Notice: RBIS UK Ltd (England & Wales) provides independent intelligence analysis and reporting. We are not a law firm and do not provide legal advice. Contact: contact@rbisintelligence.com

Trust — Security • Privacy • Accessibility

Evidence-first systems demand strong defaults. RBIS applies strict headers, lawful processing, and WCAG 2.2 AA accessibility. Below are copy-and-paste configurations for Cloudflare (or your reverse proxy) so you can mirror our posture immediately.

All rights reserved © RBIS UK Ltd • Terms include IP protections • Watermarking / code obfuscation where appropriate

Scope

  • Brochure site (static) + forms (Formspree)
  • Operational apps (Veridex, PACT, OmniAssist) use separate secure stacks and signed URLs. No sensitive uploads via this site.
  • Voice is OFF by default for any demos; explicit consent before recording or outbound speech.

Security posture

  • Transport: TLS 1.2/1.3 only; modern ciphers; HSTS preload.
  • Headers: CSP, HSTS, Referrer-Policy, Permissions-Policy, X-Content-Type-Options, X-Frame-Options, X-DNS-Prefetch-Control.
  • Hosting: static CDN; immutable assets with cache-busting; origin locked.
  • Ops: MFA for admins; key rotation; audit logs; least privilege; dependency pinning; SRI for third-party where unavoidable.

Apps with uploads use signed URLs, AV scanning, and object-level access logs; not this brochure site.

Incident & vulnerability disclosure

  • Coordinated disclosure welcome at security@rbisintelligence.com.
  • Destructive testing on production is out of scope; prove the concept with headers and non-destructive PoCs.
  • Acknowledgement for verified issues; emergency channels for critical findings.

Privacy & lawful basis

  • Minimal data collection on brochure site; consent banner with granular categories (see Cookies).
  • Form submissions (Formspree) processed to fulfil requests (contract/legitimate interest).
  • Analytics configured for consent-mode; cookieless defaults until opt-in.
  • Data Subject Rights supported through our DSR channel; identity checks before action.

Read the full Privacy Policy and Terms.

DPIA & DPA

  • DPIA templates available for regulated deployments.
  • Data Processing Addendum (DPA) available on request; UK/EU region pinning available for supported products.
  • Subprocessors list provided per product stack; change notifications with reasonable notice.

Accessibility (WCAG 2.2 AA)

  • Color contrast ≥ 4.5:1; focus states; keyboard-only navigation; logical headings.
  • Reduced motion media query respected; captions/transcripts for media; BSL options in OmniAssist.
  • Screen reader labels on controls; ARIA only where semantic roles aren’t enough.

If you encounter barriers, email accessibility@rbisintelligence.com with page URL and description.

IP & Licensing

  • © RBIS UK Ltd. All rights reserved.
  • Terms of use include IP protections.
  • Watermarking for documents; code obfuscation where appropriate.
  • Open-source components, when used, retain their original licenses and attributions.

Copy-and-paste header snippets (Cloudflare / reverse proxy)

Adjust domains/paths as needed. The CSP below allows this site, images, Formspree, and Cloudflare Turnstile. Remove anything you don’t use.

1) HSTS (enable only after HTTPS is everywhere)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

2) Content Security Policy (CSP)

Content-Security-Policy:
  default-src 'self';
  base-uri 'self';
  object-src 'none';
  frame-ancestors 'none';
  upgrade-insecure-requests;
  img-src 'self' data: https:;
  style-src 'self' 'unsafe-inline';
  font-src 'self' data:;
  script-src 'self' https://challenges.cloudflare.com 'unsafe-inline';
  connect-src 'self' https://formspree.io;
  frame-src https://challenges.cloudflare.com;
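
As an added example (not RBIS's own code; the function names are illustrative), the Python below parses the policy above and reports what a reviewer would question before copying it: 'unsafe-inline' without a nonce or hash, scheme-wide sources, and directives such as form-action that default-src does not cover.

```python
# Added example: lint the CSP shown above. Function names are illustrative.
PAGE_CSP = (
    "default-src 'self'; base-uri 'self'; object-src 'none'; "
    "frame-ancestors 'none'; upgrade-insecure-requests; "
    "img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; "
    "font-src 'self' data:; "
    "script-src 'self' https://challenges.cloudflare.com 'unsafe-inline'; "
    "connect-src 'self' https://formspree.io; "
    "frame-src https://challenges.cloudflare.com;"
)
# Directives that never inherit from default-src (CSP Level 3).
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
# A nonce or hash makes browsers ignore 'unsafe-inline' in the same directive.
STRICT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Return {directive: [sources]}; a repeated directive is ignored."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def lint_csp(policy):
    """Return sorted (directive, finding) pairs for weak or absent directives."""
    csp = parse_csp(policy)
    findings = []
    for name in ("script-src", "style-src"):
        sources = csp.get(name, csp.get("default-src", []))
        strict = any(s.startswith(STRICT_PREFIXES) for s in sources)
        if "'unsafe-inline'" in sources and not strict:
            findings.append((name, "'unsafe-inline' allows inline code"))
    for name, sources in csp.items():
        for src in sources:
            if src in ("*", "http:", "https:"):
                findings.append((name, f"{src} matches any host"))
    for name in NO_FALLBACK:
        if name not in csp:
            findings.append((name, "unset, and default-src does not cover it"))
    return sorted(findings)


if __name__ == "__main__":
    for directive, finding in lint_csp(PAGE_CSP):
        print(f"{directive}: {finding}")
```

Run against the page's policy, it reports form-action, img-src, script-src and style-src; whether each finding matters depends on how the site loads inline code and where its forms post.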

3) Referrer & Permissions

Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()

4) Misc hardening

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-DNS-Prefetch-Control: off

5) Cloudflare Transform Rules (example)

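Cloudflare → Rules → Transform Rules → HTTP Response Header Modification → Add. Each line below is shorthand for one header name and value to set in the rule, not literal Cloudflare rule syntax: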

# Add HSTS
add_response_header("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
# Add CSP (as a single line)
add_response_header("Content-Security-Policy", "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' https://challenges.cloudflare.com 'unsafe-inline'; connect-src 'self' https://formspree.io; frame-src https://challenges.cloudflare.com;")
# Add Referrer-Policy
add_response_header("Referrer-Policy", "strict-origin-when-cross-origin")
# Add Permissions-Policy
add_response_header("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=()")
# Add X-Content-Type-Options
add_response_header("X-Content-Type-Options", "nosniff")
# Add X-Frame-Options
add_response_header("X-Frame-Options", "DENY")
# Add X-DNS-Prefetch-Control
add_response_header("X-DNS-Prefetch-Control", "off")

6) NGINX (alternative)

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' https://challenges.cloudflare.com 'unsafe-inline'; connect-src 'self' https://formspree.io; frame-src https://challenges.cloudflare.com;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-DNS-Prefetch-Control "off" always;

7) Apache (alternative)

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' https://challenges.cloudflare.com 'unsafe-inline'; connect-src 'self' https://formspree.io; frame-src https://challenges.cloudflare.com;"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  Header always set X-DNS-Prefetch-Control "off"
</IfModule>
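
To confirm that a proxy actually emits the headers from sections 1 to 7, the added Python example below (not RBIS's own tooling; names and the sample response are constructed) audits raw response headers, such as the output of `curl -sI`, against the values on this page. HSTS is parsed directive by directive, the four fixed-value headers are compared exactly, and CSP and Permissions-Policy are checked for presence only.

```python
# Added example: audit raw response headers against the values on this page.
EXPECTED = {  # exact-match headers from sections 3 and 4
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-dns-prefetch-control": "off",
}
REQUIRED = ("strict-transport-security", "content-security-policy",
            "permissions-policy", *EXPECTED)
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=86400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
"""  # constructed response, not captured from any real site

def parse_headers(raw):
    """Map lower-cased header names to every value sent (duplicates kept)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_hsts(value):
    """Compare an HSTS value with section 1: one year, subdomains, preload."""
    parts = [p.strip().lower() for p in value.split(";")]
    age = next((p[8:].strip('"') for p in parts if p.startswith("max-age=")), "")
    ok = age.isdigit() and int(age) >= 31536000
    problems = [] if ok else ["max-age missing or below 31536000"]
    wanted = ("includesubdomains", "preload")
    return problems + [f"missing {w}" for w in wanted if w not in parts]

def audit(raw):
    """Return findings in REQUIRED order; an empty list means the set matches."""
    headers, findings = parse_headers(raw), []
    for name in REQUIRED:
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
            continue
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times")
        if name == "strict-transport-security":
            findings += [f"{name}: {p}" for p in check_hsts(values[0])]
        elif name in EXPECTED and values[0].lower() != EXPECTED[name].lower():
            findings.append(f"{name}: {values[0]} (expected {EXPECTED[name]})")
    return findings
```

In nginx, add_header directives are inherited from the enclosing level only when the current level defines none, so run the check against each location that sets its own headers.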

Our commitments

  • Respond to trust queries promptly and transparently.
  • No dark patterns around consent or data rights.
  • Keep this page current with configuration examples.

Need help mirroring this setup?

We can review your headers, consent configuration, and accessibility posture, then ship a one-page remediation plan.
