Security controls

The actual controls. Not slogans.

This page is the canonical list of technical and organisational measures (TOMs) for Aevrix Group services, mapped to CIS Controls v8 and NIST CSF 2.0. Snapshot 2026-05-20.

Identity & access

Who can touch what.

Hardware-backed admin 2FA

Every Aevrix administrator authenticates to corporate identity with a phishing-resistant FIDO2 security key. SMS, TOTP-only, and push-only flows are disabled for admin accounts.

Least-privilege by default

Production access is per-role, time-bounded, and approved per request. No standing root. Break-glass accounts have hardware token + paper recovery + audit.

Bastion-only SSH

Production servers do not accept SSH from the public internet. All shell access is through a hardened bastion with port-knocking and rate-limited fail2ban.

Separated recovery chain

Registrar accounts, identity provider, and break-glass accounts are not recoverable from a single primary inbox. Compromising one mailbox does not let an attacker pivot to control all assets.

Application security

Hardening at the edge.

HTTPS-only, HSTS preload

Every Aevrix-owned hostname is on the HSTS preload list with a two-year max-age. Plaintext HTTP is rejected at the edge.

Tight CSP everywhere

Based on default-src 'self'. No 'unsafe-inline' for scripts. frame-ancestors 'none'. object-src locked down. CSP applies to every page, not just sensitive ones.

Modern TLS only

TLS 1.2 and 1.3 only. SHA-1, RC4, 3DES, and weak DH parameters refused. SSL Labs grade A+ across the surface.

Permissions-Policy locked

Camera, microphone, geolocation, USB, payment, browsing-topics, and interest-cohort all explicitly denied at the edge unless the surface needs them.
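The three edge-header controls above (HSTS preload, the CSP baseline, and the Permissions-Policy denials) can be checked mechanically against any response. The following audit script is an added example, not Aevrix's own tooling: its thresholds are taken from the text on this page (two-year HSTS max-age, default-src 'self', no 'unsafe-inline' for scripts, frame-ancestors 'none', the seven listed Permissions-Policy features), and reading "object-src locked" as object-src 'none' is this example's interpretation. The two header sets at the bottom are constructed samples, not captures from any real host.

```python
"""Audit HTTP response headers against the edge policy stated on this page.

Added example: not Aevrix's own tooling. Thresholds come from the page text;
treating a "locked" object-src as object-src 'none' is this example's reading.
"""
from __future__ import annotations

HSTS_MIN_MAX_AGE = 2 * 365 * 24 * 3600  # seconds; the page's "two-year max-age"
DENIED_FEATURES = ("camera", "microphone", "geolocation", "usb", "payment",
                   "browsing-topics", "interest-cohort")


def parse_hsts(value: str) -> tuple[int, bool, bool]:
    """Return (max_age, includeSubDomains, preload) from a Strict-Transport-Security value."""
    max_age, subs, preload = 0, False, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            max_age = int(directive.split("=", 1)[1].strip('"'))
        elif directive == "includesubdomains":
            subs = True
        elif directive == "preload":
            preload = True
    return max_age, subs, preload


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse Content-Security-Policy into {directive: [sources]}.

    Names and sources are lower-cased for keyword comparison; as in browsers,
    the first occurrence of a duplicated directive wins.
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def parse_permissions_policy(value: str) -> dict[str, str]:
    """Parse `feature=(allowlist), feature=*` into {feature: allowlist text}."""
    out: dict[str, str] = {}
    for item in value.split(","):
        if "=" in item:
            feature, allow = item.split("=", 1)
            out[feature.strip().lower()] = allow.strip()
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HTTPS-only, HSTS preload: two-year max-age plus the tokens the preload list needs
    if "strict-transport-security" not in h:
        findings.append("HSTS: header missing")
    else:
        max_age, subs, preload = parse_hsts(h["strict-transport-security"])
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS: max-age {max_age} is below two years")
        if not subs:
            findings.append("HSTS: includeSubDomains missing")
        if not preload:
            findings.append("HSTS: preload token missing")

    # Tight CSP: 'self' baseline, no inline scripts, no framing, plugins locked
    if "content-security-policy" not in h:
        findings.append("CSP: header missing")
    else:
        csp = parse_csp(h["content-security-policy"])
        default = csp.get("default-src", [])
        if "'self'" not in default or "*" in default:
            findings.append("CSP: default-src must be based on 'self'")
        # script-src and object-src fall back to default-src when absent
        if "'unsafe-inline'" in csp.get("script-src", default):
            findings.append("CSP: 'unsafe-inline' allowed for scripts")
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP: frame-ancestors must be 'none'")
        if csp.get("object-src", default) != ["'none'"]:
            findings.append("CSP: object-src not locked to 'none'")

    # Permissions-Policy: each listed feature must carry an empty allowlist
    pp = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in DENIED_FEATURES:
        if pp.get(feature) != "()":
            findings.append(f"Permissions-Policy: {feature} not explicitly denied")
    return findings


# Constructed sample responses (not captured from any real host).
COMPLIANT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), usb=(), payment=(), "
                          "browsing-topics=(), interest-cohort=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'",
    "Permissions-Policy": "camera=(self), microphone=()",
}

if __name__ == "__main__":
    for name, hdrs in (("compliant", COMPLIANT_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

Feed it the headers of a real response (for example from a `requests` call or a CI smoke test) and gate the deploy on an empty findings list; the weak sample shows how a one-year max-age without `preload`, an inline-script allowance and a partial Permissions-Policy each surface as separate findings.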

Data protection

Encryption everywhere it matters.

Encryption at rest

Volumes are LUKS-encrypted; backups (Restic) are encrypted client-side with keys we hold; Backblaze B2 never sees plaintext.

End-to-end encryption for users

For Axion messaging, content is end-to-end encrypted with MLS / Signal-protocol primitives. Aevrix infrastructure cannot read message content even when the law tries to compel us.

Encrypted backups, off-site

Restic snapshots are signed, immutable for the retention window, and replicated across at least two geographic regions.

Secrets management

HashiCorp Vault for runtime secrets. Secrets never live in source control. Pre-commit hooks block accidental check-in.

Network

Defence in layers.

Edge WAF + DDoS

Cloudflare WAF with managed rules, plus custom rules for Aevrix-specific patterns. Volumetric attacks absorbed at the global edge.

nftables on every host

Default-deny inbound, allow-listed outbound, with rate-limiting on management ports. CrowdSec consensus blocklist applied at edge and host.

Private networks for everything internal

Service-to-service traffic on Tailscale or a WireGuard mesh. No internal service speaks to the public internet directly.

fail2ban + recidive jail

Repeat offenders escalated automatically. Manual review for sustained patterns.

Monitoring & response

We see what we run.

Structured audit logging

auditd on every production host. Logs are signed, shipped, and retained for at least one year.

Real-time alerting

Grafana Alloy → Grafana Cloud for metrics; alerts route to the on-call engineer over multiple paths. UptimeRobot black-box probes from outside our own network.

AIDE file integrity

File-integrity monitoring with hash database. Daily diff alerts on production hosts.

Incident commander rotation

A named incident commander is on rotation 24/7. Run-book drilled twice a year. Status page driven from a separate provider.

Supply chain

Trust nothing by default.

SBOM for every release

CycloneDX SBOM attached to every signed release artefact. Reviewers can map dependencies one by one.

Signed releases

Sigstore / cosign signatures on release artefacts where supported. Reproducible builds where the language ecosystem permits.

Locked dependency policy

cargo-deny / OSV-Scanner / Dependabot configured to fail CI on known-vulnerable or unmaintained dependencies above an explicit threshold.

Pinned base images

Container base images pinned by digest, not tag. Rebuilds rolled forward deliberately, not silently.
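A digest pin is easy to state and easy to lose in a pull request, so the control is usually enforced by a CI check rather than by convention. The script below is an added example, not Aevrix's CI: it walks a Dockerfile, ignores references to earlier build stages and the empty `scratch` image, and reports every `FROM` that resolves by tag instead of by `@sha256:` digest. The Dockerfile is constructed, and the digest in it is an all-zero placeholder rather than a real image digest.

```python
"""Flag container base images that are not pinned by digest.

Added example, not Aevrix's CI. The Dockerfile below is constructed, and its
sha256 digest is an all-zero placeholder, not a real image digest.
"""
from __future__ import annotations

import re

# FROM [--platform=...] <image>[:tag][@sha256:<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile: str) -> list[str]:
    """Return every FROM reference that resolves by tag (or no tag) instead of a digest."""
    stages: set[str] = set()
    unpinned: list[str] = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Earlier build stages and the empty `scratch` image have no digest to pin
        if ref.lower() in stages or ref.lower() == "scratch":
            pass
        elif not DIGEST_RE.search(ref):
            unpinned.append(ref)
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return unpinned


PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real digest

# Constructed multi-stage Dockerfile: the builder stage is tag-pinned, the runtime stage digest-pinned.
SAMPLE_DOCKERFILE = f"""\
FROM rust:1.80 AS builder
WORKDIR /src
COPY . .
RUN cargo build --release

FROM gcr.io/distroless/cc@{PLACEHOLDER_DIGEST}
COPY --from=builder /src/target/release/app /app
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    print("unpinned:", unpinned_images(SAMPLE_DOCKERFILE))  # constructed sample: ['rust:1.80']
```

Run it over every Dockerfile in the repository as a CI step and fail the build when the list is non-empty; the deliberate roll-forward the page describes then becomes a reviewed change to the digest rather than a silent re-resolution of a tag.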

People & process

Human controls matter most.

Confidentiality & data handling training

Every Aevrix contributor is bound by written confidentiality terms and must complete data-handling training before production access is granted.

Vulnerability disclosure programme

The programme described at /policy/ is the formal channel; we triage every report. No paid bounty yet — see policy.

Annual third-party assessment

Independent penetration testing scheduled annually for the production surface once we have publicly-paying enterprise customers under contract.

Customer-driven audit on request

Enterprise customers under a signed DPA can request a directed assessment with reasonable notice — see /compliance/.

Need the long version?

Detailed evidence (configurations, logs, audit attestations) is available under a signed NDA to active enterprise customers.