forked from sr2/cloud.sr2.uk
28 lines
1.7 KiB
Markdown
---
title: Security
sidebar_position: 50
---

## Application Security

Open Technology Fund's Security Lab partner Assured Security Consultants performed a
[white box audit of Link](/docs/link/Assured-AB-CDR001v_CDR_Link.pdf) between October 7 and October 22, 2024.
A white box audit provides the tester with privileged access to the source code, testing infrastructure, and
documentation.
The audit included the Link application itself, its integrations with chat networks Signal and WhatsApp, as well as the
deployment and hosting infrastructure underlying a typical Link instance. Auditors performed a verification test in
December 2025 to validate fixes and mitigations in response to the original test.

## Infrastructure Security

Our Link instances run on SR2's vetted-access cloud, which in turn is hosted on servers rented from Hetzner Online GmbH.
The datacenter runs on [100% green electricity](https://cdn.hetzner.com/assets/Uploads/oekostrom-zertifikat-2025.pdf)
and has [stringent security measures](https://www.hetzner.com/assets/Uploads/downloads/Sicherheit-en.pdf) in place to
prevent unauthorised access.
Hetzner holds an [ISO 27001 certification](https://www.hetzner.com/assets/downloads/ISO-Certificate.pdf) relating to
the security measures in place, and there are no exclusions from the scope in regard to measures mentioned in Annex A.

SR2 exclusively manages the servers from Scotland via mutually authenticated, end-to-end encrypted channels.
All CDR Link helpdesk data is stored on a LUKS-encrypted volume with a per-instance key to protect the data at rest.
Hetzner staff have physical server access, but strict controls are in place to prevent unauthorised access.