Anti-abuse and security policy
Last updated: [TO BE COMPLETED: publication date].
This policy describes the technical and organizational measures implemented by Promastro to prevent abuse, fraud, and malicious behavior on the website promastro.be. It is published for transparency purposes and documents the legitimate interest (RGPD Art. 6.1.f) that serves as the legal basis under which certain technical data are processed.
1. Why This Policy?
Promastro processes registrations, reviews, messages, and payments every day. To preserve the quality of service and user security, several technical measures are deployed. They may occasionally block a legitimate action; this page explains why and how to unblock the situation.
2. Rate Limits
To prevent spam, automated scraping, and brute force attacks, certain actions are frequency-limited:
| Action | Limit | Criterion |
|---|---|---|
| VAT number verification (VIES) | 5 / hour | Per IP address (anonymized) |
| Messages sent to a Pro | 3 / 24 h | Per recipient Pro and per IP |
| Mollie payment attempts | 3 / 24 h | Per account |
| AI search (natural language) | 20 / hour | Per IP address (anonymized) |
| Login attempts | 5 / 15 min | Per account + IP |
| Password reset requests | 3 / hour | Per account + IP |
| Review submissions | 1 per listing + 5 per day total | Per account |
The IP address is anonymized by HMAC-SHA256 hash with a rotating key, in accordance with the recommendations of the APD (Belgian Data Protection Authority). No IP address is stored in clear text.
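The following is an added illustration (not Promastro's code) of how the limits in the table can be keyed on an HMAC-SHA256 pseudonym of the IP with a key that rotates every hour, so the clear-text address is never stored; it also covers the login lockout of section 5 (5 attempts per 15 minutes per account + IP). The master secret, the sliding-window store and the rotation period are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed secret for the example; in production it lives in a secret store.
MASTER_SECRET = b"example-master-secret-not-real"


def period_key(now: float, rotation_seconds: int = 3600) -> bytes:
    """Derive the HMAC key for the current rotation window from the master secret.
    A rotating key means the same IP yields a different pseudonym in each window,
    so pseudonyms cannot be linked across windows. Keep the rotation period at
    least as long as the longest rate-limit window, or counts reset at rotation."""
    period = int(now // rotation_seconds)
    return hmac.new(MASTER_SECRET, str(period).encode(), hashlib.sha256).digest()


def anonymize_ip(ip: str, now: float) -> str:
    """HMAC-SHA256 pseudonym of the IP for the current window; no raw IP is kept."""
    return hmac.new(period_key(now), ip.encode(), hashlib.sha256).hexdigest()


class RateLimiter:
    """Sliding window: at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.window:  # drop events older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Limits taken from the table above.
VIES_LIMIT = RateLimiter(limit=5, window=3600)      # per anonymized IP
LOGIN_LIMIT = RateLimiter(limit=5, window=15 * 60)  # per account + anonymized IP


def vies_lookup_allowed(ip: str, now: float) -> bool:
    return VIES_LIMIT.allow(anonymize_ip(ip, now), now)


def login_attempt_allowed(account: str, ip: str, now: float) -> bool:
    return LOGIN_LIMIT.allow(account + ":" + anonymize_ip(ip, now), now)
```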
3. VAT Anti-Fraud / Professional Registration
Registration of a Professional on Promastro is subject to several anti-fraud verifications:
- VAT number — automated verification via the official VIES service of the European Commission; expected format BE0XXXXXXXXX or BE1XXXXXXXXX;
- Uniqueness — a single VAT number can only be associated with one active Pro account at a time. Detection is done via a SHA-256 hash of the number (never in clear text);
- Free trial anti-abuse — the free trial period (see trial policy) can only be used once per VAT number and per email address;
- Pre-authorization of 0.01 € via Mollie to validate the credit card and obtain a mandate; this amount is credited back or refunded immediately;
- BCE verification (Crossroads Bank for Enterprises) — consistency between the VAT number, company name, and declared address is verified with the Belgian Banque-Carrefour des Entreprises;
- KYC identity verification (optional, at the Pro’s request to obtain an additional badge) — scanned identity document + selfie, verified by the moderation team, data encrypted with AES-256.
4. Anti-Spam and Anti-Fake Review
- Automated AI moderation (Claude model / Anthropic) applied to each review and each description — detection of spam / insult / off-topic (see moderation charter);
- Mandatory registration with verified email to submit a review;
- Detection of abnormal behavior: submission rate, text similarity with other reviews, chained IP addresses — these signals are used internally for moderation only, never published;
- Invisible captcha — Promastro uses a non-intrusive bot detection method, without third-party cookie deposit;
- Honeypot on registration and contact forms to block the simplest bots.
5. Anti-Identity Theft
- Email verification at registration (confirmation link);
- Strong password policy enforced: minimum 10 characters, uppercase, lowercase, digit, special character;
- Bcrypt hash of passwords — irreversible;
- 2FA (two-factor authentication) mandatory for administrator accounts;
- Email notification when logging in from a new device or browser (on implicit consent — Pro users);
- Automatic blocking after 5 failed login attempts (15 minutes).
6. Protection Against Web Attacks (OWASP)
Promastro applies web security best practices covering the OWASP Top 10:
- Systematic output escaping (anti-XSS);
- Parameterized queries via `$wpdb->prepare()` (anti-SQL injection);
- Nonce validation on all sensitive actions (anti-CSRF);
- `HttpOnly` + `SameSite=Lax` + `Secure` cookies over HTTPS;
- Content Security Policy (CSP) on the Nginx side;
- Strict verification of the Mollie webhook secret (5 steps: signature, ID format, idempotence, amount consistency, user consistency);
- Restricted UNIX permissions on sensitive files (`wp-config.php` at 640);
- Disabled file editing from the admin panel (`DISALLOW_FILE_EDIT`);
- Disabled `xmlrpc.php`;
- Removal of `readme.html` and `license.txt` from the webroot.
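As an added example (not Promastro's code), here is the five-step webhook verification described above written out in order: signature, ID format, idempotence, amount consistency, user consistency, with each check failing closed before any state is changed. The signature scheme (hex HMAC-SHA256 over the raw body), the JSON body shape, the `tr_` payment-id pattern, and the in-memory order and idempotence stores are assumptions for the example; the payment provider's real webhook format may differ.

```python
import hashlib
import hmac
import json
import re

# Constructed values for this example (not Promastro's): shared secret, order store,
# idempotence store and the assumed payment-id shape.
WEBHOOK_SECRET = b"example-webhook-secret"
ORDERS = {"order-42": {"user_id": "pro-17", "amount": "0.01", "currency": "EUR"}}
PROCESSED_PAYMENT_IDS = set()
PAYMENT_ID_RE = re.compile(r"^tr_[A-Za-z0-9]{6,}$")


def sign(raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 of the raw request body with the shared secret."""
    return hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()


def build_event(payment_id, order_id, user_id, value, currency) -> bytes:
    """Build a webhook body of the shape verify_webhook expects (constructed for demos)."""
    return json.dumps({"id": payment_id, "amount": {"value": value, "currency": currency},
                       "metadata": {"order_id": order_id, "user_id": user_id}}).encode()


def verify_webhook(raw_body: bytes, signature_header: str) -> tuple:
    """Apply the five checks in order and stop at the first failure, so a rejected
    call never marks anything as paid. Returns (accepted, reason)."""
    # 1. Signature: constant-time compare on the raw bytes, before any parsing.
    if not hmac.compare_digest(sign(raw_body), signature_header or ""):
        return False, "bad signature"
    event = json.loads(raw_body)
    payment_id = str(event.get("id", ""))
    # 2. ID format: anything that cannot be a payment id is dropped before it reaches the DB.
    if not PAYMENT_ID_RE.match(payment_id):
        return False, "bad payment id format"
    # 3. Idempotence: a replayed or duplicated webhook must not credit the order twice.
    if payment_id in PROCESSED_PAYMENT_IDS:
        return True, "already processed"
    meta = event.get("metadata", {})
    order = ORDERS.get(meta.get("order_id"))
    if order is None:
        return False, "unknown order"
    # 4. Amount consistency: value and currency must equal what the order expects.
    amount = event.get("amount", {})
    if (amount.get("value"), amount.get("currency")) != (order["amount"], order["currency"]):
        return False, "amount mismatch"
    # 5. User consistency: the payment must belong to the user who owns the order.
    if meta.get("user_id") != order["user_id"]:
        return False, "user mismatch"
    PROCESSED_PAYMENT_IDS.add(payment_id)
    return True, "ok"
```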
7. Monitoring and Logs
- Administrator access logging (30 days retention);
- Server error logging (30 days retention);
- Mollie webhook logging (payment audit);
- Claude API call logging (cost audit + moderation) — request content is not retained beyond 7 days.
No log contains IP addresses in clear text or passwords.
8. Behavior in Case of Security Incident
In case of a security incident affecting personal data, Promastro applies the following procedure:
- Immediate containment (revocation of compromised access, secret rotation, isolation of affected accounts);
- Analysis within 24 hours: nature, extent, severity, number of affected individuals;
- APD notification within 72 hours (RGPD Art. 33) if a risk to rights and freedoms is established;
- Notification of affected individuals without undue delay if the risk is high (RGPD Art. 34), with clear description of the nature of the breach, measures taken, and recommendations to protect yourself;
- Entry in internal register of breaches (RGPD Art. 33.5);
- Documented lessons learned and corrective measures.
9. Were You Blocked by Mistake?
If you believe you have been unfairly blocked by one of our anti-abuse systems (rate limit, AI moderation, captcha), you can:
- Wait (most limits reset automatically after a few hours);
- Write to us at contact@promastro.be specifying: the nature of the block, approximate timestamp, your account ID if applicable. A human operator will review your request within 7 business days.
No block is permanent without human intervention; you always have the option to request a review.
10. Report Abuse
If you notice abusive behavior on the Site (fake Pro, organized fake reviews, harassment, illegal content), report it:
- Via the “Report” button present on each listing and each review;
- By email to contact@promastro.be with screenshot and URL.
All reports are processed confidentially. The identity of the reporter is never communicated to the reported person, except by legal obligation.
11. Contact
For any questions regarding Site security or a block: contact@promastro.be.
For any RGPD questions: rgpd@promastro.be.