NIST CSF Compliance Dashboard | 02/2026

LegallyMail

Status: Secure
Encryption: Active
Compliance rate: 100%


Implemented controls: 103
Total controls: 103

Security Posture

Framework Breakdown

Identify (100% implemented)

Develop organizational understanding to manage cybersecurity risk

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect (100% implemented)

Develop and implement safeguards to ensure delivery of services

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes
  • Maintenance
  • Protective Technology

Detect (100% implemented)

Develop and implement activities to identify occurrence of cybersecurity events

  • Anomalies and Events
  • Continuous Monitoring
  • Detection Processes

Respond (100% implemented)

Develop and implement activities to take action regarding detected cybersecurity incidents

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover (100% implemented)

Develop and implement activities to maintain resilience and restore capabilities

  • Recovery Planning
  • Improvements
  • Communications

Controls Implemented

Asset Management

ID.AM-1
Physical devices and systems within the organization are inventoried
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-2
Software platforms and applications are inventoried
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-3
Organizational communication and data flows are mapped
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-4
External information systems are catalogued
Evidence: Third-party service documentation, integration records

ID.AM-5
Resources are prioritized based on their classification, criticality, and business value
Evidence: Data Classification Policy.md, Database Encryption Architecture.

ID.AM-6
Cybersecurity roles and responsibilities are established

Business Environment

ID.BE-1
The organization's role in the supply chain is identified and communicated
Evidence: Service provider documentation, TSA integration, Stripe payment processing

ID.BE-2
The organization's place in critical infrastructure is identified
Evidence: Service architecture documentation, critical service monitoring

ID.BE-3
Priorities for organizational mission, objectives, and activities are established
Evidence: NIST compliance framework, GDPR compliance, service SLAs

ID.BE-4
Dependencies and critical functions are established
Evidence: Service dependency mapping, critical function documentation

ID.BE-5
Resilience requirements to support delivery of critical services are established
Evidence: Service status dashboard, maintenance mode system, error handling framework

Governance

ID.GV-1
Organizational cybersecurity policy is established and communicated
Evidence: Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records

ID.GV-2
Cybersecurity roles and responsibilities are coordinated and aligned
Evidence: Internal security coordination, admin role structure

ID.GV-3
Legal and regulatory requirements are understood and managed

ID.GV-4
Governance and risk management processes address cybersecurity risks
Evidence: NIST compliance dashboard, risk assessment through compliance monitoring

Risk Assessment

ID.RA-1
Asset vulnerabilities are identified and documented
Evidence: Past audit with Claude Sonnet 4.5 in January 2026

ID.RA-2
Cyber threat intelligence is received from information sharing forums
Evidence: Composer security advisories, dependency monitoring

ID.RA-3
Threats, both internal and external, are identified and documented
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-4
Potential business impacts and likelihoods are identified
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-5
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-6
Risk responses are identified and prioritized
Evidence: Security improvements, vulnerability patching process

Risk Management Strategy

ID.RM-1
Risk management processes are established, managed, and agreed to
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RM-2
Organizational risk tolerance is determined and clearly expressed
Evidence: NIST CSF compliance, GDPR compliance, security headers implementation

ID.RM-3
The organization's determination of risk tolerance is informed by its role
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-2
Physical access to assets is managed and protected
Evidence: Hetzner ISO 27001 certification, data center security documentation

PR.AC-3
Remote access is managed
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-4
Access permissions and authorizations are managed
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-5
Network integrity is protected (e.g., network segregation)
Evidence: Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.

PR.AC-6
Identities are proofed and bound to credentials
Evidence: Email verification system, email_verified column in users table

PR.AC-7
Users, devices, and assets are authenticated

Awareness and Training

PR.AT-1
All users are informed and trained on cybersecurity awareness
Evidence: Privacy policy, terms of service, GDPR compliance documentation

PR.AT-2
Privileged users understand their roles and responsibilities
Evidence: Admin dashboard with security controls, role-based access documentation

PR.AT-3
Third-party stakeholders understand their roles and responsibilities
Evidence: Vendor agreements, partner documentation, API documentation

PR.AT-4
Senior executives understand their roles and responsibilities

PR.AT-5
Physical and cybersecurity personnel understand their roles
Evidence: Admin role documentation, Hetzner security procedures

Data Security

PR.DS-1
Data-at-rest is protected
Evidence: Provided by Google Cloud (external provider)

PR.DS-2
Data-in-transit is protected

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition
Evidence: User data management, certified_emails retention, data export capabilities

PR.DS-4
Adequate capacity to ensure availability is maintained
Evidence: Hetzner infrastructure monitoring, service status tracking

PR.DS-5
Protections against data leaks are implemented
Evidence: Hashing and 256-bit AES encryption of sensitive data

PR.DS-6
Integrity checking mechanisms verify software and information integrity

PR.DS-7
Development and testing environment(s) are separate from production
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.DS-8
Integrity checking mechanisms verify hardware integrity
Evidence: Hetzner infrastructure security, ISO 27001 certification

Information Protection Processes

PR.IP-1
A baseline configuration of systems is created and maintained
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.IP-2
A System Development Life Cycle to manage systems is implemented
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.IP-3
Configuration change control processes are in place
Evidence: Git repository, .env file management, version control practices

PR.IP-4
Backups of information are conducted, maintained, and tested
Evidence: Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.

PR.IP-5
Policy and regulations regarding the physical operating environment
Evidence: Hetzner data center certifications, environmental controls documentation

PR.IP-6
Data is destroyed according to policy
Evidence: Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.

