Security
Organisational
ISO 27001 certified
An independent auditor reviews our security every year. Not because we love audits - it's not our favourite day of the year either - but because "trust us" isn't good enough. The certification covers the whole organisation, including risk assessments, access control, incident response and supplier management.
At the same time, it pays to be aware of what ISO is - and especially what it isn't (article in Dutch).
Download ISO 27001 certificate → Download Statement of Applicability →
ISO-certified data centres
Biometric access, diesel generators, fire suppression systems - your data lives in heavily secured buildings that would make Fort Knox take notes. Every facility is at least ISO-certified.
View our data centres →
European & GDPR-compliant
Your data sits in Europe, is managed by a European team and stays on European soil, on our own hardware. No American parent company quietly shuffling your data to "processing partners" in far-off lands.
Read what we think about Europe →
Screening
Everyone at Cyberfusion has been thoroughly screened and holds a government-issued Certificate of Conduct (VOG).
Security awareness
Every team member follows ongoing security-awareness training on phishing, social engineering, privacy and related topics. The point is to keep security continuously top of mind, so it is weighed in every daily decision. After all, most security incidents in history didn't start with a serious hack, but with someone kindly holding the door open for a stranger.
Identity verification via the platform
Want to request confidential information, or have a change pushed through? That always goes via the secured platform. If we do get such a request by email or phone, we redirect you: after all, anyone can pretend to be Bill Gates.
Technical
Multiple data centres
Our services run from geographically separated locations. If a whole data centre goes offline, we have the technical ability to move your services in exceptional cases. Backups also live elsewhere.
View our data centres →
Periodic maintenance
We continuously improve and update our infrastructure. We perform maintenance at least once a month.
Continuous security patching
We continuously monitor new security vulnerabilities. If a security update cannot wait, we apply it immediately to keep your data safe. You'll always hear about it from us.
Read about how we handled a recent vulnerability →
Modern internet standards
IPv6, DNSSEC, RPKI and a stack of other modern internet standards - the kind that make projects safer - are the default. Internet.nl added us to their Hall of Fame for it.
View the Internet.nl Hall of Fame → View RPKI on Routinator →
Core: namespacing
Core applies namespacing by default (for UNIX users and FPM pools) using Linux namespaces. Inside a namespace, all SUID binaries (like sudo) are unusable: that drops the risk of Local Privilege Escalation (LPE) vulnerabilities to effectively zero.
Your tools
Enforce two-factor authentication
Want all your team members to log in with two-factor authentication (2FA / TOTP)? Flip the switch and it's done.
Personal logins, full audit log
Every team member has their own set of credentials to log into the platform. That way you can see exactly who did what, and when. Under 'Activity log' in the platform, you'll also find every API call, session and change.
Core: MariaDB database encryption at rest
In Core, you can encrypt databases at rest: if anyone gets hold of the raw database files, the data isn't readable and so isn't usable. Want to enable database encryption? Do so via Core, or ask us.
Transparency
Responsible disclosure
Found a flaw in one of our systems? We want to hear about it.
View our responsible disclosure policy →