The Cryptography Policy defines the encryption botBrains uses to protect data at rest and in transit and how we manage the associated keys and certificates. It’s the canonical home for our encryption standards, and other policies link here rather than restate them.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
Scope
This policy applies to all botBrains systems that store or transmit business or customer data, across our cloud providers (AWS, Hetzner, DigitalOcean), the botBrains platform, and the laptops used to operate them.
Encryption standards
botBrains applies strong, current cryptography by default and relies on provider-managed implementations rather than building our own.
| Use | Standard |
|---|---|
| Data at rest | AES-256 |
| Data in transit | TLS 1.2 and above on public endpoints for compatibility with older clients; server-to-server traffic stays within a private network or uses TLS 1.3 and above |
| VPN | Tailscale (WireGuard and Noise protocols: Curve25519, XSalsa20, ChaCha20-Poly1305), required to reach production servers |
| Passwords | Salted, peppered one-way hashing (provider-side); see Access Control Policy |
| Laptop disks | Full-disk encryption (FileVault or BitLocker) |
We don’t use deprecated protocols or cipher suites. Public-facing endpoints offer TLS 1.3 and above and enforce a minimum of TLS 1.2 for older clients: employee and customer traffic reaches the API through the Hetzner load balancers, and the Vercel CDN serves static assets. Server-to-server traffic between the API and its downstream services stays within a private network or uses TLS 1.3 and above.
Key and certificate management
Our cloud providers’ managed key management services (for example AWS KMS) generate, store, rotate, and back up data-at-rest encryption keys, so keys never leave the provider’s hardened boundary. botBrains doesn’t operate its own key management infrastructure.
| Aspect | How botBrains handles it |
|---|---|
| Key generation and storage | The provider KMS performs this and backs up keys for their operational lifetime |
| Key rotation | Managed keys rotate on the provider’s schedule, at least once every 12 months |
| Access to keys | Restricted to the CISO and the minimum personnel, protected by the controls in the Access Control Policy |
| TLS certificates | Load-balancer certificates for api.botbrains.io are provisioned through Terraform from Let’s Encrypt and served by our cloud provider. Other certificates, for example *.botbrains-cdn.com, are issued and renewed automatically by the cloud provider (AWS). All renew before expiry. |
| VPN keys | Tailscale provisions and rotates the WireGuard key pair on each enrolled device. The infrastructure operators administer the Tailscale network and its access controls. |
| Loss of key material | Because keys are provider-managed and backed up, recovery follows the provider’s process; see Backup Policy and Business Continuity and Disaster Recovery |
Customers can find which providers and regions process their data, all within the EU, in the subprocessor list.
ISO 27001 mapping
This policy supports Annex A 8.24 (use of cryptography). It also underpins the access controls in Annex A 8.5 by securing authentication channels.
Enforcement and exceptions
The CISO must approve and record any use of weaker cryptography than this policy requires, with the reason and an expiry date. The Incident Management Policy covers suspected key compromise.
Review
The CISO owns this policy and reviews it at least annually and on any material change.