PR.IP-7
Protection processes are improved
Evidence: NIST compliance dashboard, regular security updates, dependency updates

PR.IP-8
Effectiveness of protection technologies is shared
Evidence: Internal security reviews, NIST compliance public page

PR.IP-9
Response and recovery plans are in place and managed

PR.IP-10
Response and recovery plans are tested
Evidence: Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.

PR.IP-11
Cybersecurity is included in human resources practices

PR.IP-12
A vulnerability management plan is developed and implemented
Evidence: Vulnerability Management Policy.md, Composer.lock Security Scan History.

Maintenance

PR.MA-1
Maintenance and repair of assets are performed and logged
Evidence: Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation

PR.MA-2
Remote maintenance of assets is approved, logged, and performed
Evidence: Server access logs, admin activity monitoring

Protective Technology

PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed
Evidence: Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.

PR.PT-2
Removable media is protected and its use restricted
Evidence: File upload validation, allowed file type restrictions

PR.PT-3
The principle of least functionality is incorporated
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.PT-4
Communications and control networks are protected
Evidence: Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.

PR.PT-5
Mechanisms are implemented to achieve resilience requirements
Evidence: ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events

DE.AE-1
A baseline of network operations and expected data flows is established
Evidence: Service status monitoring, normal operation baselines

DE.AE-2
Detected events are analyzed to understand attack targets and methods
Evidence: Error logs, admin notification system, support ticket analysis

DE.AE-3
Event data are collected and correlated from multiple sources
Evidence: Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.

DE.AE-4
Impact of events is determined
Evidence: Service status levels, impact assessment in monitoring

DE.AE-5
Incident alert thresholds are established
Evidence: PasswordResetLimiter.php, rate_limits table, API rate limiting

Continuous Monitoring

DE.CM-1
The network is monitored to detect potential cybersecurity events
Evidence: Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity

DE.CM-2
The physical environment is monitored to detect cybersecurity events
Evidence: Hetzner data center monitoring, environmental controls

DE.CM-3
Personnel activity is monitored to detect cybersecurity events
Evidence: Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending

DE.CM-4
Malicious code is detected
Evidence: File upload validation, MIME type checking, input sanitization

DE.CM-5
Unauthorized mobile code is detected
Evidence: Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.

DE.CM-6
External service provider activity is monitored
Evidence: Stripe webhook monitoring, email service status tracking

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software
Evidence: Session tracking, authentication logs, rate limiting system

DE.CM-8
Vulnerability scans are performed
Evidence: Vulnerability Management Policy.md, Composer.lock Security Scan History.

Detection Processes

DE.DP-1
Roles and responsibilities for detection are well defined
Evidence: Admin role system, automated monitoring, alert notifications

DE.DP-2
Detection activities comply with all applicable requirements
Evidence: GDPR compliance, privacy policy, data protection measures

DE.DP-3
Detection processes are tested
Evidence: Detection Testing Procedures.md, Security Testing Log (admin Records), Rate Limits Table History.

DE.DP-4
Event detection information is communicated
Evidence: Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts

DE.DP-5
Detection processes are continuously improved
Evidence: NIST compliance dashboard, continuous improvement process

Response Planning

RS.RP-1
Response plan is executed during or after an incident
Evidence: Incident Response Disaster Recovery.md, Hetzner Backup Logs.

Communications

RS.CO-1
Personnel know their roles and order of operations
Evidence: Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts

RS.CO-2
Incidents are reported consistent with established criteria
Evidence: Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers

RS.CO-3
Information is shared consistent with response plans
Evidence: Service status page, notification system, user communication channels

RS.CO-4
Coordination with stakeholders occurs
Evidence: Support ticket system, admin dashboard, stakeholder communication

RS.CO-5
Voluntary information sharing occurs with external stakeholders
Evidence: Internal incident communication, public status page

Analysis

RS.AN-1
Notifications from detection systems are investigated
Evidence: Error logging system, admin monitoring dashboard, support ticket investigation

RS.AN-2
The impact of the incident is understood
Evidence: Service status levels (operational/degraded/outage), impact tracking

RS.AN-3
Forensics are performed
Evidence: Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.

RS.AN-4
Incidents are categorized consistent with response plans
Evidence: Service status categories, support ticket types, incident classification

RS.AN-5
Processes are established to receive, analyze and respond to vulnerabilities
Evidence: Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement

Mitigation

RS.MI-1
Incidents are contained
Evidence: Maintenance mode, rate limiting system, authentication controls

RS.MI-2
Incidents are mitigated
Evidence: ErrorController, automatic error recovery, admin tools

RS.MI-3
Newly identified vulnerabilities are mitigated or documented as accepted risks
Evidence: Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes

Improvements

RS.IM-1
Response plans incorporate lessons learned
Evidence: Post Incident Review Protocol.md, Internal Security Testing Logs.

RS.IM-2
Response strategies are updated
Evidence: NIST compliance updates, continuous security enhancements

Recovery Planning

RC.RP-1
Recovery plan is executed during or after a cybersecurity incident
Evidence: Incident Response Disaster Recovery.md, Hetzner Backup Logs.

Improvements

RC.IM-1
Recovery plans incorporate lessons learned
Evidence: Post Incident Review Protocol.md, Internal Security Testing Logs.

RC.IM-2
Recovery strategies are updated
Evidence: NIST compliance monitoring, recovery process updates

Communications

RC.CO-1
Public relations are managed
Evidence: Public status page at /status, user notification system

RC.CO-2
Reputation is repaired after an incident
Evidence: Service Status, Automated Incident Notification Templates.

RC.CO-3
Recovery activities are communicated to stakeholders
Evidence: Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements
