Secure development
Our approach
This page applies to custom software development engagements, typically those covered by an SLA or equivalent engagement documentation. Standard website deployments, theme-based builds and off-the-shelf platform configurations follow a separate process appropriate to their scope.
Security is a design constraint, not a checklist applied after delivery. For every engagement involving custom software development, security requirements are considered at the architecture stage and built into the system from the first decision.
How we build
- Security by design on all projects. Authentication, authorisation, access control and data boundaries are defined before a line of code is written. Audit trails are implemented where the nature of the engagement requires it.
- All code changes go through a pull request and are reviewed by a principal before being merged.
- Third-party dependencies are assessed before adoption and monitored for vulnerabilities throughout the engagement. Alerts are reviewed and addressed without undue delay.
- Secrets, credentials and API keys are never stored in source code repositories.
- Development, staging and production environments are segregated.
- AI-assisted development is used under controlled conditions. AI-generated code is reviewed and approved by a principal before being merged or deployed. No client personal data or confidential information is submitted to AI development tools.
Testing and validation
- Security functionality is tested before production deployment on engagements involving application logic, authentication or data processing.
- Staging validation is performed before production releases where a staging environment is available.
- The OWASP Top 10 is used as the baseline reference for application security review.
- Where the engagement requires it, penetration testing is performed and findings are documented, prioritised and remediated. Reports are available to clients via an independent auditor on request.
Patching and vulnerability management
- Security patches are applied without undue delay on Imageplus-managed infrastructure.
- Critical vulnerabilities are assessed and remediated without undue delay.
- Where a vulnerability may affect a client's deployed application, the client is informed in writing.
Our secure development manual
Imageplus maintains a Secure Development Manual covering the full software development lifecycle. It is reviewed annually and available to independent auditors on request as part of an engagement security review.
Engagement-specific arrangements
The controls described on this page represent our standard secure development practice for custom software engagements. Engagements with specific security requirements, such as regulated sectors, sensitive data or high-availability systems, may include additional controls agreed in writing before work starts and documented in the applicable SLA or DPA annex.