Your data deserves highest care and confidentiality. To make sure your critical business data is protected at all times, we implement hundreds of comprehensive security measures across all areas of our company.

We are committed to transparency and quick action in all security matters.

Measures#

To ensure that your highly sensitive business data remains protected even in critical situations, we consistently rely on the highest encryption standards, proven software development practices, regularly tested backups, automated remote monitoring, and much more. See for yourself:

• Physical Security: Data centers and servers
• Network Security
• Operating System
• Maintenance Access
• Transport Security
• Application Security
• Monitoring
• Authentication
• Passwords
• Sessions
• Clients
• Windows Clients
• Mobile Clients (iOS, Android)
• On-Premise / Customer Servers
• Software Development
• Automated Audits
• OpenPGP Encryption
• Keeping your data secure really is our #1 priority.
• Does this work for you?

Physical Security: Data centers and servers#

• Exclusively dedicated (non-shared) servers
• Located in Germany: Bavaria (Nuremberg) and Saxony (Falkenstein/Vogtland)
• Operated by Hetzner Online GmbH
• All data centers are ISO/IEC 27001 certified
• Security personnel, alarm systems, UPS, diesel generators, etc.
• Private fiber optic network between the data centers
• VLAN in the fiber optic network
• 24/7 phone support contract for each data center
• All hard drives in all servers run in RAID-1 configuration at a minimum
• Full disk encryption (LUKS) on every server
• SSH and GPG private keys are stored in hardware security modules (HSM)
• Backups are created at least daily, encrypted client-side immediately with AES-256, transferred off-site in encrypted form, and then deleted from the database server
• Backups are permanently deleted after one year

Network Security#

• All traffic in the VLAN is additionally encrypted with VPN (WireGuard)
• VPN uses Curve25519, ChaCha20, Poly1305, and symmetric keys
• Hardware firewall and software firewall for all servers with strict rules
• DDoS protection is active (Arbor)
• Failover IP with BGP announcements signed with Route Origin Authorizations (ROA) (AS 24940)
• DNS is signed with DNSSEC (Cloudflare)

Operating System#

• Hardened Ubuntu Linux in Long Term Support (LTS)
• Automatic security updates are enabled
• Canonical Livepatch is enabled
• Software runs under unprivileged users in containers (Docker)
• Managed with a configuration management tool (Ansible)

Maintenance Access#

• Maintenance access via SSH v2 is only possible through an additional bastion host
• SSH only allows Ed25519 or ecdsa-sha2-nistp256 public/private key pairs
• All private keys are stored in a hardware security module (HSM)
• All access attempts and executed commands are automatically logged (verbose)
• SSH daemon configuration complies with at least the Mozilla Guidelines for Modern OpenSSH
• Root login is forbidden
• Password, host-based, challenge-response, PAM authentication, and Rhosts are forbidden
• Key exchange, ciphers, and MACs exclusively use curve25519-sha256 and hmac-sha2-512-etm
• TCP wrapper for SSH only allows the bastion host

Transport Security#

• Only encrypted connections over TLS 1.2 or TLS 1.3 are allowed
• HTTP is permanently redirected to HTTPS
• Reverse proxy protects application servers
• TLS certificates from Let's Encrypt and/or Buypass
• Encryption with elliptic curves (EC) for Perfect Forward Secrecy (PFS)
• Exclusive use of P-521 (NIST FIPS 186-4) and P-384 (NSA Suite B)
• P-384 private key (equivalent to 7680-bit RSA)
• Active TLS 1.2 ciphers are exclusively ECDHE-ECDSA-ChaCha20-Poly1305 and ECDHE-ECDSA-AES256-GCM-SHA384
• OCSP stapling is active, and the certificates have the "Must Staple" flag set
• Certificates are valid for a maximum of 3 months and are renewed after two months
• Publication in the Certificate Transparency Log (CT) is required (Expect-CT header)
• DNS CAA record is set with a report address
• Entropy generator is active (Havege)

Application Security#

• The servers enforce the strictest HTTP headers
• Strict Transport Security for two years, including subdomains and preload directive
• Domains are included in the HSTS preload list
• Content Security Policy prohibits mixed content, framing, media tags, object tags, workers, and inline styles in enforce mode
• Connections, fonts, frames, images, scripts, and styles only from complete HTTPS domains (whitelist)
• Unique nonce for styles allowed
• No wildcards allowed in the Content Security Policy
• Expect-CT header for Certificate Transparency in enforce mode
• XSS filter in block mode
• Permissions Policy header disables all unnecessary features
• All policy actions are centrally collected via Report-URI directive (Sentry)
• No referrer headers set
• "robots.txt" prohibits all paths for all bots
• "security.txt" contains contact information and PGP public key
• PGP public key published on common key servers
• The database is distributed across both data centers
• Database is not accessible from outside (VPN)
• Database peers authenticate with each other using a 1024-character keyfile
• Server-side error messages are not forwarded to clients

