The Network Security Policy governs how botBrains segments, secures, and monitors the networks that connect its services. As a fully remote, cloud-hosted company, botBrains has no corporate office network. botBrains implements network security in our cloud providers and in the encrypted channels between our systems.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to all network paths into and between botBrains production systems, including provider virtual networks, administrative access, and the public endpoints that serve the product. Our subprocessors page lists the providers behind these networks.

Segmentation and isolation

botBrains separates its local, staging, and production environments and isolates production resources from each other by function. Application servers and background workers run on Hetzner, the managed database and object storage run in AWS, and the in-memory cache runs on DigitalOcean. Multi-tenant data is logically separated by tenant ID, as described in the Secure Development Policy. Databases and internal services are never exposed to the public internet. They’re reachable only from authorized application hosts within the provider network. Only the endpoints that must be public, such as the chat widget CDN and the platform API, are internet-facing.

Secure configuration and firewalls

Provider security groups and firewall rules restrict network access. They default to deny and permit only the ports and sources required for the service to function. botBrains reviews firewall and security-group rules when infrastructure changes and at least annually (Employees Only: Network & firewall evidence). Changes follow the Operations Security Policy.

Encryption in transit and administrative access

Channel | Protection
Public traffic | Runs over encrypted HTTPS, offering TLS 1.3 and above and enforcing a minimum of TLS 1.2 for older clients. End users and the platform reach the API through the load balancers, and the CDN serves static assets.
Administrative access | Team members reach production servers over the company VPN (Tailscale, built on the WireGuard and Noise protocols: Curve25519, XSalsa20, ChaCha20-Poly1305) with named individual accounts and MFA.
Service-to-service | Internal traffic between application components and managed services stays within a private network or is encrypted in transit over TLS 1.3 and above.
The Cryptography Policy defines encryption standards and key management. The Access Control Policy governs identity, multi-factor authentication, and least-privilege access for administrative connections.

Monitoring and intrusion detection

botBrains runs Wazuh for intrusion detection (IDS) and security information and event management (SIEM), centralizing security-relevant logs and monitoring them for intrusion indicators, as described in the Logging and Monitoring Policy. botBrains doesn’t currently run an active intrusion prevention system. botBrains alerts on detected anomalies and handles them through the Incident Management Policy. Firewalls, spam filtering, and virus scanning are in place across our systems. Provider-level controls add DDoS protection, load balancing, and network redundancy: Hetzner provides built-in DDoS protection for our servers, and the static website is served through a CDN with Vercel adding its own DDoS protection.

Physical network security

botBrains inherits the physical networks, cabling, and data center perimeters from AWS, Hetzner, and DigitalOcean under their own ISO 27001 and SOC 2 certifications. botBrains doesn’t operate its own network hardware.

ISO 27001 mapping

This policy supports Annex A controls 8.20 (networks security), 8.21 (security of network services), 8.22 (segregation of networks), 8.23 (web filtering), and 8.9 (configuration management) as it applies to network configuration.

Review

The CISO owns this policy and reviews it at least annually and whenever a material change to our network architecture or providers occurs.