# Network Security Policy

> The Network Security Policy governs segmentation, secure configuration, and protection of our networks and network services.

export const PolicyVersion = ({version, effective}) => <p><strong>Version {version}</strong> · Effective {effective}. Change history is tracked in version control.</p>;

The Network Security Policy governs how botBrains segments, secures, and monitors the networks that connect its services. As a fully remote, cloud-hosted company, botBrains has no corporate office network; network security is implemented in our cloud providers' virtual networks and in the encrypted channels between our systems.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<PolicyVersion version="1.0" effective="July 1, 2026" />

## Scope

This policy applies to all network paths into and between botBrains production systems, including provider virtual networks, administrative access, and the public endpoints that serve the product. Our [subprocessors](/trust/subprocessors) page lists the providers behind these networks.

## Segmentation and isolation

botBrains separates its **local, staging, and production** environments and isolates production resources from each other by function. Application servers and background workers run on Hetzner, the managed database and object storage run in AWS, and the in-memory cache runs on DigitalOcean. Multi-tenant data is logically separated by tenant ID, as described in the [Secure Development Policy](/trust/policies/secure-development-policy).

Databases and internal services are **never exposed to the public internet**. They're reachable only from authorized application hosts within the provider network. Only the endpoints that must be public, such as the chat widget CDN and the platform API, are internet-facing.

## Secure configuration and firewalls

Provider **security groups** and firewall rules restrict network access. They default to deny and permit only the ports and sources required for the service to function. botBrains reviews firewall and security-group rules when infrastructure changes and at least annually ([Employees Only: Network & firewall evidence](https://app.notion.com/p/390481da93cf8113aca6f2083ee22e82)). Changes follow the [Operations Security Policy](/trust/policies/operations-security-policy).

## Encryption in transit and administrative access

| Channel                   | Protection                                                                                                                                                                                                                 |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Public traffic**        | Runs over encrypted HTTPS, offering **TLS 1.3 and above** and enforcing a minimum of **TLS 1.2** for older clients. End users and the platform reach the API through the load balancers, and the CDN serves static assets. |
| **Administrative access** | Team members reach production servers over the company **VPN** (Tailscale, built on the WireGuard and Noise protocols: Curve25519, XSalsa20, ChaCha20-Poly1305) with named individual accounts and MFA.                    |
| **Service-to-service**    | Internal traffic between application components and managed services stays within a private network or is encrypted in transit over **TLS 1.3 and above**.                                                                 |

The [Cryptography Policy](/trust/policies/cryptography-policy) defines encryption standards and key management. The [Access Control Policy](/trust/policies/access-control-policy) governs identity, multi-factor authentication, and least-privilege access for administrative connections.

## Monitoring and intrusion detection

botBrains runs **Wazuh** for intrusion detection (IDS) and security information and event management (SIEM), centralizing security-relevant logs and monitoring them for intrusion indicators, as described in the [Logging and Monitoring Policy](/trust/policies/logging-and-monitoring-policy). botBrains **doesn't** currently run an active intrusion prevention system. botBrains alerts on detected anomalies and handles them through the [Incident Management Policy](/trust/policies/incident-management-policy).

Firewalls, spam filtering, and virus scanning are in place across our systems. Provider-level controls add DDoS protection, load balancing, and network redundancy: Hetzner provides built-in DDoS protection for our servers, and the static website is served through a CDN with Vercel adding its own DDoS protection.

## Physical network security

botBrains inherits the physical networks, cabling, and data center perimeters from AWS, Hetzner, and DigitalOcean under their own ISO 27001 and SOC 2 certifications. botBrains doesn't operate its own network hardware.

## ISO 27001 mapping

This policy supports Annex A controls 8.20 (networks security), 8.21 (security of network services), 8.22 (segregation of networks), 8.23 (web filtering), and 8.9 (configuration management) as it applies to network configuration.

## Review

The CISO owns this policy and reviews it at least annually and whenever a material change to our network architecture or providers occurs.
