.).
A public disclosure will be posted on our website.
Credit monitoring or other remediation will be offered where appropriate.
All third-party service providers undergo rigorous security vetting before engagement:
Review of SOC 2, ISO 27001, or equivalent certifications.
Assessment of their data handling and security practices.
Contractual requirements for data protection and breach notification.
Annual re-certification requirement.
| Vendor | Certification | Last Audit | Data Handling |
|---|---|---|---|
| Google Cloud / AWS | ISO 27001, SOC 2 | Within 12 months | Encrypted at rest and transit |
| Cloudflare | ISO 27001, SOC 2 | Within 12 months | Edge network, DDoS protection |
| Google Analytics | ISO 27001, SOC 2 | Within 12 months | Anonymized analytics |
| Google AdSense | Industry Standard | N/A | Advertising cookies |
While our infrastructure is cloud-based, our physical offices and employee devices are secured:
Biometric access controls for office entry.
24/7 video surveillance of all entry points.
Company-issued, encrypted laptops with full-disk encryption.
Mobile Device Management (MDM) for remote wipe capability.
Clean desk policy enforced.
All employees complete mandatory security awareness training:
Upon hiring: Initial security orientation and policy acknowledgment.
Quarterly: Phishing simulations and refresher courses.
Annual: Comprehensive security certification.
Role-based training: Developers receive additional application security training.
Employees who fail phishing simulations are retrained immediately.
Our security program is designed to meet or exceed the requirements of:
GDPR (General Data Protection Regulation)
CCPA (California Consumer Privacy Act)
PCI DSS (Payment Card Industry Data Security Standard), applicable only if we process payments
ePrivacy Directive (Cookie compliance)
We engage third-party security firms to conduct:
Quarterly penetration tests (as listed above).
Quarterly vulnerability assessments.
Bi-annual compliance audits.
Audit reports are reviewed by senior management with action items tracked to closure.
We welcome reports from security researchers and the public. If you believe you have discovered a vulnerability in iLoveCounter:
Email us immediately at info@ilovecounter.com
Provide detailed steps to reproduce the issue.
Allow us reasonable time to investigate and remediate before public disclosure.
Do not access or modify other users’ data.
We commit to:
Acknowledging receipt within 24 hours.
Providing regular updates on our progress.
Not pursuing legal action against good-faith researchers.
Publicly crediting researchers upon request after remediation.
Email: info@ilovecounter.com
Response Time: Within 24 hours, 7 days a week.
PGP Key: Available upon request for encrypted communication.
| Security Domain | Implementation Status | Last Verified |
|---|---|---|
| Encryption in Transit | TLS 1.2/1.3, A+ Rating | Continuous |
| Encryption at Rest | AES-256 | Continuous |
| DDoS Protection | Cloudflare Enterprise | Continuous |
| WAF | Active, OWASP Top 10 | Continuous |
| Penetration Testing | Quarterly | February 12, 2026 |
| Vulnerability Scanning | Weekly | Continuous |
| Access Control | Least Privilege + MFA | Continuous |
| Backup Verification | Quarterly Tests | February 12, 2026 |
| Incident Response Plan | Documented, Tested | February 12, 2026 |
| Employee Training | Quarterly | Continuous |
Security is not a destination. It is a continuous journey. We:
Monitor emerging threats and attack vectors.
Regularly update our security policies and controls.
Invest in new security technologies and practices.
Learn from every incident and near-miss.
We are committed to earning and maintaining your trust every single day.
This policy was last updated on February 12, 2026.
For security-related inquiries, concerns, or disclosures:
Email (security reports and general inquiries): info@ilovecounter.com
Response Time: Within 24 hours for security reports.