Security, plainly
No buzzwords. Here's what we do — and what we don't claim — to keep your sites, customers and revenue safe.
Encryption in transit
Every connection uses TLS 1.3. HSTS preloaded. We refuse TLS 1.0 / 1.1 and weak cipher suites. No exceptions for legacy clients.
Encryption at rest
Database volumes and S3 buckets are AES-256 encrypted. Backups are encrypted before they leave the production network.
2-Factor Authentication
TOTP-based 2FA is included on every plan, with optional email-OTP fallback. 8 single-use recovery codes per user. Admins are required to enable it.
EU-only hosting
Primary region: Frankfurt. Secondary: Stockholm. No data ever transits to non-EEA jurisdictions without a documented Standard Contractual Clause.
Tenant isolation
Each customer site runs in its own DB scope. Plugins execute inside a sandbox with disable_functions + open_basedir profile — one tenant cannot affect another.
Rate limiting + audit log
Per-IP rate limits on every public form. Every admin action is recorded in the activity log with subject, actor, IP and a full diff of changed fields.
Practices we follow
Annual external pen-test
Independent EU-based firm. Critical findings are remediated before the report is signed off.
SAST in CI
Every PR runs static analysis (Psalm + Larastan). A PR cannot merge while it has any security finding of severity above medium.
Dependency monitoring
Composer + npm dependencies scanned daily. Critical CVEs trigger a same-day patch release.
Secrets management
No secrets in the repo. Production secrets live in HashiCorp Vault with quarterly rotation.
Backups + restore drills
Daily encrypted snapshots retained for 30 days. We run a full restore drill once per quarter.
Incident response
Documented runbook. Severity 1 incidents get a public post-mortem within 14 days at /blog.
Signed webhooks
Outbound webhooks are signed with HMAC-SHA256. Customers verify the signature on every request so forged deliveries are rejected.
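As an added illustration of the signed-webhook scheme above (example code written for this page, not RadCMS's own implementation), here is how a receiving side verifies an HMAC-SHA256 signature with a constant-time comparison and a freshness check. The header layout `t=<unix timestamp>,v1=<hex mac>`, the `<timestamp>.<raw body>` signing input and the five-minute replay window are assumptions, not something the page documents.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed (not from the page): the MAC covers "<timestamp>.<raw body>" and the
# receiver rejects deliveries whose timestamp is stale, so a captured request
# cannot simply be replayed later.
REPLAY_WINDOW_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: produce the assumed 't=<ts>,v1=<hex>' signature header."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: True only if the header authenticates `body` and is fresh.

    `body` must be the raw request bytes as received; re-serialising parsed JSON
    can change whitespace or key order and invalidate a genuine signature.
    """
    now = int(time.time()) if now is None else now
    try:
        parts = dict(item.split("=", 1) for item in header.split(","))
        ts = int(parts["t"])
        received = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header: treat as unauthenticated
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False  # stale or far-future timestamp
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == short-circuits on the first mismatch
    # and leaks how many leading characters were correct.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"whsec_constructed_example_secret"  # constructed sample secret
    body = json.dumps({"event": "site.published", "site_id": 42}).encode()  # constructed payload
    header = sign(secret, 1_700_000_000, body)
    print(verify(secret, header, body, now=1_700_000_010))          # True
    print(verify(secret, header, body + b" ", now=1_700_000_010))   # False: body tampered
    print(verify(secret, header, body, now=1_700_001_000))          # False: outside replay window
```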
Password hashing
bcrypt at cost 12 (configurable). No password ever leaves the request boundary unhashed.
Responsible disclosure
Found a vulnerability? Email security@radcms.io with reproduction steps. Encrypt with our PGP key for sensitive findings.
Our commitment
- Acknowledge your report within 48 hours.
- Provide a triage decision within 5 business days (in scope / out of scope / duplicate).
- Keep you updated until the issue is resolved.
- Credit you publicly (if you want) when the fix ships.
- Pay a bounty for valid critical/high findings (case-by-case, currently up to €5,000).
Please do not test against customer data, do not run automated scanners that generate volume, and give us reasonable time to remediate before public disclosure.
Audit in progress · 2026 target
Available for Enterprise plans