Security

Organisational

ISO 27001 certified

An independent auditor reviews our security every year. Not because we love audits - it's not our favourite day of the year either - but because "trust us" isn't good enough. The certification covers the whole organisation, including risk assessments, access control, incident response and supplier management.

At the same time, it pays to be aware of what ISO is - and especially what it isn't (article in Dutch).

Download ISO 27001 certificate → Download Statement of Applicability →

ISO-certified data centres

Biometric access, diesel generators, fire suppression systems - your data lives in heavily secured buildings that would make Fort Knox take notes. Every facility is at least ISO-certified.

View our data centres →

European & GDPR-compliant

Your data sits in Europe, is managed by a European team and stays on European soil, on our own hardware. No American parent company quietly shuffling your data to "processing partners" in far-off lands.

Read what we think about Europe →

Screening

Everyone at Cyberfusion has been thoroughly screened and holds a government-issued Certificate of Conduct (VOG).

Security awareness

Every team member follows ongoing security-awareness training on phishing, social engineering, privacy and related topics. The point is to keep security continuously top of mind, so it is weighed in every daily decision. After all, most security incidents in history didn't start with a serious hack, but with someone kindly holding the door open for a stranger.

Identity verification via the platform

Want to request confidential information, or have a change pushed through? That always goes via the secured platform. If we do get such a request by email or phone, we redirect you: after all, anyone can pretend to be Bill Gates.

Technical

Multiple data centres

Our services run from geographically separated locations. If a whole data centre goes offline, we have the technical ability to move your services in exceptional cases. Backups also live elsewhere.

View our data centres →

Periodic maintenance

We continuously improve and update our infrastructure. We perform maintenance at least once a month.

Continuous security patching

We continuously monitor new security vulnerabilities. If a security update cannot wait, we apply it immediately to keep your data safe. You'll always hear about it from us.

Read about how we handled a recent vulnerability →

Modern internet standards

IPv6, DNSSEC, RPKI and a stack of other modern internet standards - the kind that make projects safer - are the default. Internet.nl added us to their Hall of Fame for it.

View the Internet.nl Hall of Fame → View RPKI on Routinator →

One service per server

On a typical control-panel server (cPanel, DirectAdmin), DNS, mail, web and database all run on one machine. One critical vulnerability in one service hands an attacker the keys to everything: a leaky mail server becomes a leaked customer database. We make it easy to put each service on its own server, so an intrusion in one can't spread to the next.

Core: namespacing

Core applies namespacing by default (for UNIX users and FPM pools) using Linux namespaces. Inside a namespace, all SUID binaries (such as sudo) are unusable, which makes the risk of a Local Privilege Escalation (LPE) vulnerability being exploited negligible. Core was therefore not vulnerable to the majority of LPEs (Copy Fail, Dirty Frag, Fragnesia, etc.).

Core: Address Space Layout Randomization (ASLR)

Some exploits work like a burglar who already knows exactly where the safe is. Address Space Layout Randomization shuffles the memory around, so an attack that used to take one click now requires thousands of attempts that almost never succeed.

Core: daily malware scan

Every project on Core is scanned every 24 hours for malware, backdoors and suspicious file changes. We pay extra attention to known infections in widely used CMSes like WordPress - that is where most of them turn up.

If we find something, you hear about it right away in Core. From there: restore a backup, update the project, and you are back in the clear before the day is out.

Your tools

Enforce two-factor authentication

Want all your team members to log in with two-factor authentication (2FA / TOTP)? Flip the switch and it's done.

Personal logins, full audit log

Every team member has their own set of credentials to log into the platform. That way you can see exactly who did what, and when. Under 'Activity log' in the platform, you'll also find every API call, session and change.

Core: MariaDB database encryption at rest

In Core, you can encrypt databases at rest: if anyone gets hold of the raw database files, the data isn't readable and so isn't usable. Want to enable database encryption? Do so via Core, or ask us.

Core: force SSH keys instead of passwords

Want SSH access keys-only? In the platform: Advanced > UNIX Users > pick one > SFTP & SSH > Update password > switch 'Enable Password Authentication' off. Passwords won't get anyone in after that.

Core: lock phpMyAdmin down per user

In Core you control which IP addresses can log in to phpMyAdmin - and uniquely among hosting platforms, Core lets you set this per database user, rather than per server.

Core: bulk security.txt policies

A security.txt file is essential for any serious site: it sits at /.well-known/security.txt on your domain and tells security researchers where to report a vulnerability they've found.

In Core, add a security.txt policy to every domain you host in one action. We were one of the first - and still one of the only - hosting providers to make this easy, without having to touch each project individually.

Read about security.txt policies in Core →

Core: internet standards scans

Scan any domain you host against modern internet standards - IPv6, DNSSEC, RPKI, DMARC, TLS, and the rest. You see immediately which ones pass, which don't, and what you need to fix to work with organisations that require them, such as (semi-)government bodies.

Read about standards scans in Core →

Transparency

Responsible disclosure

Found a flaw in one of our systems? We want to hear about it.

View our responsible disclosure policy →

Got a question? Call or email William.

William David Edwards · founder

See more contact options →