# Security Policy

**Version:** 1.0
**Effective:** January 2026
**Owner:** Johan Jongsma
**Review:** Annually

---

## 1. Purpose

Establish security requirements for inou systems, data, and operations.

---

## 2. Scope

- All inou systems (production, staging)
- All data processed by inou
- All administrative access

---

## 3. Roles and Responsibilities

| Role | Responsibilities |
|------|------------------|
| Owner (Johan Jongsma) | Security policy, incident response, system administration, compliance |

---

## 4. Access Control

### 4.1 Administrative Access

| System | Method | Requirements |
|--------|--------|--------------|
| Production server | SSH | Ed25519 key, admin subnet only |
| Staging server | SSH | Ed25519 key, admin subnet only |
| Database | Local only | No remote connections |
| Backups (Google Drive) | rclone | Encrypted credentials |
| Master key (Proton Pass) | Web/app | E2E encrypted, 2FA |

### 4.2 User Authentication

| Method | Specification |
|--------|---------------|
| Login | Email + 6-digit verification code |
| Code expiry | 10 minutes |
| Session duration | 30 days |
| API tokens | AES-256-GCM encrypted, 4-hour expiry |
| OAuth | Authorization code + PKCE |

### 4.3 Principle of Least Privilege

- Users access only their own data by default
- Explicit grants required for shared access
- RBAC enforced at data layer
- API tokens scoped to specific dossiers

---

## 5. Data Protection

### 5.1 Classification

| Level | Examples | Protection |
|-------|----------|------------|
| Critical | Medical images, genome data, lab results | Encrypted at rest and transit |
| Confidential | Names, emails, dates of birth | Encrypted at rest and transit |
| Internal | Logs, configs | Access restricted |

### 5.2 Encryption Standards

| Layer | Standard |
|-------|----------|
| Disk | Full disk encryption |
| Database fields | AES-256-GCM |
| Transit | TLS 1.3 |
| Tokens | AES-256-GCM |
| Compliance | FIPS 140-3 |

### 5.3 Key Management

| Key | Storage | Backup |
|-----|---------|--------|
| Master key | /tank/inou/master.key (chmod 600) | Proton Pass |
| TLS certificates | Caddy auto-managed | Let's Encrypt renewal |
| SSH keys | ~/.ssh/ | Local backup |

---

## 6. Infrastructure Security

### 6.1 Network Architecture

| Zone | Network | Purpose |
|------|---------|---------|
| Production | VLAN 10 (192.168.100.0/24) | Isolated production environment |
| Admin | 192.168.1.0/24 | Administrative access |
| DMZ | 192.168.0.0/24 | Reverse proxy (Caddy) |

### 6.2 Firewall Policy

**Default:** Deny all incoming

**Application Server (192.168.100.2):**

| Port | Source | Purpose |
|------|--------|---------|
| 22/tcp | Admin subnet only | SSH |
| 443/tcp | Any | HTTPS |
| 1080 | Caddy only | Internal proxy |

### 6.3 OS Hardening

| Control | Implementation |
|---------|----------------|
| Operating system | Ubuntu 24.04 LTS |
| Updates | Automatic (unattended-upgrades) |
| Firewall | UFW, default deny |
| SSH | Key-only, password disabled |
| MAC | AppArmor enforcing |
| Intrusion prevention | Fail2ban (sshd) |
| Kernel | SYN cookies, RP filter, ASLR |

---

## 7. Application Security

### 7.1 Secure Development

| Practice | Implementation |
|----------|----------------|
| SQL injection prevention | Parameterized queries only |
| Input validation | All external input validated |
| Output encoding | Context-appropriate encoding |
| Cryptography | Go standard library, FIPS 140-3 |
| Dependencies | Minimal, reviewed |

### 7.2 Prohibited Practices

- Direct database access outside `lib/db_queries.go`
- Hardcoded credentials or keys
- Logging of sensitive data
- Custom cryptography implementations
- Disabled security controls

