The Cryptography Policy defines the encryption botBrains uses to protect data at rest and in transit and how we manage the associated keys and certificates. It’s the canonical home for our encryption standards, and other policies link here rather than restate them.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to all botBrains systems that store or transmit business or customer data, across our cloud providers (AWS, Hetzner, DigitalOcean), the botBrains platform, and the laptops used to operate them.

Encryption standards

botBrains applies strong, current cryptography by default and relies on provider-managed implementations rather than building our own.

| Use | Standard |
| --- | --- |
| Data at rest | AES-256 |
| Data in transit | TLS 1.2 and above on public endpoints for compatibility with older clients; server-to-server traffic stays within a private network or uses TLS 1.3 and above |
| VPN | Tailscale (WireGuard and Noise protocols: Curve25519, XSalsa20, ChaCha20-Poly1305), required to reach production servers |
| Passwords | Salted, peppered one-way hashing (provider-side); see Access Control Policy |
| Laptop disks | Full-disk encryption (FileVault or BitLocker) |

We don’t use deprecated protocols or cipher suites. Public-facing endpoints offer TLS 1.3 and above and enforce a minimum of TLS 1.2 for older clients: employee and customer traffic reaches the API through the Hetzner load balancers, and the Vercel CDN serves static assets. Server-to-server traffic between the API and its downstream services stays within a private network or uses TLS 1.3 and above.

Key and certificate management

Our cloud providers’ managed key management services (for example AWS KMS) generate, store, rotate, and back up data-at-rest encryption keys, so keys never leave the provider’s hardened boundary. botBrains doesn’t operate its own key management infrastructure.

| Aspect | How botBrains handles it |
| --- | --- |
| Key generation and storage | The provider KMS performs this and backs up keys for their operational lifetime |
| Key rotation | Managed keys rotate on the provider’s schedule, at least once every 12 months |
| Access to keys | Restricted to the CISO and the minimum personnel, protected by the controls in the Access Control Policy |
| TLS certificates | Load-balancer certificates for api.botbrains.io are provisioned through Terraform from Let’s Encrypt and served by our cloud provider. Other certificates, for example *.botbrains-cdn.com, are issued and renewed automatically by the cloud provider (AWS). All renew before expiry. |
| VPN keys | Tailscale provisions and rotates the WireGuard key pair on each enrolled device. The infrastructure operators administer the Tailscale network and its access controls. |
| Loss of key material | Because keys are provider-managed and backed up, recovery follows the provider’s process; see Backup Policy and Business Continuity and Disaster Recovery |

Customers can find which providers and regions process their data, all within the EU, in the subprocessor list.

ISO 27001 mapping

This policy supports Annex A 8.24 (use of cryptography). It also underpins the access controls in Annex A 8.5 by securing authentication channels.

Enforcement and exceptions

The CISO must approve and record any use of weaker cryptography than this policy requires, with the reason and an expiry date. The Incident Management Policy covers suspected key compromise.

Review

The CISO owns this policy and reviews it at least annually and on any material change.