Security Policy
Version: 1.0
Effective: January 2026
Owner: Johan Jongsma
Review: Annually
1. Purpose
Establish security requirements for inou systems, data, and operations.
2. Scope
- All inou systems (production, staging)
- All data processed by inou
- All administrative access
3. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Owner (Johan Jongsma) | Security policy, incident response, system administration, compliance |
4. Access Control
4.1 Administrative Access
| System | Method | Requirements |
|---|---|---|
| Production server | SSH | Ed25519 key, admin subnet only |
| Staging server | SSH | Ed25519 key, admin subnet only |
| Database | Local only | No remote connections |
| Backups (Google Drive) | rclone | Encrypted credentials |
| Master key (Proton Pass) | Web/app | E2E encrypted, 2FA |
4.2 User Authentication
| Method | Specification |
|---|---|
| Login | Email + 6-digit verification code |
| Code expiry | 10 minutes |
| Session duration | 30 days |
| API tokens | AES-256-GCM encrypted, 4-hour expiry |
| OAuth | Authorization code + PKCE |
4.3 Principle of Least Privilege
- Users access only their own data by default
- Explicit grants required for shared access
- RBAC enforced at data layer
- API tokens scoped to specific dossiers
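The token rules in 4.2 (AES-256-GCM, 4-hour expiry) and the dossier scoping in 4.3, shown as an added Go example. This is illustration code, not inou's implementation: the claim field names (`uid`, `dossiers`, `exp`), the `inou-api-token` associated-data label, and the all-zero demo key are assumptions. The point it makes beyond the table is that GCM's authentication tag, not just encryption, is what stops a client from editing its own token to widen the dossier list or push out the expiry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const (
	tokenTTL = 4 * time.Hour    // 4.2: API token expiry
	tokenAAD = "inou-api-token" // assumed label; binds ciphertexts to this purpose
)

var (
	ErrInvalidToken = errors.New("invalid token")
	ErrExpiredToken = errors.New("token expired")
	ErrScope        = errors.New("token not scoped to this dossier")
)

// tokenClaims is the plaintext sealed inside a token (hypothetical schema).
type tokenClaims struct {
	UserID   string   `json:"uid"`
	Dossiers []string `json:"dossiers"` // 4.3: explicit dossier scope
	Expires  int64    `json:"exp"`      // unix seconds
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// issueToken seals the claims under AES-256-GCM; the random 12-byte nonce is
// prefixed so openToken can recover it. The GCM tag makes any edit fail to open.
func issueToken(key []byte, userID string, dossiers []string, now time.Time) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	claims := tokenClaims{UserID: userID, Dossiers: dossiers, Expires: now.Add(tokenTTL).Unix()}
	plaintext, _ := json.Marshal(claims) // a struct of strings and ints cannot fail to marshal
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plaintext, []byte(tokenAAD))), nil
}

// openToken authenticates and decrypts a token, then enforces its expiry.
func openToken(key []byte, token string, now time.Time) (*tokenClaims, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < aead.NonceSize() {
		return nil, ErrInvalidToken
	}
	plaintext, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(tokenAAD))
	if err != nil {
		return nil, ErrInvalidToken // wrong key, or tampered ciphertext/tag
	}
	var claims tokenClaims
	if err := json.Unmarshal(plaintext, &claims); err != nil {
		return nil, ErrInvalidToken
	}
	if !now.Before(time.Unix(claims.Expires, 0)) {
		return nil, ErrExpiredToken
	}
	return &claims, nil
}

// authorizeDossier applies the 4.3 rule: a token grants nothing outside its scope.
func authorizeDossier(c *tokenClaims, dossierID string) error {
	for _, d := range c.Dossiers {
		if d == dossierID {
			return nil
		}
	}
	return ErrScope
}

func main() {
	key := make([]byte, 32) // demo key only; production would load the master key
	now := time.Now()
	tok, _ := issueToken(key, "user-1", []string{"dossier-42"}, now)
	claims, err := openToken(key, tok, now)
	fmt.Println(err, authorizeDossier(claims, "dossier-42"), authorizeDossier(claims, "dossier-7"))
	_, err = openToken(key, tok, now.Add(tokenTTL))
	fmt.Println(err)
}
```

The expiry is checked after the tag verifies, so an expired-but-genuine token and a forged one are distinguishable in logs; a real deployment would also carry a token identifier so individual tokens can be revoked before the 4-hour window ends.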
5. Data Protection
5.1 Classification
| Level | Examples | Protection |
|---|---|---|
| Critical | Medical images, genome data, lab results | Encrypted at rest and in transit |
| Confidential | Names, emails, dates of birth | Encrypted at rest and in transit |
| Internal | Logs, configs | Access restricted |
5.2 Encryption Standards
| Layer | Standard |
|---|---|
| Disk | Full disk encryption |
| Database fields | AES-256-GCM |
| Transit | TLS 1.3 |
| Tokens | AES-256-GCM |
| Compliance | FIPS 140-3 (Go Cryptographic Module; requires `GODEBUG=fips140=on` at build and run time) |
5.3 Key Management
| Key | Storage | Backup |
|---|---|---|
| Master key | /tank/inou/master.key (chmod 600) | Proton Pass |
| TLS certificates | Caddy auto-managed | Let's Encrypt renewal |
| SSH keys | ~/.ssh/ | Local backup |
6. Infrastructure Security
6.1 Network Architecture
| Zone | Network | Purpose |
|---|---|---|
| Production | VLAN 10 (192.168.100.0/24) | Isolated production environment |
| Admin | 192.168.1.0/24 | Administrative access |
| DMZ | 192.168.0.0/24 | Reverse proxy (Caddy) |
6.2 Firewall Policy
Default: Deny all incoming
Application Server (192.168.100.2):
| Port | Source | Purpose |
|---|---|---|
| 22/tcp | Admin subnet only | SSH |
| 443/tcp | Any | HTTPS |
| 1080 | Caddy only | Internal proxy |
6.3 OS Hardening
| Control | Implementation |
|---|---|
| Operating system | Ubuntu 24.04 LTS |
| Updates | Automatic (unattended-upgrades) |
| Firewall | UFW, default deny |
| SSH | Key-only, password authentication disabled |
| MAC | AppArmor enforcing |
| Intrusion prevention | Fail2ban (sshd) |
| Kernel | SYN cookies, RP filter, ASLR |
7. Application Security
7.1 Secure Development
| Practice | Implementation |
|---|---|
| SQL injection prevention | Parameterized queries only |
| Input validation | All external input validated |
| Output encoding | Context-appropriate encoding |
| Cryptography | Go standard library, FIPS 140-3 |
| Dependencies | Minimal, reviewed |
7.2 Prohibited Practices
- Direct database access outside lib/db_queries.go
- Hardcoded credentials or keys
- Logging of sensitive data
- Custom cryptography implementations
- Disabled security controls
7.3 Deployment Security
| Control | Implementation |
|---|---|
| Pre-deploy validation | make check-db (mandatory) |
| Testing | 18 integration tests |
| Staging | Required before production |
| Rollback | ZFS snapshots available |
8. Physical Security
8.1 Facility
| Control | Implementation |
|---|---|
| Location | Private secure facility |
| Access control | Alarm system with monitoring |
| Power | UPS + natural gas generator |
| Connectivity | Fiber + Starlink backup |
8.2 Server Security
| Control | Implementation |
|---|---|
| Disk encryption | Full disk encryption |
| Physical access | Owner only |
| Console | Headless, no KVM |
8.3 Media Disposal
Failed or decommissioned storage media is physically destroyed.
9. Incident Response
See: Incident Response Plan
Contact: security@inou.com
Severity Classification
| Severity | Response Time |
|---|---|
| Critical | < 1 hour |
| High | < 4 hours |
| Medium | < 24 hours |
| Low | < 72 hours |
10. Business Continuity
See: Disaster Recovery Plan
| Metric | Target |
|---|---|
| RTO | 4 hours |
| RPO | 24 hours |
| SLA | 99.9% (excluding maintenance) |
11. Compliance
Regulatory Framework
| Regulation | Applicability |
|---|---|
| HIPAA | US health data |
| GDPR | EU residents |
| FADP | Swiss residents |
| CCPA | California residents |
Audit Requirements
- Maintain audit logs for 7 years
- Annual security review
- Document all security incidents
12. Third-Party Services
| Vendor | Service | Data Exposure | Controls |
|---|---|---|---|
| Proton | SMTP | Verification codes only | E2E encryption |
| Google | Backup storage | Encrypted blobs | Encrypted before upload |
| Openprovider | DNS | None | N/A |
LLM Integration (Anthropic Claude)
- User-initiated queries only
- Data flows from inou to user's AI session
- No PHI stored by Anthropic
- No BAA required (conduit model)
13. Monitoring and Logging
Logged Events
| Event | Retention |
|---|---|
| HTTP requests | 90 days |
| Authentication | 90 days |
| Data access | 7 years |
| Security events | 7 years |
Alerting
| Event | Alert Method |
|---|---|
| Suspicious 404s | System notification |
| Tarpit triggers | Logged |
| Failed logins | Fail2ban action |
| Service outage | Uptime Kuma → James AI → Signal |
| Critical vulnerability | Nuclei → James AI → Signal |
External Monitoring (Zurich)
| Service | Location | Purpose |
|---|---|---|
| Uptime Kuma | zurich.inou.com:3001 | 24/7 availability monitoring |
| Nuclei | zurich.inou.com | Vulnerability scanning |
13a. Vulnerability Management
Scanning Program
| Schedule | Type | Tool | Action |
|---|---|---|---|
| Monthly (1st, 9am ET) | Full scan | Nuclei | Report + remediate |
| Weekly (Sun, 10am ET) | Critical/High/Medium | Nuclei | Alert if found |
| Pre-release | Full scan | Nuclei | Gate deployment |
Remediation SLAs
| Severity | Response | Resolution |
|---|---|---|
| Critical | 4 hours | 24 hours |
| High | 24 hours | 7 days |
| Medium | 7 days | 30 days |
| Low | 30 days | 90 days |
Scan Results
Results stored in: docs/soc2/scans/YYYY-MM/
14. Policy Maintenance
Review Schedule
| Review | Frequency |
|---|---|
| Full policy review | Annually |
| Risk assessment | Annually |
| Incident review | After each incident |
| Control testing | Quarterly |
Change Management
Policy changes require:
- Risk assessment of change
- Documentation update
- Version increment
- Effective date notation
Document end