Security Information - Dashboard Application

Last Updated: June 2025

Security Overview

This security information applies specifically to our Dashboard Application. Building Better Teams operates with a security-first approach for our dashboard service. Our infrastructure is self-hosted in the EU, no personal information is stored on our servers, and access is strictly limited to essential personnel. We follow industry best practices for system hardening, regular updates, encryption, and monitoring. All systems are designed with privacy by default and data minimization principles. Companies and users are anonymized at rest to ensure privacy protection.

EU Hosted End-to-End Encryption No Personal Data Storage Regular Security Updates SSH Key Authentication Rate Limiting

1. Infrastructure Security

1.1 Hosting Environment

Infrastructure: Our infrastructure operates on dedicated servers in Hetzner's ISO 27001 certified datacenters in Finland. With the exception of physical access (which is limited ot Hetzner), pe maintain direct control over all server management, security configurations, and data processing - no third parties have access to customer data or application systems. We shorten this to "the datacenter" elsewhere in this document.
Virtualization: Proxmox hypervisor with LXC containers for isolation and resource management
Operating System: Debian 12 with regular security patches
Network Security: Firewall configured to allow only necessary ports
Physical Security: The datacenter facilities provide 24/7 monitoring and access control
Web Application Firewall: BunkerWeb with rate limiting (maximum 60 requests per minute per IP) and DDoS protection

1.2 System Hardening

Minimal software installation (only required packages)
Automatic security updates enabled
SSH access restricted to key-based authentication only
Regular system monitoring and log analysis

2. Application Security

Technology Stack

Backend: Next.js and Python with secure frameworks and libraries
Frontend: Next.js and React with security best practices
Database: PostgreSQL with encrypted connections
Web Server: Nginx with security headers and SSL/TLS
Version Control: Self-hosted Forgejo instance

2.1 Data Protection

No Personal Data Storage: We do not store names or business names in our application as all data is highly confidential and anonymized
User Identification: Users receive anonymized user IDs for system access
Data Anonymization: All stored data is anonymized at rest for privacy protection
Database Security: Single PostgreSQL database server with encrypted connections and access controls
Data Encryption: All data encrypted in transit (TLS 1.3) and at rest
Authentication: Secure session management with HTTP-only cookies for authentication purposes only
Password Security: Users must generate secure passwords following strong password requirements
Input Validation: All user inputs validated and sanitized
SQL Injection Protection: Parameterized queries and ORM usage
XSS Prevention: Content Security Policy and output encoding
Certificate Management: Let's Encrypt with automated renewal
No API Exposure: No external APIs are exposed for security purposes

2.2 Development Security

Automated deployment pipeline through dedicated Git infrastructure
Code review process for all changes
Secure coding practices following OWASP guidelines
Regular security testing and code audits
No third-party integrations or external dependencies

3. Access Control

3.1 Administrative Access

Principle of Least Privilege: Only Brian Graham has administrative access
SSH Key Authentication: Strong RSA/Ed25519 keys, no password authentication
Multi-Factor Authentication: Required for critical system access
Session Management: Automatic timeout and secure session handling
Audit Logging: All administrative actions logged and monitored

3.2 Application Access

Role-based access control where applicable
Secure password policies for user accounts
Account lockout protection against brute force attacks
Regular access review and cleanup of unused accounts

4. Monitoring and Incident Response

4.1 System Monitoring

Uptime Monitoring: Continuous availability monitoring via dedicated infrastructure
Log Analysis: Centralized logging with security event detection
Log Retention: Dashboard application logs retained for 30 days, other services 7 days
Performance Monitoring: Resource usage and application performance tracking
Security Monitoring: Intrusion detection and anomaly detection
Backup Monitoring: Automated backup verification and testing

