{"id":138,"date":"2026-05-21T00:28:59","date_gmt":"2026-05-20T22:28:59","guid":{"rendered":"https:\/\/promastro.be\/anti-abuse-policy\/"},"modified":"2026-05-21T00:28:59","modified_gmt":"2026-05-20T22:28:59","slug":"anti-abuse-policy","status":"publish","type":"page","link":"https:\/\/promastro.be\/en\/anti-abuse-policy\/","title":{"rendered":"Anti-abuse and security policy"},"content":{"rendered":"\n<style>\n  :root { color-scheme: light; }\n  .apb-legal-page { background: #fff; color: #1a1a2e; padding: 24px 32px; font-family: system-ui, -apple-system, Segoe UI, Roboto, sans-serif; line-height: 1.65; max-width: 920px; margin: 0 auto; }\n  .apb-legal-page h2 { color: #0C447C; margin-top: 1.8em; border-bottom: 1px solid #E2E6EA; padding-bottom: 6px; }\n  .apb-legal-page h3 { color: #185FA5; margin-top: 1.4em; }\n  .apb-legal-page a { color: #185FA5; }\n  .apb-legal-page strong { color: #1a1a2e; }\n  .apb-legal-page table { border: 1px solid #E2E6EA; margin: 1em 0; }\n  .apb-legal-page th { background: #F1F5F9; }\n  .apb-legal-page code { background: #F1F5F9; padding: 1px 6px; border-radius: 4px; font-size: 0.92em; }\n<\/style>\n<div class=\"apb-legal-page\">\n\n<p><em>Last updated: <strong>[TO BE COMPLETED: publication date]<\/strong>.<\/em><\/p>\n\n<p>This policy describes the technical and organizational measures implemented by Promastro to prevent abuse, fraud, and malicious behavior on the website <a href=\"https:\/\/promastro.be\/en\/\">promastro.be<\/a>. It is published for transparency purposes and constitutes the legal basis for <strong>legitimate interest<\/strong> (RGPD Art. 6.1.f) under which certain technical data are processed.<\/p>\n\n<h2>1. Why This Policy?<\/h2>\n<p>Promastro processes registrations, reviews, messages, and payments every day. To preserve the quality of service and user security, several technical measures are deployed. 
They may occasionally block a legitimate action; this page explains why and how to unblock the situation.<\/p>\n\n<h2>2. Rate Limits<\/h2>\n<p>To prevent spam, automated scraping, and brute force attacks, certain actions are frequency-limited:<\/p>\n<table style=\"width:100%;border-collapse:collapse\">\n<thead>\n<tr>\n<th style=\"text-align:left;border-bottom:1px solid #ccc;padding:6px\">Action<\/th>\n<th style=\"text-align:left;border-bottom:1px solid #ccc;padding:6px\">Limit<\/th>\n<th style=\"text-align:left;border-bottom:1px solid #ccc;padding:6px\">Criterion<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">VAT number verification (VIES)<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">5 \/ hour<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per IP address (anonymized)<\/td><\/tr>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">Messages sent to a Pro<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">3 \/ 24 h<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per recipient Pro and per IP<\/td><\/tr>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">Mollie payment attempts<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">3 \/ 24 h<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per account<\/td><\/tr>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">AI search (natural language)<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">20 \/ hour<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per IP address (anonymized)<\/td><\/tr>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">Login attempts<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">5 \/ 15 min<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per account + IP<\/td><\/tr>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">Password reset requests<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">3 
\/ hour<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per account + IP<\/td><\/tr>\n<tr><td style=\"padding:6px;border-bottom:1px solid #eee\">Review submissions<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">1 per listing + 5 per day total<\/td><td style=\"padding:6px;border-bottom:1px solid #eee\">Per account<\/td><\/tr>\n<\/tbody>\n<\/table>\n<p>The IP address is <strong>anonymized by HMAC-SHA256 hash<\/strong> with a rotating key, in accordance with the recommendations of the APD (Belgian Data Protection Authority). No IP address is stored in clear text.<\/p>\n\n<h2>3. VAT Anti-Fraud \/ Professional Registration<\/h2>\n<p>Registration of a Professional on Promastro is subject to several anti-fraud verifications:<\/p>\n<ul>\n<li><strong>VAT number<\/strong> \u2014 automated verification via the official VIES service of the European Commission; expected format <code>BE0XXXXXXXXX<\/code> or <code>BE1XXXXXXXXX<\/code>;<\/li>\n<li><strong>Uniqueness<\/strong> \u2014 a single VAT number can only be associated with one active Pro account at a time. 
Detection is done via a SHA-256 hash of the number (never in clear text);<\/li>\n<li><strong>Free trial anti-abuse<\/strong> \u2014 the free trial period (see <a href=\"https:\/\/promastro.be\/supprimer-mon-compte\/\">trial policy<\/a>) can only be used once per VAT number and per email address;<\/li>\n<li><strong>Pre-authorization 0,01 \u20ac<\/strong> via Mollie to validate the credit card and obtain a mandate; this amount is credited or refunded immediately;<\/li>\n<li><strong>BCE verification<\/strong> (Crossroads Bank for Enterprises) \u2014 consistency between the VAT number, company name, and declared address is verified with the Belgian Banque-Carrefour des Entreprises;<\/li>\n<li><strong>KYC identity verification<\/strong> (optional, at the Pro&#8217;s request to obtain an additional badge) \u2014 scanned identity document + selfie, verified by the moderation team, data encrypted with AES-256.<\/li>\n<\/ul>\n\n<h2>4. Anti-Spam and Anti-Fake Review<\/h2>\n<ul>\n<li><strong>Automated AI moderation<\/strong> (Claude model \/ Anthropic) applied to each review and each description \u2014 detection of spam \/ insult \/ off-topic (see <a href=\"https:\/\/promastro.be\/supprimer-mon-compte\/\">moderation charter<\/a>);<\/li>\n<li><strong>Mandatory registration<\/strong> with verified email to submit a review;<\/li>\n<li><strong>Detection of abnormal behavior<\/strong>: submission rate, text similarity with other reviews, chained IP addresses \u2014 these signals are used internally for moderation only, never published;<\/li>\n<li><strong>Invisible captcha<\/strong> \u2014 Promastro uses a non-intrusive bot detection method that sets no third-party cookies;<\/li>\n<li><strong>Honeypot<\/strong> on registration and contact forms to block the simplest bots.<\/li>\n<\/ul>\n\n<h2>5. 
Anti-Identity Theft<\/h2>\n<ul>\n<li><strong>Email verification<\/strong> at registration (confirmation link);<\/li>\n<li><strong>Strong password policy<\/strong> enforced: minimum 10 characters, uppercase, lowercase, digit, special character;<\/li>\n<li><strong>Bcrypt hash<\/strong> of passwords \u2014 irreversible;<\/li>\n<li><strong>2FA<\/strong> (two-factor authentication) mandatory for administrator accounts;<\/li>\n<li><strong>Email notification<\/strong> when logging in from a new device or browser (on implicit consent \u2014 Pro users);<\/li>\n<li><strong>Automatic blocking<\/strong> after 5 failed login attempts (15 minutes).<\/li>\n<\/ul>\n\n<h2>6. Protection Against Web Attacks (OWASP)<\/h2>\n<p>Promastro applies web security best practices covering the OWASP Top 10:<\/p>\n<ul>\n<li>Systematic output escaping (anti-XSS);<\/li>\n<li>Parameterized queries <code>$wpdb-&gt;prepare()<\/code> (anti-SQL injection);<\/li>\n<li>Nonce validation on all sensitive actions (anti-CSRF);<\/li>\n<li><code>HttpOnly<\/code> + <code>SameSite=Lax<\/code> + <code>Secure<\/code> cookies over HTTPS;<\/li>\n<li>Content Security Policy (CSP) on the Nginx side;<\/li>\n<li>Strict verification of the Mollie <em>webhook secret<\/em> (5 steps: signature, ID format, idempotence, amount consistency, user consistency);<\/li>\n<li>Restricted UNIX permissions on sensitive files (<code>wp-config.php<\/code> at 640);<\/li>\n<li>Disabled file editing from admin panel (<code>DISALLOW_FILE_EDIT<\/code>);<\/li>\n<li>Disabled <code>xmlrpc.php<\/code>;<\/li>\n<li>Removal of <code>readme.html<\/code> and <code>license.txt<\/code> from webroot.<\/li>\n<\/ul>\n\n<h2>7. 
Monitoring and Logs<\/h2>\n<ul>\n<li>Administrator access logging (30 days retention);<\/li>\n<li>Server error logging (30 days retention);<\/li>\n<li>Mollie webhook logging (payment audit);<\/li>\n<li>Claude API call logging (cost audit + moderation) \u2014 request content is not kept beyond 7 days.<\/li>\n<\/ul>\n<p>No log contains IP addresses in clear text or passwords.<\/p>\n\n<h2>8. Behavior in Case of Security Incident<\/h2>\n<p>In case of a security incident affecting personal data, Promastro applies the following procedure:<\/p>\n<ol>\n<li><strong>Immediate containment<\/strong> (revocation of compromised access, secret rotation, isolation of affected accounts);<\/li>\n<li><strong>Analysis<\/strong> within 24 hours: nature, extent, severity, number of affected individuals;<\/li>\n<li><strong>APD notification<\/strong> within 72 hours (RGPD Art. 33) if a risk to rights and freedoms is established;<\/li>\n<li><strong>Notification of affected individuals<\/strong> without undue delay if the risk is high (RGPD Art. 34), with a clear description of the nature of the breach, measures taken, and recommendations to protect yourself;<\/li>\n<li><strong>Entry in the internal register<\/strong> of breaches (RGPD Art. 33.5);<\/li>\n<li><strong>Documented lessons learned<\/strong> and corrective measures.<\/li>\n<\/ol>\n\n<h2>9. Were You Blocked by Mistake?<\/h2>\n<p>If you believe you have been unfairly blocked by one of our anti-abuse systems (rate limit, AI moderation, captcha), you can:<\/p>\n<ul>\n<li>Wait (most limits reset automatically after a few hours);<\/li>\n<li>Write to us at <a href=\"mailto:contact@promastro.be\">contact@promastro.be<\/a> specifying: the nature of the block, approximate timestamp, your account ID if applicable. A human operator will review your request within 7 business days.<\/li>\n<\/ul>\n<p>No block is permanent without human intervention; you always have the option to request a review.<\/p>\n\n<h2>10. 
Report Abuse<\/h2>\n<p>If you notice abusive behavior on the Site (fake Pro, organized fake reviews, harassment, illegal content), report it:<\/p>\n<ul>\n<li>Via the <strong>&#8220;Report&#8221;<\/strong> button present on each listing and each review;<\/li>\n<li>By email to <a href=\"mailto:contact@promastro.be\">contact@promastro.be<\/a> with screenshot and URL.<\/li>\n<\/ul>\n<p>All reports are processed confidentially. The identity of the reporter is never communicated to the reported person, except by legal obligation.<\/p>\n\n<h2>11. Contact<\/h2>\n<p>For any questions regarding Site security or a block: <a href=\"mailto:contact@promastro.be\">contact@promastro.be<\/a>.<\/p>\n<p>For any RGPD questions: <a href=\"mailto:rgpd@promastro.be\">rgpd@promastro.be<\/a>.<\/p>\n\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Last updated: [TO BE COMPLETED: publication date]. This policy describes the technical and organizational measures implemented by Promastro to prevent abuse, fraud, and malicious behavior on the website promastro.be. It is published for transparency purposes and constitutes the legal basis for legitimate interest (RGPD Art. 6.1.f) under which certain technical data are processed. 1. 
Why [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-138","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/pages\/138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":0,"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/pages\/138\/revisions"}],"wp:attachment":[{"href":"https:\/\/promastro.be\/en\/wp-json\/wp\/v2\/media?parent=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
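Sections 2 and 5 of the policy above describe two mechanisms together: rate limits keyed on an HMAC-SHA256 pseudonym of the client IP under a rotating key, and a 15-minute block after 5 failed logins per account + IP. The following is an added example written for this page, not Promastro's code. It assumes (hypothetically) fixed windows, a key that is simply replaced on a schedule, and in-memory counters; the limit values are taken from the section 2 table. It shows the lockout, the recovery after the window, and why the pseudonym cannot be linked across key rotations.

```python
"""Keyed IP pseudonymisation and fixed-window rate limiting.

Added illustration for sections 2 and 5 of the policy above; this is not
Promastro's code. Assumptions (hypothetical): limits are fixed windows, the
HMAC key is replaced on a schedule and the old key is discarded, and counters
live in a dict rather than a shared store.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# (max events, window in seconds) for a subset of the section 2 table.
LIMITS = {
    "login": (5, 15 * 60),
    "password_reset": (3, 60 * 60),
    "vies_lookup": (5, 60 * 60),
    "ai_search": (20, 60 * 60),
}


class IpPseudonymiser:
    """HMAC-SHA256 of the client IP under a server-side key that rotates.

    Without a key, anyone holding the stored values could recover IPv4
    addresses by hashing all ~4.3e9 of them; the secret key is what makes the
    pseudonym one-way in practice, and rotating it makes pseudonyms from
    different periods unlinkable.
    """

    def __init__(self, now: int, rotate_every: int = 24 * 3600):
        self.rotate_every = rotate_every
        self.key = secrets.token_bytes(32)
        self.key_set_at = now

    def rotate_if_due(self, now: int) -> bool:
        """Replace the key once `rotate_every` seconds have elapsed."""
        if now - self.key_set_at >= self.rotate_every:
            self.key = secrets.token_bytes(32)
            self.key_set_at = now
            return True
        return False

    def pseudonym(self, ip: str) -> str:
        return hmac.new(self.key, ip.encode(), hashlib.sha256).hexdigest()


class FixedWindowLimiter:
    """Counts allowed events per (action, subject) inside a fixed window."""

    def __init__(self):
        # (action, subject) -> [window_start, count]
        self._buckets = defaultdict(lambda: [0, 0])

    def allow(self, action: str, subject: str, now: int) -> bool:
        max_events, window = LIMITS[action]
        bucket = self._buckets[(action, subject)]
        if now - bucket[0] >= window:      # window expired: start a fresh one
            bucket[0], bucket[1] = now, 0
        if bucket[1] >= max_events:        # quota used up: reject, do not count
            return False
        bucket[1] += 1
        return True


def login_subject(account: str, ip: str, pseud: IpPseudonymiser) -> str:
    """Login attempts are limited per account + IP (section 2 table)."""
    return f"{account}|{pseud.pseudonym(ip)}"


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: repeated failed logins from one IP, then recovery."""
    limiter = FixedWindowLimiter()
    pseud = IpPseudonymiser(now=now)
    ip = "203.0.113.7"  # constructed address from the TEST-NET-3 documentation range
    subject = login_subject("pro-1234", ip, pseud)

    # Attempts 1-5 pass, 6 and 7 are blocked (section 5: 5 failures -> 15 min block).
    decisions = [limiter.allow("login", subject, now + i) for i in range(7)]
    # The same account from another IP is a different subject.
    other_ip = limiter.allow("login", login_subject("pro-1234", "198.51.100.9", pseud), now + 7)
    # After 15 minutes the window has expired and the account is usable again.
    after_window = limiter.allow("login", subject, now + 15 * 60)
    # Same key, same IP -> same pseudonym; after rotation the pseudonym changes,
    # so records from the old and new period cannot be joined.
    before = pseud.pseudonym(ip)
    stable = pseud.pseudonym(ip) == before
    rotated = pseud.rotate_if_due(now + 24 * 3600)
    after = pseud.pseudonym(ip)

    return {
        "decisions": decisions,
        "other_ip_allowed": other_ip,
        "allowed_after_window": after_window,
        "pseudonym_stable": stable,
        "rotated": rotated,
        "pseudonym_changed": before != after,
    }


if __name__ == "__main__":
    print(demo())
```

One consequence of the rotating key is visible in the demo: a limit keyed on the pseudonym silently resets when the key rotates, so the rotation period must be longer than the longest window in the table (here 24 hours against a longest window of 24 hours for messages and payments), or the limiter must be keyed on the pseudonym plus the key identifier.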
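Section 3 of the policy above states the expected VAT format (BE0XXXXXXXXX or BE1XXXXXXXXX), verifies numbers against VIES, and enforces uniqueness by comparing a SHA-256 hash of the number. The following is an added example, not Promastro's code, showing the offline pre-check a practitioner would run before spending a VIES call (section 2 limits those to 5 per hour per IP): the format rule from the policy plus the published mod-97 check digits of Belgian enterprise numbers. The keyed fingerprint is an assumption of this example; the policy says only that a SHA-256 hash is compared. The numbers used are constructed for the example.

```python
"""Offline sanity check of a Belgian VAT number before calling VIES.

Added illustration for section 3 of the policy above; this is not
Promastro's code. The format rule (BE0 or BE1 plus nine digits) comes from
the policy; the mod-97 check digits are the published rule for Belgian
enterprise numbers. The keyed fingerprint for the uniqueness check is an
assumption: the policy says only that a SHA-256 hash of the number is compared.
"""
import hashlib
import hmac
import re

_BE_VAT = re.compile(r"^BE[01]\d{9}$")


def normalise_vat(raw: str) -> str:
    """'be 0123.456.749' -> 'BE0123456749' (drop spaces, dots, dashes; upper-case)."""
    return re.sub(r"[\s.\-]", "", raw).upper()


def precheck_be_vat(raw: str) -> tuple[bool, str]:
    """Syntactic check: format, then check digits.

    The last two digits of the 10-digit enterprise number must equal
    97 - (first eight digits mod 97). This rejects typos and junk locally, so
    the 5-per-hour VIES quota from section 2 is only spent on plausible numbers.
    VIES remains the authoritative check that the number is actually registered.
    """
    vat = normalise_vat(raw)
    if not _BE_VAT.match(vat):
        return False, "format: expected BE0XXXXXXXXX or BE1XXXXXXXXX"
    digits = vat[2:]
    body, check = int(digits[:8]), int(digits[8:])
    if check != 97 - (body % 97):
        return False, "check digits do not match"
    return True, "syntactically valid; confirm with VIES"


def is_valid_be_vat(raw: str) -> bool:
    return precheck_be_vat(raw)[0]


def vat_fingerprint(raw: str, key: bytes) -> str:
    """Keyed pseudonym for the 'one active Pro account per VAT number' check.

    Only about 2 x 10^7 numbers pass the check-digit rule, so an unkeyed hash
    of the number can be reversed by hashing them all; the server-side key is
    what stops the stored fingerprint from being mapped back to the number.
    Normalising first means 'be 0123.456.749' and 'BE0123456749' collide.
    """
    return hmac.new(key, normalise_vat(raw).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed numbers: 01234567 mod 97 = 48, so the check digits are 49.
    for candidate in ("be 0123.456.749", "BE1123456770", "BE0123456748", "BE2123456749"):
        print(candidate, precheck_be_vat(candidate))
```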