
Information Security Policy

How Simple Commenter protects the confidentiality, integrity, and availability of customer data, from encryption and access control to logging and incident reporting.

Ander Digital OÜ
Document Version: 1.0
Effective Date: March 5, 2026
Last Reviewed: March 5, 2026
Owner: Aleksander Kaaberma, CEO / Information Security Officer


1. Purpose

This policy establishes the information security requirements for Ander Digital OÜ ("the Company") to protect the confidentiality, integrity, and availability of company and customer information assets. It applies to all systems, data, and personnel involved in the delivery of the Simple Commenter SaaS platform.

2. Scope

This policy applies to:

  • All company personnel (employees, contractors, partners)
  • All information systems used to deliver services
  • All customer data processed or stored on behalf of clients
  • All third-party services used in service delivery

3. Data Classification

All data handled by the Company is classified into the following categories:

Public
  • Description: Information intended for public access
  • Examples: Marketing content, public documentation, blog posts
  • Handling Requirements: No restrictions on access

Internal
  • Description: Business information not intended for public release
  • Examples: Internal communications, operational procedures, analytics
  • Handling Requirements: Access limited to authorized personnel

Confidential
  • Description: Customer data and sensitive business information
  • Examples: User accounts, comments, feedback data, integration credentials, email addresses
  • Handling Requirements: Encrypted in transit and at rest; access restricted to authorized personnel; deletion upon customer request

Restricted
  • Description: Highly sensitive security materials
  • Examples: Encryption keys, API secrets, JWT signing secrets, database credentials, authentication tokens
  • Handling Requirements: Stored only in environment variables or secrets managers; never committed to source code; access strictly limited

4. Access Control

4.1 Principles

  • Least Privilege: Access is granted only to the minimum level required to perform duties.
  • Individual Accounts: All systems use individual accounts with unique credentials. Shared accounts are prohibited.
  • Multi-Factor Authentication (MFA): Required on all cloud provider and vendor accounts (MongoDB Atlas, Hetzner, Vercel, GitHub, Stripe).

4.2 Access Management

  • Access privileges are reviewed quarterly.
  • Privileged accounts are reviewed quarterly.
  • Access for terminated personnel is revoked within 24 hours.
  • All access changes are documented.

4.3 Password Requirements

  • Minimum 16 characters, generated and stored in a password manager.
  • Unique password per service.
  • Passwords rotated at least annually.
  • MFA enabled wherever supported.

5. Encryption Standards

5.1 Data in Transit

  • All external communications use TLS 1.2 or higher.
  • MongoDB connections require TLS (mongodb+srv:// connection strings, which enable TLS by default).
  • All API endpoints served exclusively over HTTPS.
  • Internal service-to-service communication uses encrypted channels.

5.2 Data at Rest

  • MongoDB Atlas: AES-256 encryption at rest.
  • Hetzner Object Storage: Encryption at rest enabled.
  • Workstation storage: macOS FileVault (AES-256-XTS).
  • Passwords: bcrypt hashing with a minimum cost factor of 10 (2^10 rounds).

6. Device Security

6.1 Workstation Requirements

  • Full-disk encryption (macOS FileVault) must be enabled.
  • macOS built-in firewall must be enabled.
  • Automatic OS security updates must be enabled.
  • XProtect and Gatekeeper malware protection must remain active.
  • Find My Mac must be enabled for remote wipe capability.
  • Screen lock must engage after 5 minutes of inactivity.

6.2 Data Handling

  • Customer data must not be stored on local workstations.
  • USB devices must not be used to transfer customer data.
  • All customer data must reside in approved cloud infrastructure.

7. Network Security

  • MongoDB Atlas IP allowlisting restricts database access to authorized networks.
  • No direct public access to databases.
  • SSRF protection for proxy operations: target addresses are checked against private IP ranges and blocked before any request is made.
  • Rate limiting enforced on API endpoints and registration.
  • CORS configuration managed per service requirements.
  • Security headers enforced: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

8. Application Security

  • User-supplied HTML (comments, feedback) sanitized with the DOMPurify and sanitize-html libraries.
  • JWT-based authentication with HS256 algorithm.
  • Integration tokens with scoped permissions (read/write/settings).
  • Stripe webhook signature verification for payment events.
  • Spam detection using rule-based pattern matching.
  • Dependency vulnerability scanning via npm audit and GitHub Dependabot.

9. Logging and Monitoring

  • Centralized log management via Better Stack with 365-day retention.
  • Application logs cover authentication events, API usage, rate limiting, and errors.
  • Cloud provider audit logs (MongoDB Atlas, Hetzner, Vercel) monitored.
  • Log data stored in EU region (Nuremberg, Germany).

10. Third-Party Management

  • All service suppliers evaluated for security certifications (SOC 2, ISO 27001).
  • Data Processing Agreements (DPAs) maintained with all data processors.
  • Sub-processor list maintained and reviewed annually.
  • Data residency verified during vendor onboarding (EU preferred).
  • Supplier security posture reviewed annually.

11. Change Management

  • All code changes tracked through Git version control.
  • Production deployments through Vercel CI/CD pipeline.
  • Preview deployments for review before production promotion.
  • No direct production modifications outside version control.
  • Database schema changes reviewed and documented.

12. Patch Management

  • Critical security patches applied within 72 hours of release.
  • High-severity patches applied within 14 days.
  • Routine updates applied within 30 days.
  • Automated vulnerability detection via GitHub Dependabot and npm audit.
  • Infrastructure patches managed by cloud providers (Vercel, MongoDB Atlas, Hetzner).

13. Incident Reporting

All suspected security incidents must be reported immediately and handled per the Incident Response Plan (see security/incident-response-plan.md). This includes:

  • Unauthorized access attempts
  • Data breaches or suspected data exposure
  • Malware detection
  • System compromises
  • Lost or stolen devices

14. Acceptable Use

  • Company systems and data must be used only for authorized business purposes.
  • Customer data must not be shared with unauthorized parties.
  • Security controls must not be bypassed or disabled.
  • All security vulnerabilities discovered must be reported and remediated promptly.

15. Compliance

This policy aligns with:

  • General Data Protection Regulation (GDPR)
  • OWASP Application Security best practices
  • CIS Controls framework
  • Cloud provider security best practices

16. Policy Review

This policy is reviewed annually or upon significant changes to the business, technology, or threat landscape. Updates require approval from the Information Security Officer.


Approval: Aleksander Kaaberma, CEO / Information Security Officer
Date: March 5, 2026