Security

Security is a core design principle at MinSide, not an afterthought. We apply a defence-in-depth strategy across all layers of our platform — from infrastructure to application to user accounts — to keep your data safe.

MinSide uses industry-standard encryption to protect your data at every stage of its lifecycle.

• At rest: all database data is encrypted with AES-256
• In transit: all client–server communication is protected by TLS 1.3; older protocols are disabled
• Passwords: stored as salted hashes using ASP.NET Core Identity's PBKDF2-based algorithm — never in plain text
• Secrets and keys: managed through Azure Key Vault; never hard-coded or stored in application configuration files
• Backups: encrypted with the same standards as production data

We enforce strong authentication practices to prevent unauthorised access to accounts and internal systems.

• Multi-factor authentication (MFA / 2FA) is available and strongly recommended for all accounts
• Passwords must meet minimum complexity requirements enforced at registration and change
• Sessions use short-lived tokens with automatic expiry
• OAuth 2.0 / OpenID Connect is used for third-party login providers (Microsoft, Google)
• Role-based access control (RBAC) restricts internal system access to authorised personnel only
• All failed login attempts are logged and monitored for brute-force patterns

MinSide is hosted on Microsoft Azure, which provides a certified, enterprise-grade cloud infrastructure.

• Hosted in Azure data centres with ISO 27001, SOC 2, and GDPR compliance
• Network traffic is controlled via virtual network isolation and Azure Firewall rules
• Web Application Firewall (WAF) protects against common web attacks including OWASP Top 10
• DDoS protection is enabled at the platform level
• Automated vulnerability scanning runs on all infrastructure components
• Access to production environments is restricted to authorised engineers via MFA-protected VPN

Security is built into our software development lifecycle (SDLC) from the ground up.

• Code reviews are required for all changes before deployment
• Static analysis tools scan for security vulnerabilities in every build
• Dependencies are monitored for known vulnerabilities and updated promptly
• CSRF, XSS, SQL injection, and other common attack vectors are mitigated by framework-level controls
• Antiforgery tokens are enforced on all state-changing operations
• Content Security Policy (CSP) headers are applied to all pages

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in any MinSide service, please notify us before public disclosure so we can investigate and remediate.

Researchers who follow these guidelines will not face legal action from MinSide for their good-faith research.

MinSide maintains a formal incident response plan to detect, contain, and recover from security incidents promptly.

• Security incidents are classified by severity and trigger defined response procedures
• Affected users are notified within 72 hours of a confirmed data breach, as required by GDPR Article 33/34
• Notifications will include the nature of the breach, data affected, and steps you can take to protect yourself
• Post-incident reviews are conducted to identify root causes and prevent recurrence
• All incidents are documented and retained for audit purposes

Our team is trained and held to strict security standards to reduce the risk of insider threats and human error.

• All employees complete mandatory security awareness training at onboarding and annually
• Access to production data is granted on a least-privilege, need-to-know basis
• All employee devices are enrolled in mobile device management (MDM) with full-disk encryption enabled
• Background checks are conducted for roles with access to sensitive systems
• Employee access is revoked immediately upon departure

MinSide carefully evaluates the security posture of third-party providers before integration.

• All third-party processors are bound by Data Processing Agreements (DPAs) compliant with GDPR
• Cloud and AI service providers (including Microsoft Azure and Azure OpenAI) are assessed against our security standards
• Third-party dependencies and libraries are monitored for vulnerabilities using automated tooling
• Annual security reviews are conducted for critical suppliers

For vulnerability reports, security concerns, or questions about our security practices, please reach out directly: