International Security Standard | 02/2026

Center of Trust and Security
LegallyMail

Our infrastructure is hardened strictly following the NIST Cybersecurity Framework.
Radical transparency on how we protect your most critical data.

Status: 100% Secure
E2E Encryption: Active
Compliance: 100%

Committed to your Security

At LegallyMail, we align our security controls with the NIST Cybersecurity Framework (CSF), the international gold standard for cyber risk management. Our commitment is to protect the confidentiality, integrity, and availability of your certified communications.

Implemented Controls: 103
Total Controls: 103

Our Security Posture

NIST Cybersecurity Framework Breakdown

Identify
100% Implemented

Develop organizational understanding to manage cybersecurity risk.

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
Protect
100% Implemented

Implement safeguards to ensure delivery of critical services.

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
Detect
100% Implemented

Develop activities to identify the occurrence of a cybersecurity event.

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
Respond
100% Implemented

Take action regarding a detected cybersecurity incident.

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements
Recover
100% Implemented

Maintain plans for resilience and to restore any capabilities or services that were impaired.

  • Recovery Planning
  • Improvements
  • Communications

Implemented Controls

Detailed transparency on our active security controls

Asset Management
ID.AM-1

Physical devices and systems within the organization are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-2

Software platforms and applications are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-3

Organizational communication and data flows are mapped

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-4

External information systems are catalogued

Evidence:
Third-party service documentation, integration records
ID.AM-5

Resources are prioritized based on their classification, criticality, and business value

Evidence:
Data Classification Policy.md, Database Encryption Architecture.
ID.AM-6

Cybersecurity roles and responsibilities are established

Business Environment
ID.BE-1

The organization's role in the supply chain is identified and communicated

Evidence:
Service provider documentation, TSA integration, Stripe payment processing
ID.BE-2

The organization's place in critical infrastructure is identified

Evidence:
Service architecture documentation, critical service monitoring
ID.BE-3

Priorities for organizational mission, objectives, and activities are established

Evidence:
NIST compliance framework, GDPR compliance, service SLAs
ID.BE-4

Dependencies and critical functions are established

Evidence:
Service dependency mapping, critical function documentation
ID.BE-5

Resilience requirements to support delivery of critical services are established

Evidence:
Service status dashboard, maintenance mode system, error handling framework
Governance
ID.GV-1

Organizational cybersecurity policy is established and communicated

Evidence:
Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records
ID.GV-2

Cybersecurity roles and responsibilities are coordinated and aligned

Evidence:
Internal security coordination, admin role structure
ID.GV-3

Legal and regulatory requirements are understood and managed

ID.GV-4

Governance and risk management processes address cybersecurity risks

Evidence:
NIST compliance dashboard, risk assessment through compliance monitoring
Risk Assessment
ID.RA-1

Asset vulnerabilities are identified and documented

Evidence:
Past audit with Claude Sonnet 4.5 in January 2026
ID.RA-2

Cyber threat intelligence is received from information sharing forums

Evidence:
Composer security advisories, dependency monitoring
ID.RA-3

Threats, both internal and external, are identified and documented

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-4

Potential business impacts and likelihoods are identified

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-5

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-6

Risk responses are identified and prioritized

Evidence:
Security improvements, vulnerability patching process
Risk Management Strategy
ID.RM-1

Risk management processes are established, managed, and agreed to

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RM-2

Organizational risk tolerance is determined and clearly expressed

Evidence:
NIST CSF compliance, GDPR compliance, security headers implementation
ID.RM-3

The organization's determination of risk tolerance is informed by its role

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control
PR.AC-1

Identities and credentials are issued, managed, verified, revoked, and audited

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-2

Physical access to assets is managed and protected

Evidence:
Hetzner ISO 27001 certification, data center security documentation
PR.AC-3

Remote access is managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-4

Access permissions and authorizations are managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-5

Network integrity is protected (e.g., network segregation)

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.AC-6

Identities are proofed and bound to credentials

Evidence:
Email verification system, email_verified column in users table
PR.AC-7

Users, devices, and assets are authenticated

Awareness and Training
PR.AT-1

All users are informed and trained on cybersecurity awareness

Evidence:
Privacy policy, terms of service, GDPR compliance documentation
PR.AT-2

Privileged users understand their roles and responsibilities

Evidence:
Admin dashboard with security controls, role-based access documentation
PR.AT-3

Third-party stakeholders understand their roles and responsibilities

Evidence:
Vendor agreements, partner documentation, API documentation
PR.AT-4

Senior executives understand their roles and responsibilities

PR.AT-5

Physical and cybersecurity personnel understand their roles

Evidence:
Admin role documentation, Hetzner security procedures
Data Security
PR.DS-1

Data-at-rest is protected

Evidence:
By Google Cloud (external provider)
PR.DS-2

Data-in-transit is protected

PR.DS-3

Assets are formally managed throughout removal, transfers, and disposition

Evidence:
User data management, certified_emails retention, data export capabilities
PR.DS-4

Adequate capacity to ensure availability is maintained

Evidence:
Hetzner infrastructure monitoring, service status tracking
PR.DS-5

Protections against data leaks are implemented

Evidence:
HASH 256 AES bits in sensitive data
PR.DS-6

Integrity checking mechanisms verify software and information integrity

PR.DS-7

Development and testing environment(s) are separate from production

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.DS-8

Integrity checking mechanisms verify hardware integrity

Evidence:
Hetzner infrastructure security, ISO 27001 certification
Information Protection Processes and Procedures
PR.IP-1

A baseline configuration of systems is created and maintained

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-2

A System Development Life Cycle to manage systems is implemented

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-3

Configuration change control processes are in place

Evidence:
Git repository, .env file management, version control practices
PR.IP-4

