SECURITY POLICY

How we protect your data

Badex maintains a comprehensive security program across infrastructure, application, identity, data, and operations.

  • 0 open critical vulnerabilities
  • 32 vulnerabilities resolved in May 2026
  • 13 MITRE ATT&CK-mapped detection rules active
  • 8/8 servers Azure Arc-managed

1. Infrastructure Security

  • Azure Arc-managed servers with continuous health monitoring
  • Microsoft Defender for Cloud (Defender for Servers Plan 2) with file integrity monitoring, agentless vulnerability scanning and configuration drift alerts
  • Wazuh File Integrity Monitoring (FIM) with VirusTotal integration
  • Automated OS patching with maintenance windows
  • DDoS protection via Cloudflare (Anycast network, 300+ PoPs)

2. Application Security

  • Laravel 12 framework protections: CSRF token middleware, Blade output escaping against XSS, and parameterised queries through Eloquent and the query builder
  • HTTPS enforced, TLS 1.2 minimum, HSTS enabled
  • Content Security Policy (CSP) headers configured
  • Rate limiting on all public API endpoints
  • Authentication via the Microsoft identity platform (OAuth 2.0 and OpenID Connect)
  • Session encryption with rotating keys stored in Azure Key Vault

3. Code & Supply Chain

  • GitHub Enterprise with branch protection on main
  • Dependabot security updates, with weekly scans of Composer, npm and GitHub Actions dependencies
  • Code review required on every pull request before merge
  • Signed commits, verified by GitHub
  • 32 vulnerabilities resolved in May 2026 alone (1 critical, 11 high, 19 moderate, 1 low)

4. Identity & Access Management

  • Entra ID with Multi-Factor Authentication (MFA) enforced for all administrators
  • Conditional Access policies (location, device compliance, sign-in risk)
  • Entra ID Protection enabled for risky users, risky sign-ins and risky service principals
  • Just-in-Time elevation via Privileged Identity Management
  • Quarterly access reviews of all privileged accounts

5. Data Protection

  • Encryption at rest (AES-256) on all databases and storage
  • Encryption in transit (TLS 1.2+) for all data communications
  • HSM-backed Azure Key Vault for cryptographic key management
  • Customer data isolation per company_id (tenant boundary enforced)
  • Daily encrypted backups to Azure Blob (60-day retention)
  • Point-in-time database recovery available within 7-day window
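
The tenant-boundary item above is the one most worth seeing in code. The block below is an added illustration of how a Laravel 12 application can enforce per-company_id isolation at the ORM layer; it is not Badex's code, and the model name (Invoice), the scope and trait names, and the assumption that the authenticated user record carries a company_id column are hypothetical.

```php
<?php
// Added illustration of per-company_id tenant isolation in a Laravel 12 app.
// NOT Badex's code: the Invoice model, the CompanyScope/BelongsToCompany names
// and the assumption that Auth::user() exposes company_id are hypothetical.
// Assumes a standard Laravel install with Eloquent available.

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Support\Facades\Auth;

// Global scope: every query on a tenant-owned model is constrained to the
// caller's company_id, covering find(), all(), where(), relations and paginate().
final class CompanyScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $user = Auth::user();

        if ($user === null || $user->company_id === null) {
            // Fail closed: missing tenant context yields no rows, never all rows.
            $builder->whereRaw('1 = 0');
            return;
        }

        // qualifyColumn() prefixes the table name so joins stay unambiguous.
        $builder->where($model->qualifyColumn('company_id'), $user->company_id);
    }
}

// Trait that tenant-owned models mix in. Laravel calls bootBelongsToCompany()
// automatically the first time the model class is used.
trait BelongsToCompany
{
    protected static function bootBelongsToCompany(): void
    {
        static::addGlobalScope(new CompanyScope());

        // Stamp company_id from the authenticated session, never from request
        // input, so a client cannot write a row into another tenant by posting
        // its own company_id value.
        static::creating(function (Model $model): void {
            $user = Auth::user();
            if ($user === null || $user->company_id === null) {
                throw new \RuntimeException(
                    'Refusing to create a tenant-owned row without tenant context'
                );
            }
            $model->company_id = $user->company_id;
        });
    }
}

// Hypothetical tenant-owned model.
class Invoice extends Model
{
    use BelongsToCompany;

    // company_id is deliberately NOT fillable, so mass assignment cannot set it;
    // the creating hook above assigns it directly, which bypasses $fillable.
    protected $fillable = ['number', 'amount'];
}

// Controller-side effect: an id guessed or enumerated from another company
// returns null here (findOrFail() would give a 404), not the other tenant's row.
function showInvoice(int $id): ?Invoice
{
    return Invoice::find($id);
}
```

Two caveats a reviewer would raise against this pattern: `withoutGlobalScope(CompanyScope::class)` and raw `DB::table()` queries both bypass the scope, so those call sites need to be confined to audited admin and job code; and the `company_id` column should carry a composite index with the primary key so the added predicate does not degrade lookups.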

6. Monitoring & Response

  • Microsoft Sentinel SIEM with 13 MITRE ATT&CK-mapped analytics rules
  • UEBA (User Entity Behavior Analytics) enabled
  • 11 active data connectors, including Entra ID, Microsoft 365, Defender XDR, Office Activity and Threat Intelligence
  • Real-time incident alerts to security team via Telegram + email
  • Application Insights centralized telemetry across 5 Laravel apps
  • Mean Time To Detection (MTTD): < 5 minutes
  • Mean Time To Response (MTTR): < 1 hour for critical incidents

7. Business Continuity

  • Disaster Recovery: documented runbook with < 4 hour RTO
  • Backup verification: automated monthly restore tests
  • Git-based deployment with < 1 minute rollback capability
  • Critical secrets backed up in Vaultwarden (encrypted)
  • Off-site backup replication to Azure Storage (geo-redundant)

Found a security issue?

We appreciate responsible disclosure. Please review our vulnerability disclosure policy before reporting.

Email security@badex.app