Transport and response headers
The production site is designed for HTTPS with TLS 1.2 or later. Its Cloudflare deployment sets Content-Security-Policy, HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, and a restrained Referrer-Policy. These controls are verified against the live site after each production deployment.
Disclosure and supply chain
The software repository contains a bilingual SECURITY.md, a coordinated-disclosure SLA, a threat model, an adversarial security review, a deployment-hardening checklist, and a CycloneDX SBOM. Public copies still require a MayaUPS security address and release approval before launch.
Accessibility
Bilingual in-app conformance pages document WCAG 2.1 AA and SGQRI 008 alignment. The website mirrors that posture with semantic landmarks, keyboard-operable navigation and forms, visible focus states, contrast-conscious tokens, and reduced-motion handling.
Privacy and data residency
MayaUPS operates locally. Monitoring data stays on the customer network, and the download form is designed to collect only the details needed for verification and site-key delivery. The final notice must identify the legal entity and privacy contact and be reviewed for Quebec Law 25 before production launch.
Operational controls
MayaUPS includes encrypted SNMP credential profiles, SNMPv3 authentication and privacy, viewer/operator/admin roles, daily backups with rotation, restore, disk-space protection, graceful stop, optional file logging, and a watchdog. These controls affect how the tool is operated after installation.
Procurement dossier
The bilingual conformity pages are intended as tender evidence for public-sector review. They should stay precise: no unsupported uptime statistics, no customer logos, no SaaS claim, and no completed legal policy until the missing legal inputs are supplied.