Keeping things secure is an ongoing concern which warrants continuous monitoring, adjustment and improvement. We have written this document to communicate to a broad, non-technical audience how we keep things as secure as possible. The security of our clients and their customers, and the protection of the associated data, is paramount.
We operate virtualised infrastructure on behalf of our clients through a range of third-party platforms and infrastructure service providers. We do not own or operate our own hardware or any data centres ourselves.
We operate a mix of shared and dedicated services for web and database hosting, some with their own dedicated agreements to cater for individual needs. For shared hosting customers, we use automation to help us keep software up to date, monitor for intrusions and actively scan for malware and abuse.
Updating software (patching)
Keeping software up to date is amongst the best ways to thwart attackers who exploit known vulnerabilities. While fixes may introduce new issues of their own, we prefer to close the known ones as quickly as possible without compromising the reliability and security of the service.
Major software updates are always tested carefully on internal duplicates of the running systems first, and applied only once they have passed our scrutiny.
Firewalls and access
We employ software firewalls to protect our services, including constantly updated blacklists to stop attacks from known sources. Locked-down firewalls, which open only the relevant ports, combined with intrusion detection mechanisms, provide our services with a strong line of defence.
At irregular intervals we run penetration tests using external services to validate that our configurations are secure and can withstand attacks in a number of common scenarios.
Malware and vulnerability scanning
Anti-virus and malware scans of the whole filesystem are complemented by application-specific vulnerability scans, some of which run continuously and automatically stop attacks or alert our system administrators.
Another layer in our approach to securing ourselves is strictly limiting access to systems to authorised and known personnel. Currently, only Axel Segebrecht (director and co-founder of be braver Ltd) has system administration and access-control rights, unless specified otherwise in customer-specific agreements such as Service Level Agreements (SLAs). Access to systems and security keys is monitored by, and revocable by, Axel Segebrecht.
Passwords and encryption
We never store passwords in unencrypted or publicly accessible ways, and we use long, complex and unique passwords. Passwords and encryption keys are carefully stored in secured password-management software and on encrypted hard drives. We never embed passwords inside scripts and follow best-practice methods to authenticate systems and users safely.
Where possible, we ask our customers to use the automated password reset on our services, or we send them passwords safely via encrypted communication channels such as Signal, iMessage or Virtru encrypted email.
Each customer's code (e.g. their website) is executed under its own username, separated from other customers. This helps prevent an attack on one customer from impacting another, and gives us a way to lock down areas under threat.
We use services by LastPass.com and AgileBits 1Password, in addition to GPG (GNU Privacy Guard) and other open-source encryption tools.
All our web services use a valid, signed SSL certificate, primarily from Let’s Encrypt (https://letsencrypt.org/) and, depending on our client’s needs, from Namecheap or DigiCert.
By default, visitors to hosted websites are protected by SSL certificates from Let’s Encrypt, free of charge.
External protection mechanisms
An additional layer of protection outside our internal systems is provided by Cloudflare, a service most of our customers use and all are encouraged to use. It somewhat limits malicious use of their websites and gives us the means to control access before attackers reach our systems.
We base our solutions on open-source software, so unless client-specific requirements demand that closed-source software be installed, we can inspect the code freely.
When customers require the source code of the software to be encrypted or otherwise protected from view, we undertake a security and vulnerability assessment to help assess risk factors and define and enact appropriate safeguards.
Plugins and customer-provided code
Customers are free to install and maintain their own code. We will work with them to provide support from a general web hosting point of view, and to understand potential risks that could impact the wider network.
If we find vulnerable code or misconfigured software, we will either take immediate mitigation action or, if no urgent issue is identified, advise the customer to take action themselves within an appropriate timeframe.
We do not maintain or change customer-supplied code unless this is part of a service-level agreement in specific cases. We do not provide, nor suggest providing, any warranties or guarantees. However, we make our best effort to understand potential future risks and put appropriate mitigation plans in place.
We have an acceptable use policy which we enforce strictly.
As a general rule, we do not permit our services to be used for any activity considered illegal or in a ‘grey area’ with respect to UK and EU law.
We do not permit adult or gambling services.
E-commerce and PCI compliance
Customers operating e-commerce websites are advised not to keep sensitive information about their customers on our systems, and we work closely with them to ensure they are compliant with the regulations in the markets they operate in.
We ourselves do not store billing data directly; we use compliant services such as WHMCS, and Stripe is our payment partner.
We are therefore compliant, and only use providers who are themselves compliant with the required standards:
- Scaleway, Amazon AWS, DigitalOcean (servers and infrastructure)
- WHMCS (billing and customer information management)
- Stripe (payments by card)
Backups, including databases, are always encrypted at rest using secure ciphers and stored in a strictly controlled and secure manner.
We do not store sensitive data of any kind if we can avoid it. Where we cannot, we use strong encryption to protect the data from being accessed by unauthorised users.
We use Microsoft’s Office 365 for email, calendar, contacts and collaborative work on documents. The service operated by Microsoft is governed by its own policies:
We also use encryption services by:
- Signal Messenger (secure messaging) https://whispersystems.org/
Please consider subscribing to receive updates when this policy changes (non-marketing mailing list).
- Version 2023A – Updated 27 January 2023
- Version 2020A – First released 7 December 2018 and updated on 13 August 2020 in its current format only