International Security Standard | 02/2026

Trust and Security Center
LegallyMail

Our infrastructure is hardened by strictly following the NIST Cybersecurity Framework.
Radical transparency about the protection of your most critical data.

Status: 100% Secure
E2E Encryption: Active
Compliance: 100%

Committed to Your Security

At LegallyMail, we align our security controls with the NIST Cybersecurity Framework (CSF), the international reference for cyber risk management. Our commitment is to protect the confidentiality, integrity and availability of your certified communications.

Controls Implemented: 103
Total Controls: 103

Our Security Posture

NIST Cybersecurity Framework Breakdown

🎯
Identify
100% Implemented

Develop an organizational understanding to manage cybersecurity risk.

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
🛡️
Protect
100% Implemented

Implement safeguards to ensure delivery of critical services.

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
🔍
Detect
100% Implemented

Develop activities to identify the occurrence of a cybersecurity event.

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
Respond
100% Implemented

Take action regarding a detected cybersecurity incident.

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements
♻️
Recover
100% Implemented

Maintain resilience plans and restore any capabilities or services affected.

  • Recovery Planning
  • Improvements
  • Communications

Controls Implemented

Detailed transparency about our active security controls

Asset Management
ID.AM-1

Physical devices and systems within the organization are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-2

Software platforms and applications are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-3

Organizational communication and data flows are mapped

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-4

External information systems are catalogued

Evidence:
Third-party service documentation, integration records
ID.AM-5

Resources are prioritized based on their classification, criticality, and business value

Evidence:
Data Classification Policy.md, Database Encryption Architecture.
ID.AM-6

Cybersecurity roles and responsibilities are established

Business Environment
ID.BE-1

The organization's role in the supply chain is identified and communicated

Evidence:
Service provider documentation, TSA integration, Stripe payment processing
ID.BE-2

The organization's place in critical infrastructure is identified

Evidence:
Service architecture documentation, critical service monitoring
ID.BE-3

Priorities for organizational mission, objectives, and activities are established

Evidence:
NIST compliance framework, GDPR compliance, service SLAs
ID.BE-4

Dependencies and critical functions are established

Evidence:
Service dependency mapping, critical function documentation
ID.BE-5

Resilience requirements to support delivery of critical services are established

Evidence:
Service status dashboard, maintenance mode system, error handling framework
Governance
ID.GV-1

Organizational cybersecurity policy is established and communicated

Evidence:
Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records
ID.GV-2

Cybersecurity roles and responsibilities are coordinated and aligned

Evidence:
Internal security coordination, admin role structure
ID.GV-3

Legal and regulatory requirements are understood and managed

ID.GV-4

Governance and risk management processes address cybersecurity risks

Evidence:
NIST compliance dashboard, risk assessment through compliance monitoring
Risk Assessment
ID.RA-1

Asset vulnerabilities are identified and documented

Evidence:
Past audit with Claude Sonnet 4.5 in January 2026
ID.RA-2

Cyber threat intelligence is received from information sharing forums

Evidence:
Composer security advisories, dependency monitoring
ID.RA-3

Threats, both internal and external, are identified and documented

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-4

Potential business impacts and likelihoods are identified

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-5

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-6

Risk responses are identified and prioritized

Evidence:
Security improvements, vulnerability patching process
Risk Management Strategy
ID.RM-1

Risk management processes are established, managed, and agreed to

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RM-2

Organizational risk tolerance is determined and clearly expressed

Evidence:
NIST CSF compliance, GDPR compliance, security headers implementation
ID.RM-3

The organization's determination of risk tolerance is informed by its role

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control
PR.AC-1

Identities and credentials are issued, managed, verified, revoked, and audited

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-2

Physical access to assets is managed and protected

Evidence:
Hetzner ISO 27001 certification, data center security documentation
PR.AC-3

Remote access is managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-4

Access permissions and authorizations are managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-5

Network integrity is protected (e.g., network segregation)

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.AC-6

Identities are proofed and bound to credentials

Evidence:
Email verification system, email_verified column in users table
PR.AC-7

Users, devices, and assets are authenticated

Awareness and Training
PR.AT-1

All users are informed and trained on cybersecurity awareness

Evidence:
Privacy policy, terms of service, GDPR compliance documentation
PR.AT-2

Privileged users understand their roles and responsibilities

Evidence:
Admin dashboard with security controls, role-based access documentation
PR.AT-3

Third-party stakeholders understand their roles and responsibilities

Evidence:
Vendor agreements, partner documentation, API documentation
PR.AT-4

Senior executives understand their roles and responsibilities

PR.AT-5

Physical and cybersecurity personnel understand their roles

Evidence:
Admin role documentation, Hetzner security procedures
Data Security
PR.DS-1

Data-at-rest is protected

Evidence:
By Google Cloud (external provider)
PR.DS-2

Data-in-transit is protected

PR.DS-3

Assets are formally managed throughout removal, transfers, and disposition

Evidence:
User data management, certified_emails retention, data export capabilities
PR.DS-4

Adequate capacity to ensure availability is maintained

Evidence:
Hetzner infrastructure monitoring, service status tracking
PR.DS-5

Protections against data leaks are implemented

Evidence:
HASH 256 AES bits in sensitive data
PR.DS-6

Integrity checking mechanisms verify software and information integrity

PR.DS-7

Development and testing environment(s) are separate from production

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.DS-8

Integrity checking mechanisms verify hardware integrity

Evidence:
Hetzner infrastructure security, ISO 27001 certification
Information Protection Processes and Procedures
PR.IP-1

A baseline configuration of systems is created and maintained

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-2

A System Development Life Cycle to manage systems is implemented

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-3

Configuration change control processes are in place

Evidence:
Git repository, .env file management, version control practices
PR.IP-4