Monitoring#

• Continuous monitoring of all systems with various services
• Centralized logging and alerting
• Centralized collection of error messages
• Logs, error messages, and performance data are transmitted exclusively in encrypted form
• Logs, error messages, and performance data contain no personally identifiable information (pseudonymized and filtered)
• Pseudonyms are randomly generated (random IDs) and are not guessable or predictable
• Logs are archived securely and encrypted
• The Certificate Transparency Log is continuously monitored for issued certificates
• Critical error messages via email and chatbot contain no details (filtered)
• Multiple filters (client- and server-side) ensure that no personal data is logged even in unforeseen error cases

Authentication#

• Employees have only the minimum necessary rights for their tasks
• Certain groups of employees can only log in at specific workstations (clients)
• Aggressive rate limiting for login attempts
• Login error messages without detailed information to avoid user enumeration

Passwords#

• Password requirements follow the NIST 800-63B standard
• Passwords must be at least twelve characters long
• Passwords must not be reused
• Passwords are checked against reuse and known lists upon creation and each login
• The client hashes the password, and the first five characters of the SHA-1 hash are sent to the server for checking against known passwords
• The server downloads a list from HIBP with all known passwords whose SHA-1 hash prefix matches (k-anonymity)
• The server checks if the given full password hash is in this list
• Passwords are stored in the database as a hash with salt (bcrypt with 2¹⁵ = 32768 rounds)

Sessions#

• The session token is stored in the HTML5 local storage on the clients
• The session token is only valid for the same day
• Clients delete local storage on exit
• If cookies are used, they have at least the following attributes set: Secure, HttpOnly, SameSite=strict, Path=/, and the name prefix __Host-

Clients#

• Allow only secure connections (HTTPS) to known URLs (whitelist)
• Logs, errors, and crashes are collected and monitored centrally in encrypted form
• Prohibit navigation, new windows, WebView tags, and all permission requests
• Plugins, experimental features, WebGL, and audio are disabled
• Clients authenticate with the server using a 512-character key

Windows Clients#

• Implemented based on Electron
• Program and installer are each double-signed (SHA-1 and SHA-256 with Authenticode OV or EV certificates) with a timestamp
• Auto-updater (NSIS) checks code signature and only downloads over HTTPS
• Code runs in context isolation and without Node integration
• Whitelist for IPC communication
• Follows the Electron Best Practices

Mobile Clients (iOS, Android)#

• Centralized configuration management and locking capability
• Only secure (HTTPS) connections to known domains (whitelist)
• Operating system has all unnecessary features disabled
• Automatic security updates enabled
• Usage statistics disabled
• Screenshots disabled where possible
• Permissions for microphone, location, etc., disabled

On-Premise / Customer Servers#

• Hardened Ubuntu LTS Linux with automatic security updates and Canonical Livepatch (See Operating System)
• Fully encrypted RAID-1 (LUKS)
• Key for booting is not stored in the same building
• Strong BIOS/UEFI password set
• Unused ports disabled
• Software firewall only allows port 443
• Only accessible within the local network
• TLS certificates for internal network as well (configuration see Transport Security)
• Centralized monitoring as described above
• Managed with a configuration management tool (Ansible)
• Reverse proxy protects the application
• Authentication via HMAC signature (AWSv4)
• Off-site backup is locally encrypted with AES-256 before transmission

Software Development#

• Two-factor authentication (2FA) is enabled everywhere
• Only services supporting 2FA are used
• Full disk encryption on all development devices
• All code changes (commits) are signed with PGP
• PGP private key is stored in an HSM (4096-bit RSA or 3072-bit DSA)
• Central repository only accepts commits with a valid signature
• All changes to the central repository are logged
• Dependencies are automatically checked for known vulnerabilities every four hours and updated as quickly as possible
• Dependencies are pinned to a fixed version along with the hash of the files
• Various security advisories for used components are subscribed to
• Only official Docker base images are used
• Continuous Delivery with reproducible builds
• Minimal necessary dependencies, consistently clean code
• Adherence to common standards
• SANS CWE Top 25
• OWASP Top 10 (PDF)
• MITRE Common Weaknesses
• MITRE Common Vulnerabilities

Automated Audits#

• A+ Mozilla HTTP Observatory
• A+ CryptCheck
• A+ Qualys SSLabs
• A+ Security Headers
• A+ High-Tech Bridge SA SSL
• A High-Tech Bridge SA Website Security
• A Mozilla SSH Observatory
• OK Report-URI Content Security Policy
• OK HSTS Preload

For any security-related inquiries please contact us at security@fixpoint.co.at

OpenPGP Encryption#

Please encrypt security critical communication with our OpenPGP key (right click > save as).

Its fingerprint is: 9B72 A8C3 71C9 6BC0 DEB9 FBC4 51BE E163 824A 7441

Keeping your data secure really is our #1 priority.#

If you notice anything, please contact us at security@fixpoint.co.at.

We will respond as quickly as possible.

Does this work for you?#

Great! Then write to us and let's talk about your project.

Free, confidential and without obligation.

We'll get back to you within 48 hours.