
Security & Compliance

The universe's greatest mistake was thinking "nobody would break through that door." We don't make that mistake. At VeriTeknik, security isn't an add-on package, a bullet point, or a marketing slogan — it's woven into the DNA of our infrastructure, a way of life.

This page explains how we protect your data, which standards we comply with, and what you can do on your end. Grab your towel — we're going deep.

Authentication

Two-Factor Authentication (2FA)

Your password is the key to your house. 2FA is the retina scanner at the door. It works on TOTP (Time-based One-Time Password) — compatible with Google Authenticator, Authy, or any TOTP app you fancy.

  1. Go to Settings > Security
  2. Click Enable 2FA
  3. Scan the QR code with your authenticator app
  4. Enter the verification code to confirm

Save your backup codes

When you enable 2FA, save the backup codes somewhere safe. If your phone falls into an Infinite Improbability Drive (or, more likely, a puddle), those codes will be your only way back in. Store them next to your towel, perhaps.

Magic Link

Remembering passwords shouldn't be as painful as listening to Vogon poetry. With Magic Link, a one-time login link is sent to your email — click it and you're in. No password, no stress.

  • On the login page, select Sign in with Magic Link
  • Enter your email address
  • Click the link in your inbox (valid for 5 minutes)

Is Magic Link secure?

Yes. The link is single-use, expires in 5 minutes, and is sent only to your email address. The security of your email account is therefore critical — we strongly recommend enabling 2FA on your email as well.
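What "single-use" and "expires in 5 minutes" mean on the server, as an added Go example rather than VeriTeknik's implementation: a 256-bit random token is issued, only its SHA-256 hash is stored (an assumption of this example, not something the page states), and the entry is deleted on the first redemption attempt. Composing the email and the URL is out of scope.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"sync"
	"time"
)

type pendingLink struct{ email string; expires time.Time }

// MagicLinkStore keys pending links by SHA-256(token), so a dump of the store
// or a stray log line does not contain usable login links.
type MagicLinkStore struct {
	mu    sync.Mutex
	links map[[32]byte]pendingLink
}

func NewMagicLinkStore() *MagicLinkStore {
	return &MagicLinkStore{links: map[[32]byte]pendingLink{}}
}

// Issue mints a 256-bit random token for email, valid for the page's 5 minutes;
// only the emailed URL carries the token, the store keeps just its hash.
func (s *MagicLinkStore) Issue(email string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.links[sha256.Sum256([]byte(token))] = pendingLink{email, now.Add(5 * time.Minute)}
	return token, nil
}

// Redeem returns the email behind a valid token. The entry is deleted under the
// lock before any check, so a second click, a replay or an expired link all fail.
func (s *MagicLinkStore) Redeem(token string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := sha256.Sum256([]byte(token))
	link, ok := s.links[key]
	delete(s.links, key)
	if !ok || now.After(link.expires) {
		return "", false
	}
	return link.email, true
}
```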

Encryption

AES-256-GCM Data Encryption

Some data is so sensitive that storing it in plain text should be a galactic crime. We treat it as such:

| Data Type | Encryption | Details |
|---|---|---|
| Domain auth codes | AES-256-GCM | Each code encrypted with a unique IV |
| Payment tokens | AES-256-GCM | Card details are never stored in plain text |
| Session data | Server-side | Signed, HTTP-only cookies |

What is AES-256-GCM?

The Hitchhiker's Guide to the Galaxy's security section describes it as "encryption that would take longer than the lifetime of the universe to crack." The 256-bit key length combined with GCM (Galois/Counter Mode) provides both confidentiality and integrity: without the key nobody can read your data, and any change to the stored ciphertext is detected at decryption time instead of being silently accepted.
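What "each code encrypted with a unique IV" looks like in Go's standard library, as an added example and not VeriTeknik's code: a random 96-bit nonce per record, AES-256 selected by the 32-byte key, and GCM's authentication tag rejecting any tampered byte. Binding the domain name as associated data is an extra assumption of this example, as is the key being supplied from somewhere safer than the database it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// newGCM builds the AEAD; the 32-byte key is what makes this AES-256, not AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealAuthCode encrypts one domain auth code. A fresh 96-bit nonce is drawn for
// every record and stored in front of the ciphertext; a nonce reused under the
// same key breaks GCM. The domain is bound as associated data (AAD).
func sealAuthCode(key []byte, domain, authCode string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(authCode), []byte(domain)), nil
}
// openAuthCode decrypts a record. Any altered byte in nonce, ciphertext or tag,
// or a mismatched domain, makes Open fail: that is GCM's integrity check.
func openAuthCode(key []byte, domain string, record []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(record) < gcm.NonceSize() {
		return "", errors.New("record too short to hold a nonce")
	}
	plain, err := gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], []byte(domain))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```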

Access Control

RBAC (Role-Based Access Control)

A system where everyone can access everything is a spaceship with no doors — things get sucked out into the void rather quickly. With RBAC, every user accesses only the resources they need.

| Role | Access Scope |
|---|---|
| Account Owner | Full management, billing, user management |
| Technical Admin | Server management, DNS, monitoring |
| Accounting | Invoices, balance, payment methods |
| Read-Only | View only, no modifications |

Roles are managed under Settings > Team Members. Each role can be customised with granular permissions.

SSH Key Management

Logging into your VPS servers with a password is like calling a locksmith every time you want to open your front door. SSH keys are both more secure and far more practical.

  1. Go to Settings > SSH Keys
  2. Click Add New Key
  3. Paste your public key (ed25519 or RSA 4096-bit recommended)
  4. Give the key a name and save

Added keys are automatically injected into new VPS instances during provisioning.

Use ed25519

RSA is still secure, but ed25519 is shorter, faster, and the darling of modern cryptography. Generate one with ssh-keygen -t ed25519. It's the best practice in this corner of the galaxy.

Auditing & Monitoring

Audit Trail

Our PCI-DSS compliant, immutable audit trail records everything. Logs are written to Elasticsearch in an append-only fashion — once written, nobody can alter, delete, or claim "that wasn't me."

Recorded events include:

  • Every API call and response
  • Login and logout events (successful and failed)
  • Payment and invoicing operations
  • Permission and role changes
  • Server power actions (start, stop, restart)
  • DNS record changes
  • SSH key additions and removals

Logs are immutable

This is a design decision, not a bug. If there's a log entry saying an event occurred, it occurred. No debate. Stricter than Vogon bureaucracy, but necessary for your security.

Login History

View your recent login activity under Settings > Security:

  • Date and time of login
  • IP address
  • Browser and device information
  • Success/failure status

If you spot a login you don't recognise, change your password immediately and enable 2FA.

Change Management

Our PCI-DSS compliant change management process ensures every infrastructure change is documented, approved, and traceable. When a server configuration changes, the who, when, and why are recorded alongside it.

Protection Layers

CSRF Protection

All mutation endpoints are protected by CSRF token validation. This prevents a malicious website from performing actions on your behalf. In technical terms: a unique token is generated with every form submission and validated server-side. If the token doesn't match, the request is rejected. Full stop.

Rate Limiting

Our Redis-based rate limiting operates on both per-IP and per-user levels. Brute-force attacks, API abuse, and DDoS attempts are automatically detected and blocked.

| Endpoint Type | Limit | Window |
|---|---|---|
| Login attempts | 5 attempts | 15 minutes |
| API calls | 100 requests | 1 minute |
| Password reset | 3 attempts | 1 hour |

What happens when I hit the limit?

You'll receive an HTTP 429 (Too Many Requests) response. Take a moment, have a cup of tea, contemplate the meaning of the universe (it's 42, you know), and try again. Limits reset automatically.
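A fixed-window limiter enforcing the table above, as an added Go example and not VeriTeknik's code: an in-memory map stands in for the Redis counters, the clock is passed in so the windows can be reasoned about, and a blocked request comes back with the time until the window resets for the Retry-After header.

```go
package main

import (
	"sync"
	"time"
)

// Limits taken from the table above: login 5/15 min, API 100/1 min, reset 3/1 h.
type limit struct{ max int; window time.Duration }

var limits = map[string]limit{
	"login":          {5, 15 * time.Minute},
	"api":            {100, time.Minute},
	"password_reset": {3, time.Hour},
}

type counter struct{ hits int; start time.Time }

// Limiter is an in-memory stand-in for the Redis counters: one fixed window per
// (endpoint, key). Call Allow with the client IP and again with the user ID as
// the key to get both the per-IP and the per-user level.
type Limiter struct {
	mu       sync.Mutex
	counters map[string]*counter
}

func NewLimiter() *Limiter { return &Limiter{counters: map[string]*counter{}} }

// Allow reports whether the request may proceed. On false the caller answers
// HTTP 429 and can expose retryAfter, rounded up, in a Retry-After header.
func (l *Limiter) Allow(endpoint, key string, now time.Time) (ok bool, retryAfter time.Duration) {
	lim, known := limits[endpoint]
	if !known {
		return true, 0 // endpoints with no configured limit are not throttled here
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	id := endpoint + "|" + key
	c := l.counters[id]
	if c == nil || now.Sub(c.start) >= lim.window {
		c = &counter{start: now} // first hit, or the previous window has elapsed
		l.counters[id] = c
	}
	if c.hits >= lim.max {
		return false, c.start.Add(lim.window).Sub(now)
	}
	c.hits++
	return true, 0
}
```

A fixed window lets a client spend one full allowance at the very end of a window and another at the start of the next; if that matters, Redis sorted sets give a sliding window with the same interface.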

Compliance

PCI-DSS

Every system handling payment card data must comply with PCI-DSS standards. At VeriTeknik, this standard extends beyond payment systems — it permeates the entire infrastructure:

  • Immutable audit trail — append-only logs in Elasticsearch
  • Encrypted data storage — sensitive data encrypted with AES-256-GCM
  • Access control — RBAC enforcing the principle of least privilege
  • Change management — every infrastructure change documented and approved
  • Regular security testing — vulnerability scans and penetration tests

KVKK (Turkish GDPR)

Turkey's data protection legislation, KVKK (the Turkish equivalent of Europe's GDPR), grants you rights over your personal data. We take those rights seriously:

| Right | Description |
|---|---|
| Right to information | Learn what personal data we process |
| Right to correction | Request correction of inaccurate data |
| Right to deletion | Request deletion of your personal data |
| Right to object | Object to data processing activities |
| Data portability | Receive your data in a structured format |

You can submit KVKK requests via Support > New Request under the "KVKK Request" category.

Data deletion process

Deletion requests are processed within 30 days of receipt. Data subject to legal retention obligations (such as invoice records) is anonymised and retained until the legal period expires. Faster than galactic bureaucracy, we promise.

Your Security Settings

Manage all your security settings from one place: Settings (/hub/settings)

| Setting | Location |
|---|---|
| Enable/disable 2FA | Settings > Security |
| Manage SSH keys | Settings > SSH Keys |
| View login history | Settings > Security |
| Security notifications | Settings > Notification Preferences |

Security notifications

You can receive instant notifications for security events (new login, password change, 2FA change, SSH key addition). Enable the security category under Settings > Notification Preferences. Because the most dangerous thing in the universe isn't the threat lurking in the darkness of the unknown — it's the one you didn't notice.


"Don't Panic." — But when it comes to security, a healthy dose of paranoia goes a long way. For questions, reach out to our support team.