feat(link): more docs

docs/link/security.md

@@ -0,0 +1,27 @@
+---
+title: Security
+sidebar_position: 50
+---
+
+## Application Security
+
+Open Technology Funds’s Security Lab partner Assured Security Consultants performed a
+[white box audit of Link](/docs/link/Assured-AB-CDR001v_CDR_Link.pdf) between October 7 and October 22, 2024.
+A white box audit provides the tester with privileged access to the source code, testing infrastructure, and
+documentation.
+The audit included the Link application itself, its integrations with chat networks Signal and WhatsApp, as well as the
+deployment and hosting infrastructure underlying a typical Link instance. Auditors performed a verification test in
+December 2025 to validate fixes and mitigations in response to the original test.
+
+## Infrastructure Security
+
+Our Link instances run on SR2's vetted-access cloud, which in turn is hosted on servers rented from Hetzner Online GmbH.
+The datacenter runs on [100% green electricity](https://cdn.hetzner.com/assets/Uploads/oekostrom-zertifikat-2025.pdf)
+and has [stringent security measures](https://www.hetzner.com/assets/Uploads/downloads/Sicherheit-en.pdf) in place to
+prevent unauthorised access.
+Hetzner holds an [ISO 27001 certification](https://www.hetzner.com/assets/downloads/ISO-Certificate.pdf) relating to
+the security measures in place, and there are no exclusions from the scope in regard to measures mentioned in Annex A.
+
+SR2 exclusively and manages the servers from Scotland via mutually authenticated, end-to-end encrypted channels.
+All CDR Link helpdesk data is stored on a LUKS-encrypted volume with a per-instance key to protect the data at rest.
+Hetzner staff have physical server access, but strict controls are in place to prevent unauthorised access.