Security & sovereignty
Systematic penetration testing, data hosted in Europe outside the US Cloud Act, encrypted secrets, edge WAF - a documented, verifiable security posture.
Security is not an annual audit: it is a continuous posture, from architecture to the edge. Our projects are tested before every major release, hosted on ISO 27001-certified European infrastructure, and protected by independent layers of defence.
Pentest before every launch
Penetration test in grey-box mode (simulated limited access) or black-box mode (external attacker) before every major go-live. Report delivered to the client with vulnerabilities classified by OWASP Top 10 and a costed remediation plan.
Data sovereignty
Hosted on BSO, a European Kubernetes infrastructure certified ISO 27001 and HDS. Data does not fall under the US Cloud Act. Secrets are managed in Bitwarden Secrets Manager (EU instance), not in plain-text environment variables.
Defence in depth
Cloudflare Access and WAF in front of the origin, OWASP rules enabled in block mode, automatic TLS, rate limiting, DDoS mitigation. Kubernetes pods are isolated by namespace with NetworkPolicies and strict RBAC. The Docker image is rebuilt on every deployment.
Security posture by layer
Edge layer (Cloudflare):
- WAF with OWASP Top 10 rules enabled in block mode.
- Cloudflare Access in front of non-public environments (staging, back office): mandatory SSO authentication, zero-trust model.
- Automatic TLS (Let's Encrypt via Cloudflare), HSTS preloaded.
- Rate limiting on sensitive endpoints (forms, authentication APIs).
- DDoS protection at layers 3, 4 and 7.
Infrastructure layer (BSO Kubernetes):
- Namespaces isolated per project: no pod can communicate with another namespace without an explicit NetworkPolicy.
- Strict RBAC: application service accounts hold only the permissions they need.
- Docker images rebuilt on every deployment from the private GitLab registry. No unvalidated third-party image.
- Secrets injected at runtime by the Bitwarden Secrets Manager CLI (BWS) via the CI job: they never transit in plain text through GitLab environment variables and are never committed to the codebase.
- Declarative GitOps with ArgoCD: every infrastructure state is versioned and auditable.
Application layer:
- Security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy configured systematically.
- OAuth2/Keycloak or OIDC authentication (e.g. Okta for enterprise accounts): no WordPress credentials exposed directly on the public network.
- SecuPress Pro on WordPress projects: anti-brute-force, malware scanning, Move Login, 2FA.
- Forms: server-side validation, CSRF protection, explicit GDPR consent before any data processing.
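The security headers listed for the application layer, together with the preloaded HSTS named at the edge layer, can be verified on a deployed response. The checker below is an added example, not the agency's own tooling; its thresholds (a one-year HSTS max-age, the accepted Referrer-Policy values) and the sample header sets are this example's assumptions.

```python
# Added example: audit the headers the page lists (CSP, X-Frame-Options,
# X-Content-Type-Options, Referrer-Policy) plus preload-grade HSTS.
HSTS_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts (assumption)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def csp_directive(csp: str, name: str) -> list:
    """Source list of one CSP directive, lower-cased; empty if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return []

def audit_headers(headers: dict) -> list:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        if not csp_directive(csp, "default-src"):
            findings.append("CSP has no default-src fallback")
        scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src")
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or wildcard scripts")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs")
    hsts = {d.strip().lower() for d in h.get("strict-transport-security", "").split(";")}
    age = next((int(d[8:]) for d in hsts if d.startswith("max-age=") and d[8:].isdigit()), 0)
    if age < HSTS_MIN_AGE or not {"includesubdomains", "preload"} <= hsts:
        findings.append("HSTS not preload-grade (1y max-age, includeSubDomains, preload)")
    return findings

# Constructed samples, not captured from any real site.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOWALL", "Strict-Transport-Security": "max-age=3600"}
```

Run `audit_headers` over the header dict returned by your HTTP client after each deployment; a non-empty list is a regression against the posture described above.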
Penetration testing
Before every major go-live, a security test is conducted in grey-box mode (simulated limited access, reproducing an insider threat or a compromised partner) or black-box mode (external attacker with no access). Scope covers:
- Publicly exposed REST/GraphQL endpoints.
- The CMS back office (authentication, file upload, injections).
- Secrets and environment variables (verifying no secret is exposed in headers, logs or API responses).
- npm and Composer dependencies (CVE audit via npm audit and composer audit integrated in CI).
The pentest report is delivered to the client with vulnerabilities classified by severity (OWASP Top 10, CVSS) and a remediation plan with a time estimate.
Sovereignty and compliance
- European hosting: BSO is a physically France-based infrastructure certified ISO 27001 and HDS. Health data, sensitive HR data and contractual data remain on European soil.
- Outside the Cloud Act: data does not transit through servers under US jurisdiction (no AWS, Azure or GCP by default on our BSO projects).
- Bitwarden Secrets Manager: EU instance (api.bitwarden.eu), end-to-end encryption, secret rotation without redeployment.
- Audit logging: all access and write actions are logged (Loki on BSO), auditable at any time.