Security Statement
Last updated: 15 May 2026
About this statement
This Security Statement describes the technical and organisational measures Kapsule Group Limited ("Kapsule Cloud") implements to protect the data hosted on our platform. It is referenced by the Data Processing Agreement and is updated from time to time to reflect improvements to our security posture.
Our core principle is defence in depth: we layer multiple independent controls so that no single failure exposes customer data.
1. Information security governance
We maintain documented information security and privacy policies, reviewed at least annually and updated when material changes to the platform or threat landscape require it.
A designated Privacy Officer holds responsibility for data protection compliance. Security responsibilities are assigned to named individuals on the infrastructure team.
All personnel receive privacy and security training on induction and annually thereafter. Personnel with access to production systems are subject to background checks where permitted by law.
Security incidents and near-misses are recorded, reviewed, and used to improve controls on an ongoing basis.
2. Access controls
Access to production systems and customer data is governed by strict role-based access controls built on least-privilege principles: personnel are granted only the access they need to perform their specific role.
Mandatory two-factor authentication (2FA) is enforced for all personnel with access to production infrastructure, the hosting control panel, source code, and cloud provider consoles.
Access rights are reviewed periodically and revoked promptly on role change or departure. Access events and privilege escalations are logged.
Production and non-production environments are strictly separated. Customer environments are logically isolated from each other within the hosting platform.
All administrative access to production servers is authenticated via SSH key pairs; password-based SSH authentication is disabled.
3. Encryption and data protection
All data in transit between customers and our platform is encrypted using TLS 1.2 or higher. TLS certificates are issued automatically and renewed before expiry.
Off-site backups are encrypted using restic with AES-256. The encryption keys are stored separately from the backup data and are themselves backed up offline. Loss of the encryption key makes the backup data unrecoverable, which is why keys are held in multiple secure offline locations.
Encrypted backups are stored in Cloudflare R2 object storage, Oceania region, providing geographic separation from our primary Hetzner infrastructure.
Sensitive platform data (including secrets, API keys, and credentials) is stored in dedicated secrets management systems and is never embedded in source code or configuration files checked into version control.
4. Network and system security
Customer-facing services are protected by Cloudflare's web application firewall (WAF) and DDoS mitigation, which absorbs volumetric and application-layer attacks before they reach our infrastructure.
Customer hosting environments are network-segmented: each site runs in an isolated context and cannot access other customers' data at the network layer.
Operating systems, platform software, and application dependencies are patched on a regular cadence. Critical security patches are applied within 24–72 hours of release. Internet-facing infrastructure is scanned for known vulnerabilities on a regular basis.
Firewall rules restrict inbound access to the minimum necessary ports and services. Unnecessary services are disabled by default.
Periodic penetration testing is conducted by independent qualified testers. Material findings are remediated and retested.
5. Logging, monitoring, and incident response
Access events, configuration changes, authentication attempts, and security-relevant system events are logged to a centralised logging system. Logs are retained for a minimum of 90 days.
Platform health and security signals are monitored 24x7. Alerts are routed to on-call personnel for immediate investigation.
We maintain a documented incident response plan with defined severity levels, escalation paths, and communication procedures. The plan is reviewed and tested at least annually.
In the event of a confirmed Notifiable Privacy Breach affecting Customer Personal Information, we will notify affected customers within 72 hours of becoming aware, as required by the Privacy Act 2020 and the Data Processing Agreement.
Sentry is used for real-time error tracking and application performance monitoring across the platform stack.
6. Backup and disaster recovery
Customer site files, databases, and email data are backed up daily to Cloudflare R2 (Oceania region) using restic. Backups are encrypted at rest with AES-256.
Backup retention is a minimum of 30 days on all paid plans. Higher plans include additional weekly and monthly snapshots. See the Service Level Agreement for plan-specific retention details.
Restore procedures are documented in our internal runbooks and tested periodically. The platform team conducts restore drills to validate backup integrity.
The Kapsule Cloud platform codebase (including configuration and provisioning scripts) is backed up daily to private GitHub repositories in the kapsulenz organisation, providing an independent recovery path for the platform itself.
Disaster recovery procedures for each infrastructure component (hosting server, mail server, portal) are documented with target recovery times of 2–4 hours depending on component and data size.
7. Personnel and sub-processors
All personnel with access to customer data are bound by confidentiality obligations, either by contract or by law.
We maintain written data processing agreements with all sub-processors. These agreements require sub-processors to implement protections no less protective than those in our Data Processing Agreement, including confidentiality, security, and limited-purpose processing obligations.
Our sub-processor list is reviewed at least annually for continued suitability. Sub-processors are assessed against our minimum security requirements before engagement.
The current list of sub-processors is published at kapsulecloud.com/legal/sub-processors.
8. Physical security
Production servers are operated in Hetzner data centres in Germany. Hetzner's facilities are rated Tier III or equivalent and provide: controlled physical access with multi-factor authentication at entry points; 24x7 on-site security personnel; redundant power (UPS and diesel generators); redundant cooling systems; fire detection and suppression.
Physical access to server hardware is restricted to authorised Hetzner personnel. Kapsule Cloud personnel do not have routine physical access to production hardware; all administrative access is performed remotely over encrypted channels.
Decommissioned storage media are securely wiped or destroyed in accordance with Hetzner's data centre procedures before reuse or disposal.
9. Application security
We follow a secure software development lifecycle. All production code changes require mandatory peer code review before deployment. Automated dependency scanning runs on every build to identify known vulnerabilities in third-party packages.
Secrets are managed using a dedicated secrets management system. No credentials, API keys, or sensitive configuration values are committed to source code repositories.
Pre-release testing includes functional, regression, and security-focused test runs. Changes to authentication, payment, or data-handling flows receive additional scrutiny.
Customer-facing input is validated and sanitised at all application boundaries. We apply standard defences against OWASP Top 10 risks including SQL injection, cross-site scripting, and cross-site request forgery.
KPanel authentication: passwords are hashed with Argon2id (memory-hard, resistant to GPU cracking). New passwords are checked against the Have I Been Pwned database via k-anonymity prefix lookup before acceptance. Sign-in supports TOTP-based two-factor authentication, SMS one-time codes, and hardware passkeys (WebAuthn/FIDO2). OAuth sign-in is supported via Google, GitHub, and Apple Sign In, each verified against the provider's JWKS endpoint. Magic-link email sign-in is rate-limited to three requests per hour per address and is available as a recovery method. Session tokens are cryptographically random, stored hashed in the database, and expire after 30 days of inactivity.
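The paragraph above names three mechanisms that are easy to get subtly wrong: the Have I Been Pwned k-anonymity lookup (only a five-character SHA-1 prefix leaves the server), session tokens that are random and stored only as a hash, and the per-address magic-link limit. The following is an added illustration of those three, written for this page and not Kapsule Cloud's or KPanel's own code. It assumes a constructed stand-in for the HIBP range endpoint so it runs offline, and leaves out Argon2id hashing, which needs a third-party library.

```python
"""Added example: HIBP k-anonymity check, hashed-at-rest session tokens with
a 30-day inactivity expiry, and a three-per-hour magic-link limiter.
Not Kapsule Cloud's code; the breach data below is constructed."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# --- 1. Have I Been Pwned k-anonymity lookup ------------------------------
# The real service is queried as GET https://api.pwnedpasswords.com/range/<prefix>
# with only the first five hex characters of the SHA-1; it returns every
# known suffix for that prefix and the comparison happens locally.

# Constructed stand-in for that endpoint. The first suffix is SHA-1("password")
# with its 5-character prefix removed; the counts are made up for the example.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:7\r\n",
}

def fetch_range_offline(prefix):
    """Stand-in for the HTTP fetch; an unknown prefix yields an empty body."""
    return SAMPLE_RANGES.get(prefix, "")

def hibp_breach_count(password, fetch_range=fetch_range_offline):
    """Return how often `password` appears in the breach corpus (0 = never seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

# --- 2. Session tokens: random, stored hashed, 30-day inactivity expiry -----
INACTIVITY_LIMIT = 30 * 24 * 3600   # seconds

def _token_hash(token):
    # Only this digest is persisted, so a leaked session table yields no tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def issue_session(store, user_id, now):
    """Create a session for `user_id` at time `now`; return the bearer token."""
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    store[_token_hash(token)] = {"user_id": user_id, "last_seen": now}
    return token

def verify_session(store, token, now):
    """Return the user id for a live session, or None; activity extends it."""
    key = _token_hash(token)
    match = next((k for k in store if hmac.compare_digest(k, key)), None)
    if match is None:
        return None
    record = store[match]
    if now - record["last_seen"] > INACTIVITY_LIMIT:
        del store[match]                       # expired: drop so it cannot revive
        return None
    record["last_seen"] = now                  # sliding inactivity window
    return record["user_id"]

# --- 3. Magic-link requests: at most three per hour per address ------------
class MagicLinkLimiter:
    def __init__(self, limit=3, window=3600):
        self.limit, self.window = limit, window
        self._sent = defaultdict(deque)        # address -> send timestamps

    def allow(self, address, now):
        """True if a magic link may be sent to `address` at time `now`."""
        q = self._sent[address.strip().lower()]  # case-fold so A@ and a@ share a bucket
        while q and now - q[0] >= self.window:
            q.popleft()                        # forget sends outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

if __name__ == "__main__":
    print("breach count for 'password':", hibp_breach_count("password"))
    sessions = {}
    tok = issue_session(sessions, "user-1", now=0)
    print("token stored in clear?", tok in sessions)
    print("session resolves to:", verify_session(sessions, tok, now=60))
```

The lookup function takes the fetch routine as a parameter so the same code can be pointed at the live endpoint in production and at the constructed table here; the session store and limiter take an explicit `now` for the same reason, which also makes the 30-day and one-hour windows testable without waiting.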
10. Data segregation and deletion
Customer data is logically segregated at the hosting, database, and application layers. Each customer's files, databases, and email accounts are isolated under separate system accounts with no cross-customer access.
When a customer terminates their service, Customer Personal Information is made available for export for 30 days, then permanently deleted from live systems. Encrypted backup copies are purged on the next scheduled rotation cycle, within 30 days of deletion from live systems.
Documented data deletion procedures ensure that data is removed from all relevant systems, including live databases, caches, and application storage, not just the primary datastore.
Procedures for handling Data Subject requests (access, correction, deletion) are documented and tested. KPanel export tools allow customers to retrieve their data at any time during the service term.
Questions and reporting
If you have questions about our security practices, or wish to report a suspected vulnerability, please contact us at [email protected].
Kapsule Group Limited, Christchurch, New Zealand.