### 7.3 Deployment Security

| Control | Implementation |
|---------|----------------|
| Pre-deploy validation | `make check-db` (mandatory) |
| Testing | 18 integration tests |
| Staging | Required before production |
| Rollback | ZFS snapshots available |

---

## 8. Physical Security

### 8.1 Facility

| Control | Implementation |
|---------|----------------|
| Location | Private secure facility |
| Access control | Alarm system with monitoring |
| Power | UPS + natural gas generator |
| Connectivity | Fiber + Starlink backup |

### 8.2 Server Security

| Control | Implementation |
|---------|----------------|
| Disk encryption | Full disk encryption |
| Physical access | Owner only |
| Console | Headless, no KVM |

### 8.3 Media Disposal

Failed or decommissioned storage media is physically destroyed.

---

## 9. Incident Response

See: [Incident Response Plan](incident-response-plan.md)

**Contact:** security@inou.com

### Severity Classification

| Severity | Response Time |
|----------|---------------|
| Critical | < 1 hour |
| High | < 4 hours |
| Medium | < 24 hours |
| Low | < 72 hours |

---

## 10. Business Continuity

See: [Disaster Recovery Plan](disaster-recovery-plan.md)

| Metric | Target |
|--------|--------|
| RTO | 4 hours |
| RPO | 24 hours |
| SLA | 99.9% (excluding maintenance) |

---

## 11. Compliance

### Regulatory Framework

| Regulation | Applicability |
|------------|---------------|
| HIPAA | US health data |
| GDPR | EU residents |
| FADP | Swiss residents |
| CCPA | California residents |

### Audit Requirements

- Maintain audit logs for 7 years
- Annual security review
- Document all security incidents

---

## 12. Third-Party Services

| Vendor | Service | Data Exposure | Controls |
|--------|---------|---------------|----------|
| Proton | SMTP | Verification codes only | E2E encryption |
| Google | Backup storage | Encrypted blobs | Pre-encryption |
| Openprovider | DNS | None | N/A |

### LLM Integration (Anthropic Claude)

- User-initiated queries only
- Data flows from inou to user's AI session
- No PHI stored by Anthropic
- No BAA required (conduit model)

---

## 13. Monitoring and Logging

### Logged Events

| Event | Retention |
|-------|-----------|
| HTTP requests | 90 days |
| Authentication | 90 days |
| Data access | 7 years |
| Security events | 7 years |

### Alerting

| Event | Alert Method |
|-------|--------------|
| Suspicious 404s | System notification |
| Tarpit triggers | Logged |
| Failed logins | Fail2ban action |
| Service outage | Uptime Kuma → James AI → Signal |
| Critical vulnerability | Nuclei → James AI → Signal |

### External Monitoring (Zurich)

| Service | Location | Purpose |
|---------|----------|---------|
| Uptime Kuma | zurich.inou.com:3001 | 24/7 availability monitoring |
| Nuclei | zurich.inou.com | Vulnerability scanning |

---

## 13a. Vulnerability Management

### Scanning Program

| Schedule | Type | Tool | Action |
|----------|------|------|--------|
| Monthly (1st, 9am ET) | Full scan | Nuclei | Report + remediate |
| Weekly (Sun, 10am ET) | Critical/High/Medium | Nuclei | Alert if found |
| Pre-release | Full scan | Nuclei | Gate deployment |

### Remediation SLAs

| Severity | Response | Resolution |
|----------|----------|------------|
| Critical | 4 hours | 24 hours |
| High | 24 hours | 7 days |
| Medium | 7 days | 30 days |
| Low | 30 days | 90 days |

### Scan Results

Results stored in: `docs/soc2/scans/YYYY-MM/`

---

## 14. Policy Maintenance

### Review Schedule

| Review | Frequency |
|--------|-----------|
| Full policy review | Annually |
| Risk assessment | Annually |
| Incident review | After each incident |
| Control testing | Quarterly |

### Change Management

Policy changes require:
1. Risk assessment of change
2. Documentation update
3. Version increment
4. Effective date notation

---

*Document end*