The Physical Security Policy protects the equipment and physical media that botBrains personnel use, and defines how botBrains relies on certified providers for data center physical security. botBrains is fully remote with no office and no self-operated infrastructure, so physical security splits into two layers: the home-office and device controls botBrains operates directly, and the data center controls inherited from infrastructure providers.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to both botBrains team members, all devices they use to access botBrains systems or data, and the locations from which they work. It also covers the inherited physical security of the cloud infrastructure that hosts production data. botBrains operates no offices, server rooms, badge readers, or visitor logs of its own, so traditional perimeter controls don’t apply.

Home-office and remote-work security

Personnel work from home or another private, trusted location. botBrains doesn’t claim controls it can’t enforce, such as building access systems, but personnel must apply the following.

| Requirement | Detail |
| --- | --- |
| Trusted environment | Work from a private location. Don’t leave devices unattended or visible to others in public or shared spaces |
| Full-disk encryption | All laptops use full-disk encryption (FileVault on macOS, BitLocker on Windows), so a lost or stolen device doesn’t expose data |
| Screen lock | Screens lock automatically when idle and require authentication to resume, supporting a clean-screen practice in shared homes |
| Device authentication | A strong credential protects login, and access to botBrains systems requires MFA as defined in the Access Control Policy |
| Reporting | Personnel must report a lost, stolen, or potentially compromised device immediately under the Incident Management Policy |

Device handling and media

Laptops are the primary endpoints, and the Asset Management Policy tracks them as assets. botBrains avoids storing production data on endpoints; work happens against cloud systems. botBrains doesn’t use removable media for production data. When a device reaches end of life or changes hands, botBrains securely erases its storage or destroys the encryption keys before disposal or reassignment.

Data center physical security (inherited)

botBrains stores and processes all production data in third-party cloud data centers and doesn’t operate any physical processing facility. Physical security of those facilities, including perimeter control, access logging, surveillance, fire suppression, climate control, and power redundancy, remains the providers’ responsibility, and their independent certifications cover it.
| Provider | Region | Independent certification relied upon |
| --- | --- | --- |
| AWS | Germany (primary), Ireland (backup) | ISO 27001, SOC 2 |
| Hetzner | Nuremberg, Falkenstein | ISO 27001 |
| DigitalOcean | Frankfurt | ISO 27001, SOC 2 |

botBrains relies on these certifications as evidence of data center physical security and doesn’t duplicate or re-attest these controls. botBrains assesses provider assurance as part of the Supplier Management Policy, and the full infrastructure map lives in the subprocessor list.

Enforcement

Personnel who don’t follow this policy are subject to corrective action. Personnel must report suspected unauthorized physical access to any device or to botBrains data immediately, and botBrains handles it as an incident.

ISO 27001 mapping

| Control | Coverage |
| --- | --- |
| A.7.1 Physical security perimeters | Inherited from certified data center providers; botBrains operates no facilities |
| A.7.2 Physical entry; A.7.3 Securing offices, rooms and facilities | Inherited (data centers); home-office trusted-location requirement |
| A.7.4 Physical security monitoring | Inherited from providers |
| A.7.5 Protecting against physical and environmental threats; A.7.6 Working in secure areas | Inherited (fire, power, climate controls at data centers) |
| A.7.7 Clear desk and clear screen | Idle screen lock and clean-screen practice |
| A.7.8 Equipment siting and protection; A.7.9 Security of assets off-premises | Devices kept in trusted locations, not left unattended |
| A.7.10 Storage media | Removable media not used for production data |
| A.7.11 Supporting utilities; A.7.12 Cabling security; A.7.13 Equipment maintenance | Inherited (power, cabling, and equipment maintenance at certified data centers) |
| A.7.14 Secure disposal or re-use of equipment | Secure erase or key destruction before disposal or reassignment |

Review

The CISO owns this policy and reviews it at least annually and whenever a hosting provider, device fleet, or remote-work arrangement changes materially.