Our approach to security
There is no "secure" — only shades of insecurity. Our job is to reduce the attack surface, respond effectively when issues arise, and be honest about what we can and cannot guarantee.
How we reduce risk
We operate systems that are as simple as possible, with the fewest components necessary. Every additional service, library, or integration is a potential point of failure. Keeping things simple is the most effective security measure there is.
We choose open source software that is widely deployed and actively maintained. This means vulnerabilities are more likely to be found and fixed quickly by the community, and we are able to validate or remedy issues ourselves without waiting for a vendor's priorities.
We do not rely on external third-party data services. This reduces the risk of supply chain attacks and eliminates unintended external data processing. Your data stays within the infrastructure we control.
Encryption
SSL/TLS certificates are provided for all email and hosting services, ensuring that data is encrypted in transit between your devices and our servers.
Email encryption is not end-to-end by default. While connections to and from our servers are encrypted, messages may pass through other servers on the internet that do not support encryption. If end-to-end confidentiality is required, additional measures such as PGP or S/MIME should be considered.
Monitoring and maintenance
We conduct regular code scanning and dependency checks on hosted applications. Infrastructure is patched and updated on an ongoing basis. Monitoring alerts us to availability issues and unusual activity.
None of this eliminates risk. New vulnerabilities are discovered constantly, and every security failure is ultimately a human error somewhere in the chain — a user, a developer, or an operator. Our aim is to minimise the opportunities for that error and respond quickly when it happens.
Access control
For services that do not need to be publicly accessible, we offer IP-based access restrictions. This limits access to specified locations only. See our What's my IP address page to find your current address for access configuration.
For applications that require user authentication, we can configure multi-factor authentication (MFA) and centralised access management using open source identity tools.
Responsible disclosure
We do not assume our systems are free of issues. Our responsible disclosure policy sets out guidelines for what should be done if a problem is discovered with our services. This is a well-established approach across the industry — it provides a responsible path for managing issues as they are found.
What you can do
Security is a shared responsibility. The most common route into any system is through user credentials — a weak password, a reused password, or a successful phishing attempt. The steps you take to protect your own accounts make a significant difference.
- Use strong, unique passwords and enable multi-factor authentication — see our password policy guidance
- Plan for a breach — know what data you have and where, and consider the impact if it became public or unavailable
- Protect your email account above all — it is often the key to recovering access to every other service
If you have specific security concerns or require a custom solution, please get in touch.