Kitas VIP
Indonesia Visa Concierge
Security & Trust

How Kitas VIP Protects Your Data

Handling a KITAS application means handling some of the most sensitive documents you own: your passport, your photograph, your financial statements, your marriage and birth certificates. We treat that data with the same discipline a good bank or a hospital treats its records. Every claim on this page is tied to something that actually runs in production, not to a sticker we bought from a third party. Here is exactly how it works.

AES-256-GCM encryption at rest

Every piece of personally identifiable information (PII) you give us is encrypted at rest using AES-256-GCM, the same algorithm recommended by NIST and used across the modern cloud infrastructure stack. The encryption key is loaded from an environment variable that is managed separately from the application code and never written to disk in plaintext. If an attacker somehow gained read access to our database, they would see only ciphertext, authentication tags and initialisation vectors, with no way to recover the original content.

Document blobs (passport scans, photographs, supporting paperwork) are stored as encrypted binary records with the same scheme. Each blob has its own randomly generated initialisation vector, so identical files never produce identical ciphertexts. Even your email address, which we need to let you look up the status of your application, is stored only as a one-way HMAC-SHA256 hash rather than plaintext.

TLS 1.3 in transit

Every connection between your browser, the Kitas VIP API and our back-end database runs over TLS 1.3 with modern cipher suites. TLS 1.0 and 1.1 are disabled at the edge. Certificates are issued by public authorities and automatically renewed. You can verify this for yourself using any TLS inspection tool pointed at kitas.vip. There is no HTTP fallback: any request on port 80 is immediately redirected to HTTPS, and HSTS is enforced so that browsers use HTTPS on every subsequent visit.

No third-party trackers

We do not run Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Segment, or any other analytics or advertising tracker on kitas.vip. We do not embed third-party ad networks. We do not sell or share your data with advertisers. We do not run A/B testing platforms that phone home to third parties. The only external calls the applicant flow makes are to Google Fonts (for the Inter typeface) and to jsDelivr (for the MediaPipe image segmentation library used to produce your regulation photograph).

This is enforced by our Content Security Policy, which is set by the server on every HTML response and locks down exactly which origins the page is allowed to connect to. You can inspect the CSP directly in your browser's developer tools.

Rate limited API

Every public endpoint on the Kitas VIP API is rate limited per IP address to prevent abuse, scraping and automated attacks. Limits vary by endpoint purpose: application submission is limited to 5 requests per minute, status lookups to 15 per minute, handoff session creation to 30 per minute, chat to 30 per minute, and admin login to 10 per minute. Exceeding a limit returns a clean 429 response with a retry-after hint. This is a layer of defence against credential stuffing, brute force attempts and data scraping.

Full audit trail

Every meaningful action on the platform is recorded in an append-only audit log: application submissions, admin logins (successful and failed), applicant data views, document views, status changes, staff notes, CSV exports, logout events, chatbot messages and status lookups. Each record includes a timestamp, the actor (anonymous or admin user ID), the IP address where relevant, and a JSON payload of structured details. The audit log is used for incident response and for responding to any data subject access requests you may file.

Password and session security

Admin passwords are never stored in plaintext. We use Node.js scrypt with strong parameters to hash passwords before they are written to the database. Scrypt is memory-hard, which makes offline brute-forcing prohibitively expensive even with GPUs. Sessions are opaque 32-byte random tokens stored only as SHA-256 hashes in the database, so a copy of the database does not contain anything usable as a cookie. Session cookies are marked HttpOnly, SameSite=Strict and Secure in production, so they cannot be read by client-side scripts, are never sent over plain HTTP, and are not attached to cross-site requests, which blocks cross-site request forgery.

Infrastructure

Kitas VIP runs on Vercel Fluid Compute with a managed Turso libSQL database. Both are SOC 2 Type II certified platforms. Our function instances are stateless aside from a short-lived warm cache, so a compromised instance cannot leak long-term data. Our database is backed up continuously and is accessible only from our authorised function identities through private network ACLs.

Content Security Policy headers

Every HTML response from Kitas VIP carries a strict Content Security Policy. The key directives:

default-src 'self'
script-src 'self' 'wasm-unsafe-eval' https://cdn.jsdelivr.net
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
font-src 'self' https://fonts.gstatic.com data:
connect-src 'self' https://cdn.jsdelivr.net
frame-ancestors 'none'

This locks the site against XSS injection, clickjacking and most forms of script tampering.

GDPR and Indonesian PDP Law

Kitas VIP is built with both the EU General Data Protection Regulation (GDPR) and the Indonesian Personal Data Protection Law (UU PDP, Law No. 27/2022) in mind. You can exercise the rights those frameworks grant you, including access, correction, deletion and data portability. For a formal request, email us at privacy@kitas.vip. See our full privacy policy for details.

Responsible disclosure

If you are a security researcher and you find a vulnerability in our platform, we would like to hear about it. Please email security@kitas.vip with a description of the issue and any reproduction steps. We acknowledge reports within two business days and aim to issue fixes as quickly as possible. We do not have a formal bug bounty programme at this time, but we publicly credit researchers who help us improve the platform.

Peace of mind, built in

Every feature on this page runs in production today. There are no future roadmap promises, no third-party certification stickers standing in for real engineering. Start your application with confidence.