Version 10 April 2019
Keeping things secure is an ongoing concern which warrants continuous monitoring, adjusting and improving, we have written up this document to communicate how we keep things as secure as possible to a broad, non-technical audience. Our clients and their customers security and protection of associated data is paramount.
We operate virtualised infrastructure on behalf of our clients through a range of third party platforms and infrastructure service providers. We do not own or operate our own hardware nor any data centres ourselves.
We operate a mix of shared and dedicated services for web and database hosting, some with their very own and dedicated agreements to cater for individual needs. For shared hosting customers, we utilise automation to help us keep software up to date, monitor intrusion and scan actively for malware and abuse.
Updating software (patching)
Keeping software up to date is amongst the best ways to thwart attackers and exploitations through known loopholes. While fixes to issues may introduce new issues themselves, we prefer to close the known ones as quickly as possible without impacting on providing a reliable and secure service.
Major updates to software are always carefully tested on internal duplicates of running systems first and then applied once they pass our scrutiny successfully.
Firewalls and acces
We employ software firewalls to protect our services, which includes utilising constantly updated blacklists to stop attacks from known sources. Locked down firewalls, which open only for relevant ports combined with intrusion detection mechanisms provide our services with a strong line of defence.
We irregularly run penetration tests using external services to validate our configurations are secure and can withstand attacks in a number of common scenarios.
Malware and Vulnerability scanning
Anti-virus and malware scans of the whole filesystem are complemented with application-specific vulnerability scans, some of which run continuously and automatically stop attacks or alert our system administrators.
Another layer in our approach to secure ourselves is strictly governing access to systems by authorised and known personnel. Currently only Axel Segebrecht (director and co-founder of be braver Ltd) has system administrative access and controls access.
Passwords and encryption
We never store password in unencrypted or publicly accessible ways and utilise the strength of long, complex and unique sequences. Those codes along with encryption keys are carefully stored in secured software and on encrypted hard drives. We never use passwords inside scripts and follow best practice methods to safely authenticate systems and users.
Where possible we ask our customers to use an automated password reset on our services or send them passwords safely via encrypted communication channels, such as Signal, iMessage, WhatsApp or Virtru and Protonmail encrypted email.
All customers have their code executed (e.g. their website) under their own username, separated from other customers. This helps against attacks on one impacting on another and gives us a way to lock down areas under threat.
We utilise services by LastPass.com and AgileBits 1Password in addition to GPG (Gnu Privacy Guard) and other open source encryption tools.
All our web services use a valid, signed SSL certificate primarily from Let’s Encrypt (https://letsencrypt.org/) and depending on our client’s needs Namecheap and DigitCert.
By default visitors to hosted websites enjoy protection via SSL certificates free of charge from Let’s Encrypt.
External protection mechanisms
An additional layer of protection outside our internal systems is provided through Cloudflare, a service most our customer are using and are encouraged to do so. It somewhat limits malicious use of their websites and gives us a means to control access before attackers reach our systems.
We base our solutions on open source software and unless a client specific requirements demand a closed source software be installed, we can inspect code freely.
When customers require source-code of software be encrypted or otherwise protected from view, we undertake a security and vulnerability assessment to help asses risk factors, define and enact appropriate safe guards.
Plugins and customer provided code
Customers are free to install and maintain their own code and we will work with them to provide support from a general web hosting service point of view as well as understanding potential risks that could impact the wider network.
If we find vulnerable code or misconfigured software, we will either take immediate mitigation actions or advise the customer to take action themselves within an appropriate timeframe, if no urgent issue is identified.
We do not maintain or change customer supplied code unless it is part of a service level agreement in specific cases. We do no provide nor suggest to provide any warranties or guarantees. However, we undertake our best effort to understand potential for future risks and put in place appropriate mitigation plans.
We have an acceptable use policy we enforce strictly: https://www.bebraver.uk/acceptable-use-policy/
As a general rule, we do not permit our services to be used for any activity considered illegal or in a ‘grey area’ with respect to UK and EU law.
We do not permit adult or gambling services.
ECommerce and PCI compliance
Customers operating ecommerce websites are recommended to not keep sensitive information about their customers on our systems and we work closely with them to assure they are compliant with regulations in the markets they operate in.
We ourselves do not store billing data directly and utilise compliant services like Invoice Ninja. Stripe and GoCardless as our partners.
We, therefore, are compliant and only use providers who themselves are compliant to the required standards.
eUK, Squarespace & DigitalOcean (servers and infrastructure)
Cloudflare (DNS, security, domains)
Stripe (payments by card) https://stripe.com/docs/security
GoCardless (payments by direct debit) Security – GoCardless
Backups, including databases, are always stored encrypted at rest using secure cyphers, stored in a strictly controlled and secure manner.
We do not store sensitive data of any kind if we can avoid it. Where we cannot, we utilise strong encryption to protect data being accessed by unauthorised users.
We use Google’s G Suite for email, calendar, contact and collaboratively working on documents. The service operated by Google is governed by its own policies:
We also utilise encryption services by:
Agile CRM https://www.agilecrm.com/
Signal Messenger (secure messaging) https://whispersystems.org/
Apple (messaging, disk encryption) Privacy – Approach to Privacy – Apple (UK)
Virtru (messaging) https://www.virtru.com/privacy-policy/