PropOps Technologies Ltd (“PropOps”, “we”, “us”) is committed to transparent, verifiable software delivery practices. This page describes how PropOps Web is built, packaged, and distributed — giving customers, auditors, and partners confidence in the integrity of every release.Our supply chain practices are aligned with the (Supply-chain Levels for Software Artifacts) framework and follow industry guidance from the NCSC.
PropOps Web follows a strict, multi-gate promotion model. Code is never deployed directly from development to production. Every release must pass through each gate in sequence before it can reach a customer environment.
Every update is tracked via a transparent digital “Paper Trail,” linking every feature and security patch to a unique, auditable commit. No change enters the pipeline without a full version-controlled history.
Automated and ensure the codebase meets strict professional standards, eliminating logic flaws before they reach your server. This includes PHP syntax validation across all application files and verification that upload endpoints are properly hardened against dangerous file types.
PropOps integrates industry-leading Snyk AI to perform real-time code analysis. This ensures that every line of logic is screened for and regulatory non-compliance before it ever touches your data, providing a continuous safety net that legacy systems cannot offer.
Every build is first deployed to an isolated staging environment for manual to ensure flawless UI/UX performance. The staging environment is rebuilt from scratch on every deployment — not incrementally patched — eliminating configuration drift.
No code reaches production without a manual and Senior Sign-off, serving as a final human guard gate for stability. A is opened for review, and the merge must be explicitly approved before any code is promoted.
All development tools, test suites, build manifests, and non-essential files are stripped from the deployable artefact, creating a lean, hardened production asset with a reduced attack surface. The following are removed:
We use to digitally sign every release with , providing a seal of authenticity that guarantees the code is untampered. This cryptographic attestation proves what was built, where it was built, how it was built, and who triggered the build.
The verified code is delivered in a , ensuring the environment you host is identical to the one we secured and tested. Container images are published to a secure, private .
Customers and auditors can independently verify any PropOps Web container image to confirm it was built by our from the expected source code and has not been tampered with.
PropOps Web includes runtime file integrity checks via scheduled cron tasks. These compare the deployed file state against known-good checksums and alert administrators if unexpected modifications are detected.
All deployment credentials and API keys are stored in encrypted secret vaults within the build platform — never committed to source code
Environment files
Configuration files are excluded from the Docker image. On first container start, the entrypoint script generates a secure configuration from a template with auto-generated encryption keys
Encryption keys
Encryption and authentication keys are automatically generated on first boot if not provided, using
File permissions
Sensitive configuration files are restricted to owner read/write only inside the container
User uploads, configuration, and database data are stored on host-mounted volumes outside the container. Container rebuilds and updates do not affect persistent data.
We may update this page as our build and delivery practices evolve. Material changes will be reflected in the “Last updated” date at the top of this page.