Backups of information are conducted, maintained, and tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-5

Policy and regulations regarding the physical operating environment

Evidence:
Hetzner data center certifications, environmental controls documentation
PR.IP-6

Data is destroyed according to policy

Evidence:
Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.
PR.IP-7

Protection processes are improved

Evidence:
NIST compliance dashboard, regular security updates, dependency updates
PR.IP-8

Effectiveness of protection technologies is shared

Evidence:
Internal security reviews, NIST compliance public page
PR.IP-9

Response and recovery plans are in place and managed

PR.IP-10

Response and recovery plans are tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-11

Cybersecurity is included in human resources practices

PR.IP-12

A vulnerability management plan is developed and implemented

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Maintenance
PR.MA-1

Maintenance and repair of assets are performed and logged

Evidence:
Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation
PR.MA-2

Remote maintenance of assets is approved, logged, and performed

Evidence:
Server access logs, admin activity monitoring
Protective Technology
PR.PT-1

Audit/log records are determined, documented, implemented, and reviewed

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
PR.PT-2

Removable media is protected and its use restricted

Evidence:
File upload validation, allowed file type restrictions
PR.PT-3

The principle of least functionality is incorporated

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.PT-4

Communications and control networks are protected

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.PT-5

Mechanisms are implemented to achieve resilience requirements

Evidence:
ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events
DE.AE-1

A baseline of network operations and expected data flows is established

Evidence:
Service status monitoring, normal operation baselines
DE.AE-2

Detected events are analyzed to understand attack targets and methods

Evidence:
Error logs, admin notification system, support ticket analysis
DE.AE-3

Event data are collected and correlated from multiple sources

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
DE.AE-4

Impact of events is determined

Evidence:
Service status levels, impact assessment in monitoring
DE.AE-5

Incident alert thresholds are established

Evidence:
PasswordResetLimiter.php, rate_limits table, API rate limiting
Security Continuous Monitoring
DE.CM-1

The network is monitored to detect potential cybersecurity events

Evidence:
Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity
DE.CM-2

The physical environment is monitored to detect cybersecurity events

Evidence:
Hetzner data center monitoring, environmental controls
DE.CM-3

Personnel activity is monitored to detect cybersecurity events

Evidence:
Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending
DE.CM-4

Malicious code is detected

Evidence:
File upload validation, MIME type checking, input sanitization
DE.CM-5

Unauthorized mobile code is detected

Evidence:
Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.
DE.CM-6

External service provider activity is monitored

Evidence:
Stripe webhook monitoring, email service status tracking
DE.CM-7

Monitoring for unauthorized personnel, connections, devices, and software

Evidence:
Session tracking, authentication logs, rate limiting system
DE.CM-8

Vulnerability scans are performed

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Detection Processes
DE.DP-1

Roles and responsibilities for detection are well defined

Evidence:
Admin role system, automated monitoring, alert notifications
DE.DP-2

Detection activities comply with all applicable requirements

Evidence:
GDPR compliance, privacy policy, data protection measures
DE.DP-3

Detection processes are tested

Evidence:
Detection Testing Procedures.md, Security Testing Log (Admin Records), Rate Limits Table History.
DE.DP-4

Event detection information is communicated

Evidence:
Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts
DE.DP-5

Detection processes are continuously improved

Evidence:
NIST compliance dashboard, continuous improvement process

Response Planning
RS.RP-1

Response plan is executed during or after an incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Communications
RS.CO-1

Personnel know their roles and order of operations

Evidence:
Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts
RS.CO-2

Incidents are reported consistent with established criteria

Evidence:
Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers
RS.CO-3

Information is shared consistent with response plans

Evidence:
Service status page, notification system, user communication channels
RS.CO-4

Coordination with stakeholders occurs

Evidence:
Support ticket system, admin dashboard, stakeholder communication
RS.CO-5

Voluntary information sharing occurs with external stakeholders

Evidence:
Internal incident communication, public status page
Analysis
RS.AN-1

Notifications from detection systems are investigated

Evidence:
Error logging system, admin monitoring dashboard, support ticket investigation
RS.AN-2

The impact of the incident is understood

Evidence:
Service status levels (operational/degraded/outage), impact tracking
RS.AN-3

Forensics are performed

Evidence:
Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.
RS.AN-4

Incidents are categorized consistent with response plans

Evidence:
Service status categories, support ticket types, incident classification
RS.AN-5

Processes are established to receive, analyze and respond to vulnerabilities

Evidence:
Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement
Mitigation
RS.MI-1

Incidents are contained

Evidence:
Maintenance mode, rate limiting system, authentication controls
RS.MI-2

Incidents are mitigated

Evidence:
ErrorController, automatic error recovery, admin tools
RS.MI-3

Newly identified vulnerabilities are mitigated or documented as accepted risks

Evidence:
Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes
Improvements
RS.IM-1

Response plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RS.IM-2

Response strategies are updated

Evidence:
NIST compliance updates, continuous security enhancements

Recovery Planning
RC.RP-1

Recovery plan is executed during or after a cybersecurity incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Improvements
RC.IM-1

Recovery plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RC.IM-2

Recovery strategies are updated

Evidence:
NIST compliance monitoring, recovery process updates
Communications
RC.CO-1

Public relations are managed

Evidence:
Public status page at /status, user notification system
RC.CO-2

Reputation is repaired after an incident

Evidence:
Service Status, Automated Incident Notification Templates.
RC.CO-3

Recovery activities are communicated to stakeholders

Evidence:
Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements

Have questions about our security?

Our security and compliance team is available to answer your questions.

Contact Security