Security policy
Last updated 1 July 2026
This policy summarises the practices that govern how we access and operate your infrastructure. For a fuller picture, see our security & trust page.
Access
We operate on least privilege: we hold only the access we need, granted by you and revocable at any time. Multi-factor authentication is mandatory for every engineer on every system, and access is attributable.
Credentials & secrets
Credentials are stored in a managed secrets vault. They are never kept in tickets, chat messages, or plain text, and are rotated in line with good practice.
Hardening & patching
Managed systems are hardened to a maintained baseline and patched on a managed schedule, closing the gaps attackers rely on. Vulnerabilities are tracked and remediated.
Incidents
We follow a structured, rehearsed incident process with clear communication and a blameless post-incident review. If a security incident affects you, we will tell you promptly and honestly.
Responsible disclosure
Found a security issue? Please report it to hello@hostoza.com. We appreciate responsible disclosure and will respond quickly.