Security
Last updated: 4 May 2026
This page describes the security posture of our public-facing properties — the marketing site, the licensing portal, and the help docs site. Product-deployment security (your trust's KeystoneOps instance) is documented separately on the procurement guidance page and in the procurement pack PDF.
Independent verification
We re-test our public sites quarterly with the standard external scanners. Most recent results, May 2026:
- Mozilla HTTP Observatory: A+ (125 / 100). Scores hash-based Content Security Policy, CORP, X-Frame-Options, Referrer-Policy.
- Qualys SSL Labs: A+. TLS 1.3, modern cipher suites only, HSTS preload-eligible, DNS CAA configured.
If you are evaluating us and would like a fresh scan, run one yourself — both tools are free and open. We don't embed the badges on the site because static badges age poorly; we'd rather you see today's posture, not last year's.
Web hardening (this site and its siblings)
- TLS: 1.2 minimum, 1.3 preferred. Modern cipher suites only; legacy TLS and weak ciphers disabled at the edge.
- HSTS: max-age 2 years, includeSubDomains, preload. Submitted to the browser preload list once stability is confirmed.
- Content Security Policy: hash-based, per-page. Every inline script and style is SHA-256 pinned at build time; 'unsafe-inline' is not used. Generated natively by Astro 6's security.csp feature.
- Other headers: X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Cross-Origin-Resource-Policy: same-origin, restrictive Permissions-Policy.
- Rate limiting: the few dynamic API endpoints (contact form, procurement-pack PDF render) are rate-limited at the edge to 20 req/min/IP with a small burst.
- SSRF guards: the procurement-pack PDF renderer accepts only same-origin URLs (host allowlist).
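A same-origin host allowlist of the kind described in the SSRF item can be sketched as follows. This is an added example, not the site's own code: the function name checkRenderTarget and the hostnames in ALLOWED_HOSTS are hypothetical placeholders, and the sample inputs are constructed.

```javascript
// Added example: host allowlist check for a server-side URL fetcher.
// ALLOWED_HOSTS holds placeholder names, not the site's real hostnames.
const ALLOWED_HOSTS = new Set(["www.example.test", "docs.example.test"]);

// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }.
function checkRenderTarget(raw) {
  if (typeof raw !== "string" || raw.length > 2048) {
    return { ok: false, reason: "bad-input" };
  }
  let u;
  try {
    // The WHATWG parser lowercases the host and rejects relative input,
    // so the checks below run on the same host the fetcher will contact.
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme" };
  // Userinfo lets "https://allowed-host@other-host/" look like the allowed host.
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: "userinfo" };
  }
  // u.port is "" for the default 443; an explicit other port is another origin.
  if (u.port !== "") return { ok: false, reason: "port" };
  // Exact match on the parsed hostname: no suffix, prefix or substring tests.
  if (!ALLOWED_HOSTS.has(u.hostname)) return { ok: false, reason: "host" };
  return { ok: true, url: u.href };
}

// Constructed sample inputs, one per rejection reason plus one accepted URL.
const samples = [
  "https://www.example.test/pack?trust=1",
  "https://www.example.test@other.example/",
  "https://www.example.test.other.example/",
  "https://www.example.test:8443/",
  "http://www.example.test/",
  "/pack",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(checkRenderTarget(s)));
}
```

The fetcher should request the returned normalised URL rather than the raw input, and either refuse redirects or run each redirect target through the same check.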
Build-time security
- Dependency auditing: npm audit runs on every pipeline. Moderate-severity advisories are surfaced informationally; high-severity advisories block the release.
- Locked dependencies: all installs use npm ci against a committed lockfile. No floating versions in production.
- Reproducible builds: GitLab CI pipeline is the single deployment path. No "scp from my laptop" deploys.
Operational security
- Patch cadence: Ubuntu unattended-upgrades enabled. High-severity OS or framework CVEs patched within 14 days; critical within 72 hours.
- Least privilege: the deploy user has NOPASSWD sudo for exactly one command (systemctl restart keystoneops-web) and nothing else. The runtime service runs as an unprivileged user with systemd hardening (NoNewPrivileges, ProtectSystem=strict, PrivateTmp).
- Secrets: live in a root-owned /etc/keystoneops-web.env (chmod 600), never in the git repo. CI uses scoped SSH keys, not shared credentials.
- Atomic deploys: each release lands in a timestamped directory; deployment is a single-inode symlink swap so there is no half-deployed window. Rollback is one command.
Hosting
All our public properties run on UK-based, single-tenant infrastructure provided by Mythic Beasts Ltd — a UK-owned, UK-staffed hosting partner with datacentres in London (Sovereign House) and Cambridge. No US parent. No third-country transfers. Detailed in the privacy policy.
Certifications
- Cyber Essentials: application in progress, target Q3 2026.
- Cyber Essentials Plus: target Q4 2026.
- ISO 27001: on the 2027 roadmap.
These dates are honest, not aspirational. Until each certificate is in hand we don't claim it. We hold ourselves to the controls the standard requires (patch SLAs, MFA on administrative access, unprivileged service accounts, audited deployment) ahead of formal accreditation.
Reporting a vulnerability
If you believe you have found a security issue affecting any KeystoneOps property, please email security@keystoneops.education. We acknowledge within one working day, communicate openly with affected parties, and never threaten legal action against good-faith researchers. Coordinates also published at /.well-known/security.txt per RFC 9116.
Product security
The above describes our public properties. Security of the KeystoneOps product itself, when deployed into your trust, is documented in the procurement guidance page and in the procurement-pack PDF (architecture, encryption, audit log, subprocessors, DPIA scaffolding). For a copy with your trust's specific shape pre-filled, use the contact form.