forked from sr2/cloud.sr2.uk
27 lines
1.7 KiB
Markdown
27 lines
1.7 KiB
Markdown
---
|
||
title: Security
|
||
sidebar_position: 50
|
||
---
|
||
|
||
## Application Security
|
||
|
||
Open Technology Funds’s Security Lab partner Assured Security Consultants performed a
|
||
[white box audit of Link](/docs/link/Assured-AB-CDR001v_CDR_Link.pdf) between October 7 and October 22, 2024.
|
||
A white box audit provides the tester with privileged access to the source code, testing infrastructure, and
|
||
documentation.
|
||
The audit included the Link application itself, its integrations with chat networks Signal and WhatsApp, as well as the
|
||
deployment and hosting infrastructure underlying a typical Link instance. Auditors performed a verification test in
|
||
December 2025 to validate fixes and mitigations in response to the original test.
|
||
|
||
## Infrastructure Security
|
||
|
||
Our Link instances run on SR2's vetted-access cloud, which in turn is hosted on servers rented from Hetzner Online GmbH.
|
||
The datacenter runs on [100% green electricity](https://cdn.hetzner.com/assets/Uploads/oekostrom-zertifikat-2025.pdf)
|
||
and has [stringent security measures](https://www.hetzner.com/assets/Uploads/downloads/Sicherheit-en.pdf) in place to
|
||
prevent unauthorised access.
|
||
Hetzner holds an [ISO 27001 certification](https://www.hetzner.com/assets/downloads/ISO-Certificate.pdf) relating to
|
||
the security measures in place, and there are no exclusions from the scope in regard to measures mentioned in Annex A.
|
||
|
||
SR2 exclusively and manages the servers from Scotland via mutually authenticated, end-to-end encrypted channels.
|
||
All CDR Link helpdesk data is stored on a LUKS-encrypted volume with a per-instance key to protect the data at rest.
|
||
Hetzner staff have physical server access, but strict controls are in place to prevent unauthorised access.
|