Wiki source code of Security Policy
Last modified by Robert Schaub on 2025/12/24 21:53
= Security Policy =
**Last Updated:** December 17, 2025
== 1. Purpose ==
This Security Policy outlines how FactHarbor protects user data and maintains platform security.
== 2. Security Principles ==
* **Defense in depth**: Multiple layers of security controls
* **Least privilege**: Minimal access rights by default
* **Transparency**: Open about security practices
* **Continuous improvement**: Regular security assessments
== 3. Data Protection ==
=== 3.1 Encryption ===
* All connections use TLS/HTTPS
* Sensitive data encrypted at rest
* Secure key management practices
=== 3.2 Access Controls ===
* Role-based access control (RBAC)
* Strong authentication requirements
* Two-factor authentication available
* Regular access reviews
=== 3.3 Data Minimization ===
* Collect only necessary data
* Automatic deletion per retention schedule
* Regular data cleanup processes
== 4. Infrastructure Security ==
=== 4.1 Hosting ===
* Secure hosting environment
* Regular security updates
* Network security controls
* DDoS protection
=== 4.2 Monitoring ===
* Security event logging
* Anomaly detection
* Regular log reviews
* Incident alerting
=== 4.3 Backups ===
* Regular automated backups
* Encrypted backup storage
* Tested restoration procedures
== 5. Application Security ==
=== 5.1 Secure Development ===
* Security code reviews
* Dependency vulnerability scanning
* Secure coding practices
* Regular security testing
=== 5.2 Authentication ===
* Strong password requirements
* Password hashing (bcrypt or better)
* Account lockout protection
* Session management
=== 5.3 Input Validation ===
* All user input validated
* Protection against injection attacks
* Content security policies
* XSS prevention
== 6. Vulnerability Management ==
=== 6.1 Vulnerability Disclosure ===
**How to Report:**
* Email: [Security contact to be established]
* Provide a detailed description
* Include reproduction steps if possible
* We respond within a reasonable timeframe
**What to Expect:**
* Acknowledgment of report
* Investigation and validation
* Fix development and deployment
* Public disclosure after fix (coordinated)
=== 6.2 Bug Bounty ===
* May be established in the future
* Details to be announced
=== 6.3 Responsible Disclosure ===
We request:
* Reasonable time to fix vulnerabilities
* No public disclosure before fix
* No exploitation of vulnerabilities
* Good faith security research
== 7. Incident Response ==
=== 7.1 Incident Handling ===
* Immediate containment
* Investigation and assessment
* User notification (if required)
* Regulator notification (if required)
* Public transparency report
=== 7.2 Data Breaches ===
Per [[Privacy Policy>>FactHarbor.Organisation.How-We-Work-Together.Privacy-Policy]]:
* Immediate FDPIC notification (if high risk)
* User notification (if required)
* Public incident report
* Root cause analysis
== 8. Compliance ==
=== 8.1 Standards ===
* Swiss FADP compliance
* EU GDPR compliance (if serving EU users)
* Industry best practices
=== 8.2 Audits ===
* Regular internal security reviews
* External audits when feasible
* Penetration testing
* Compliance assessments
== 9. User Responsibilities ==
=== 9.1 Account Security ===
* Use strong, unique passwords
* Enable two-factor authentication
* Keep credentials confidential
* Report suspicious activity
=== 9.2 Security Awareness ===
* Verify official communications
* Be cautious of phishing
* Report security concerns
* Follow security guidelines
== 10. Third-Party Services ==
* Vet security practices of partners
* Contractual security requirements
* Regular vendor assessments
* Data protection agreements
== 11. Updates to This Policy ==
This Security Policy may be updated as security practices evolve. Major changes will be announced.
== 12. Contact ==
**Security Issues:** [Contact to be established]
**Related Policies:**
* [[Privacy Policy>>FactHarbor.Organisation.How-We-Work-Together.Privacy-Policy]]
* [[Transparency Policy>>FactHarbor.Organisation.How-We-Work-Together.Transparency-Policy]]
**Version:** Draft
**Status:** To be finalized before launch