4.2 Incident Response

24/7 automated alerting for critical security events
Documented incident response procedures
Regular backup testing and disaster recovery planning
Security incident escalation process
Post-incident analysis and improvement process
Incident Notification: Brian will notify customers within 30 days of any data security incident
Service Response: Brian is actively working on resolving any service issues (single operator)
Backup Restoration: System restoration from backups may take up to 3 days

5. Data Governance

5.1 Data Processing Principles

No Personal Data: We do not collect or store personal information or business names
Data Anonymization: All stored data is anonymized at rest for confidentiality
Service Improvement: Anonymized non-personal data may be used to improve our services
Purpose Limitation: Data used only for stated business purposes
Data Retention Policy: Data retained for business continuity unless deletion requested
Access Removal: Your access and data will be soft-removed for data protection purposes after 12 months unless requested otherwise
Data Sovereignty: All data remains within EU jurisdiction
No Third-Party Sharing: Data never shared with external parties
Data Portability: Customers can download their data as CSV or PDF directly from the dashboard at any time
Access Recovery: If access was removed, customers can request re-enablement to access their data

5.2 Data Location and Transfers

All data stored and processed in EU (the datacenter in Finland)
No international data transfers outside EU/EEA
No cloud service providers with access to application data
Direct control over all data processing activities
Data deletion requests can be made by emailing brian@buildingbetterteams.de

6. Backup and Recovery

Automated Backups: Daily encrypted backups of all critical data
Backup Security: All backups encrypted at rest and in transit
Backup Storage: Encrypted backups stored in secure office location in Berlin
Physical Security: Backup drive enclosure has tamper-evident seals
Backup Testing: Regular restore testing to ensure data integrity
Retention Policy: Backups retained for 7 days, then securely deleted
Disaster Recovery: Documented procedures for system restoration
Business Continuity: Plans for maintaining service during incidents
Recovery Time: System restoration from backups may take up to 3 days

7. Compliance and Standards

Security Framework Alignment

Our security practices align with industry standards including:

GDPR: Full compliance with EU data protection regulations
OWASP: Web application security best practices
Industry Standards: Following established cybersecurity principles

7.1 Regular Security Reviews

Quarterly security posture assessments
Quarterly vulnerability assessments
Regular security policy and procedure updates
Continuous security monitoring and improvement

8. Security Contact

Security Vulnerability Disclosure

If you discover a security vulnerability or have security concerns about our dashboard application, please contact us immediately:

Email: brian@buildingbetterteams.de
Response Time: We aim to respond to security reports within 24 hours

Responsible Disclosure Policy

We appreciate responsible disclosure of security vulnerabilities. Please:

Contact us before publicly disclosing any security issues
Provide sufficient detail to reproduce the issue
Allow reasonable time for us to address the issue before disclosure
Do not access or modify data belonging to others
Do not perform actions that could harm the service or other users

9. Architecture Overview

Note: Detailed system architecture diagrams are available upon request for authorized parties conducting security assessments.

10. Security Certifications and Assessments

OWASP Top 10: Application security controls implemented
GDPR Compliance: Full compliance with EU data protection regulations

Security Information Requests

For enterprise customers requiring detailed security documentation or specific security questionnaire responses, please contact:

Email: brian@buildingbetterteams.de

Vendor

The vendor of this internet presence is in the legal sense:

Building Better Teams - Brian Graham
Mühlenstraße 8a
14167 Berlin, Germany

Contact

USt-ID: DE354152177
brian@buildingbetterteams.de
+491783212891

Interstate Broadcasting Agreement

Responsible for content within the meaning of section 55 (2) RStV (Rundfunkstaatsvertrag): Brian Graham

Representative

Building Better Teams is legally represented by Brian Graham

Legal Structure

"Building Better Teams - Brian Graham" is an independent consulting practice from Brian Graham, serving technology companies since 2022, registered (Gewerbeanmeldung) as a sole proprietorship (Einzelunternehmer) at the district office (Bezirksamt) Steglitz-Zehlendorf, Berlin, Germany. Registration with HRB has not been required for this sole proprietorship.