Home Legal Security

Security Policy

Last updated: March 20, 2026

1. Our Commitment to Security

Security is foundational to everything we build and operate at Global Services. We implement defense-in-depth strategies across all our systems, from application code to infrastructure.

2. Infrastructure Security

2.1 Server Hardening

  • SSH key-only authentication (password login disabled on all servers)
  • Fail2Ban intrusion prevention for SSH and web services
  • UFW firewall with deny-by-default rules
  • Automated security updates (unattended-upgrades)
  • Minimal installed packages — only required services enabled

2.2 Network Security

  • SSL/TLS encryption for all web traffic (Let's Encrypt with auto-renewal)
  • HTTP Strict Transport Security (HSTS) headers
  • NinjaFirewall Web Application Firewall (WAF) on web-facing applications
  • Rate limiting on API endpoints and form submissions

3. Application Security

  • Input validation and output encoding to prevent injection attacks
  • CSRF token protection on all forms
  • Parameterized database queries (no raw SQL concatenation)
  • Content Security Policy headers where applicable
  • Honeypot fields and rate limiting on public forms
  • OWASP Top 10 alignment in code review practices

4. Data Protection

4.1 Encryption

  • Data in transit: TLS 1.2+ for all connections
  • Data at rest: Server-side encryption on S3 buckets (AES-256)
  • Backup encryption: All backups stored encrypted in AWS S3

4.2 Access Controls

  • Principle of least privilege — minimal permissions for all accounts
  • Dedicated IAM users for each service/bot with bucket-only S3 policies
  • Regular access review and credential rotation
  • Session management with secure cookie flags (HttpOnly, Secure, SameSite)

5. Backup and Recovery

  • Daily automated database backups to AWS S3
  • Weekly full file system backups with configurable retention
  • 7-day local retention + 30-day S3 retention for databases
  • Monthly full system backups with 6-month retention
  • Periodic backup restoration testing

6. Incident Response

Our incident response process includes:

  1. Detection: Automated monitoring, log analysis, and anomaly detection
  2. Assessment: Classify severity and determine scope of impact
  3. Containment: Isolate affected systems to prevent further damage
  4. Remediation: Apply fixes, patches, and restore from clean backups if needed
  5. Communication: Notify affected parties within 48 hours of confirmed data breach
  6. Post-mortem: Document root cause, timeline, and preventive measures

7. Vulnerability Disclosure

If you discover a security vulnerability in any of our services, we encourage responsible disclosure. Please contact us with:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

We will acknowledge receipt within 2 business days and work with you to address the issue. We do not pursue legal action against researchers who follow responsible disclosure practices.

8. Compliance

We align our security practices with industry standards including:

  • OWASP Top 10 for application security
  • CIS Benchmarks for server hardening
  • AWS Well-Architected Framework for cloud security
  • GDPR guidelines for data protection (see our Privacy Policy and Data Processing Agreement)

9. Contact

For security-related inquiries, please contact us.