Security - CostPlusDB

Security How we protect your data	Page	← Home

Security First

Security isn't an afterthought at CostPlusDB. It's built into everything we do, from server hardening to transparent operations.

Our Security Practices

Server Hardening

SSH key authentication only (Ed25519 encryption)
Root login disabled
Custom SSH port (non-default)
Firewall (UFW) with minimal open ports
fail2ban intrusion prevention
Automatic security updates
NTP time synchronization
Log rotation and monitoring

PostgreSQL Security

SSL/TLS enforced on all connections
scram-sha-256 password encryption
Customer database isolation
Connection pooling (pgBouncer)
Connection logging enabled
Separate users per customer
Principle of least privilege

Backup Security & Transparency

Backup Schedule: Backup infrastructure configured (automated scheduling in progress)

Feature	Details
Backup Tool	pgBackRest (industry standard)
Encryption	AES-256-CBC encryption on all backups
Local Storage	/var/lib/pgbackrest (primary backup location)
Cloud Storage	Wasabi S3 (us-east-1) - multi-region redundancy
Retention	7-day retention (Shared/Dedicated), 30-day retention (Pro/Enterprise or +$15/mo add-on)
Point-in-Time Recovery	7 days of WAL archives for transaction-level restore
Restoration Testing	Regular restoration tests to verify backups actually work
Recovery Time	Full restore: ~15-30 minutes depending on database size

What this means for you:

Your data will be backed up every single day automatically (infrastructure configured, automation in progress)
Backup retention: 7 days (Shared/Dedicated), 30 days (Pro/Enterprise or +$15/mo add-on)
All backups are encrypted before storage (even we can't read them without the key)
Backups are stored in 2 locations (local server + cloud S3)
Point-in-time recovery capability via WAL archives (7 days)
We regularly test restores to ensure backups actually work when needed

Automated Monitoring & Alerts

Our security monitoring runs automatically 24/7. Here's exactly what's monitored and when:

Monitor	Frequency	Alert Trigger	Action
Failed Login Attempts	Every 5 minutes	>5 failed PostgreSQL logins	Email alert + log IP addresses
Disk Space	Every 15 minutes	>85% usage	Email alert to operator
Memory Usage	Every 15 minutes	>90% usage	Email alert to operator
SSL Certificate Expiry	Every 6 hours	<30 days until expiry	Email warning to renew
Security Events	Every hour	fail2ban bans, suspicious queries, SSH failures	Email alert with details
Security Hardening Score	1st of month at 3 AM	Lynis score <70	Email report + remediation

Note: Additional monitoring capabilities (real-time uptime checks, automated backup verification) are currently in development and will be added soon.

All alerts include:

Detailed description of the issue
Server hostname and IP address
Timestamp of detection
Recommended actions
Direct contact information

Alert delivery: Real-time email alerts via Resend API to operator. Customer notifications sent within minutes of detection for critical issues (P0/P1).

Security Standards We Follow

We don't reinvent the wheel. We follow industry-proven security standards and best practices:

Standard	Description
Linux Server Security Guide	Comprehensive server hardening procedures
Mozilla OpenSSH Guidelines	SSH configuration best practices
PostgreSQL Security	Official database security documentation
CIS Benchmarks	Industry-standard security configurations

Transparency

Unlike most database providers, we publish our security procedures publicly:

Why publish security procedures?

Accountability: If we publish our SOPs, we have to follow them
Trust: You can verify we're doing what we say
Education: Help other solo operators learn secure practices
Peer Review: Security experts can spot gaps and help us improve

View our complete security procedures:

Operations Manual - SOPs we follow
GitHub Repository - Full documentation (requires access)

What We Don't Do

Honest security means admitting what we can't provide:

What	Why
99.999% uptime SLA	Unrealistic for bootstrapped service. We guarantee 99.9%
Instant phone support	Email only (base). Slack available: +$29/mo (Shared/Dedicated) or included (Pro/Enterprise)
HIPAA compliance (now)	Requires legal review. Available Month 12+ only
SOC 2 certification	Expensive audit process. Following standards without certification
Penetration testing	Can't afford external pentest. Following documented hardening instead

Incident Response

If something goes wrong, here's what happens:

P0: Database Down (Critical)

Automatic alert to operator (SMS + email)
Email to customer promptly upon detection
Investigation and fix in progress
Regular updates until resolved
Post-mortem report within 24 hours
SLA credit if downtime > 1 hour (pro-rated refund)

Security Incident

Isolate affected systems immediately
Email all affected customers within 1 hour
Forensic analysis
Remediation and hardening
Detailed incident report to customers
Public disclosure (if data breach)

View our complete incident response procedures: Operations Manual

Reporting Security Issues

Found a security vulnerability? Please report it responsibly:

How to Report

Email: jeremy@intentsolutions.io
Subject: "SECURITY: [brief description]"
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)

What to Expect

Acknowledgment: Within 24 hours
Assessment: Within 72 hours
Fix: Critical issues within 7 days, others within 30 days
Credit: We'll credit you (if you want) in our security changelog

Please do NOT:

Post publicly before we've had a chance to fix
Attempt to access customer data
Use automated vulnerability scanners without permission

Security Audit History

Date	Type	Result
2025-10-19	Internal Security Audit	Rating: 75/100 (Good) - 12 improvements identified
Future	External Pentest	Planned once revenue supports cost
Monthly	Automated Scans (Lynis)	Planned

Security Credits

Our security practices are based on proven industry guides and open-source standards. We're grateful to the security community for sharing their knowledge:

How To Secure A Linux Server by imthenachoman - Comprehensive Linux server hardening guide (CC-BY-SA License)
Mozilla OpenSSH Security Guidelines - SSH configuration best practices
Center for Internet Security (CIS) - Security benchmarks and standards
PostgreSQL Global Development Group - Database security documentation

Standing on the shoulders of giants.

Questions?

Security concerns: jeremy@intentsolutions.io
General inquiries: jeremy@intentsolutions.io