Backups of information are conducted, maintained, and tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-5

Policy and regulations regarding the physical operating environment

Evidence:
Hetzner data center certifications, environmental controls documentation
PR.IP-6

Data is destroyed according to policy

Evidence:
Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.
PR.IP-7

Protection processes are improved

Evidence:
NIST compliance dashboard, regular security updates, dependency updates
PR.IP-8

Effectiveness of protection technologies is shared

Evidence:
Internal security reviews, NIST compliance public page
PR.IP-9

Response and recovery plans are in place and managed

PR.IP-10

Response and recovery plans are tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-11

Cybersecurity is included in human resources practices

PR.IP-12

A vulnerability management plan is developed and implemented

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Maintenance
PR.MA-1

Maintenance and repair of assets are performed and logged

Evidence:
Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation
PR.MA-2

Remote maintenance of assets is approved, logged, and performed

Evidence:
Server access logs, admin activity monitoring
Protective Technology
PR.PT-1

Audit/log records are determined, documented, implemented, and reviewed

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
PR.PT-2

Removable media is protected and its use restricted

Evidence:
File upload validation, allowed file type restrictions
PR.PT-3

The principle of least functionality is incorporated

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.PT-4

Communications and control networks are protected

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.PT-5

Mechanisms are implemented to achieve resilience requirements

Evidence:
ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events
DE.AE-1

A baseline of network operations and expected data flows is established

Evidence:
Service status monitoring, normal operation baselines
DE.AE-2

Detected events are analyzed to understand attack targets and methods

Evidence:
Error logs, admin notification system, support ticket analysis
DE.AE-3

Event data are collected and correlated from multiple sources

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
DE.AE-4

Impact of events is determined

Evidence:
Service status levels, impact assessment in monitoring
DE.AE-5

Incident alert thresholds are established

Evidence:
PasswordResetLimiter.php, rate_limits table, API rate limiting
Security Continuous Monitoring
DE.CM-1

The network is monitored to detect potential cybersecurity events

Evidence:
Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity
DE.CM-2

The physical environment is monitored to detect cybersecurity events

Evidence:
Hetzner data center monitoring, environmental controls
DE.CM-3

Personnel activity is monitored to detect cybersecurity events

Evidence:
Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending
DE.CM-4

Malicious code is detected

Evidence:
File upload validation, MIME type checking, input sanitization
DE.CM-5

Unauthorized mobile code is detected

Evidence:
Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.
DE.CM-6

External service provider activity is monitored

Evidence:
Stripe webhook monitoring, email service status tracking
DE.CM-7

Monitoring for unauthorized personnel, connections, devices, and software

Evidence:
Session tracking, authentication logs, rate limiting system
DE.CM-8

Vulnerability scans are performed

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Detection Processes
DE.DP-1

Roles and responsibilities for detection are well defined

Evidence:
Admin role system, automated monitoring, alert notifications
DE.DP-2

Detection activities comply with all applicable requirements

Evidence:
GDPR compliance, privacy policy, data protection measures
DE.DP-3

Detection processes are tested

Evidence:
Detection Testing Procedures.md, Security Testing Log (Admin Records), Rate Limits Table History.
DE.DP-4

Event detection information is communicated

Evidence:
Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts
DE.DP-5

Detection processes are continuously improved

Evidence:
NIST compliance dashboard, continuous improvement process

Response Planning
RS.RP-1

Response plan is executed during or after an incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Communications
RS.CO-1

Personnel know their roles and order of operations

Evidence:
Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts
RS.CO-2

Incidents are reported consistent with established criteria

Evidence:
Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers
RS.CO-3

Information is shared consistent with response plans

Evidence:
Service status page, notification system, user communication channels
RS.CO-4

Coordination with stakeholders occurs

Evidence:
Support ticket system, admin dashboard, stakeholder communication
RS.CO-5

Voluntary information sharing occurs with external stakeholders

Evidence:
Internal incident communication, public status page
Analysis
RS.AN-1

Notifications from detection systems are investigated

Evidence:
Error logging system, admin monitoring dashboard, support ticket investigation
RS.AN-2

The impact of the incident is understood

Evidence:
Service status levels (operational/degraded/outage), impact tracking
RS.AN-3

Forensics are performed

Evidence:
Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.
RS.AN-4

Incidents are categorized consistent with response plans

Evidence:
Service status categories, support ticket types, incident classification
RS.AN-5

Processes are established to receive, analyze and respond to vulnerabilities

Evidence:
Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement
Mitigation
RS.MI-1

Incidents are contained

Evidence:
Maintenance mode, rate limiting system, authentication controls
RS.MI-2

Incidents are mitigated

Evidence:
ErrorController, automatic error recovery, admin tools
RS.MI-3

Newly identified vulnerabilities are mitigated or documented as accepted risks

Evidence:
Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes
Improvements
RS.IM-1

Response plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RS.IM-2

Response strategies are updated

Evidence:
NIST compliance updates, continuous security enhancements

Recovery Planning
RC.RP-1

Recovery plan is executed during or after a cybersecurity incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Improvements
RC.IM-1

Recovery plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RC.IM-2

Recovery strategies are updated

Evidence:
NIST compliance monitoring, recovery process updates
Communications
RC.CO-1

Public relations are managed

Evidence:
Public status page at /status, user notification system
RC.CO-2

Reputation is repaired after an incident

Evidence:
Service Status, Automated Incident Notification Templates.
RC.CO-3

Recovery activities are communicated to stakeholders

Evidence:
Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements

Questions about our security?

Our security and compliance team is available to answer your questions.

Contact Security