You’ll be in good company

IT Security and GDPR

Keeping up with optimal security standards is a constant challenge, as web security is a fast-moving target. With GoPublic, you are aligned with like-minded organisations that have zero tolerance for not adhering to security regulations and best practices. Rest assured, you are in a community committed to maintaining the highest standards of IT security and GDPR compliance.

Join the Authorities Responsible

When you use GoPublic, you are utilising the same CMS as the authorities responsible for setting the rules and monitoring compliance with web standards. This ensures that your website adheres to the highest levels of regulation and best practices, keeping you aligned with the very organisations that define and enforce these standards.

Anti DDoS

GoPublic provides two options for DDoS protection depending on the assessment of the appropriate security level.

Standard anti DDoS measures include:

  • Active hardware protection using Arbor and Juniper hardware provided by our hosting partner, Hetzner
  • Dynamic IP-filtering solution provided by our hosting partner, Hetzner 
  • In the event of an attack, further IP restrictions are set at both the firewall level and the client solution level. The restrictions often include geo-fencing.

Advanced anti DDoS measures include:

  • On top of the above, we provide the leading DDoS protection from Akamai.
  • In this scenario, all front-end end-user traffic is served through Akamai's many edge servers, as close to the user as possible.
  • In the event of a DDoS attack, Akamai's world-leading IP-filtering technology kicks in and scrubs bad traffic as close to the request as possible.
  • Furthermore, traffic is served in a cached version, eliminating the need to request and render the page from GoPublic infrastructure.
  • The setup has been tested multiple times in real-life major DDoS attacks with great success.
  • Concerning GDPR and the use of Akamai: 
    • All traffic between Hetzner infrastructure and Akamai is encrypted and IP-addresses are pseudonymised. Only Akamai servers placed within the EU are used to serve traffic. 

IT security

Among the security guidelines we always comply with are:

  • Technical Minimum Requirements for Danish Government Clients.
  • OWASP Top 10 (The Open Worldwide Application Security Project)
  • Sikker På Nettet

These requirements ensure the following, among other things:

  • Log files are kept for 12 months.
  • Websites are backed up (snapshots) at least every 24 hours and can be recovered in less than 30 minutes.
  • Security updates are patched within 24 hours.
  • We regularly update and review our internal IT security policy and conduct awareness training of employees.

GDPR

Every client has a Data Processing Agreement with GoPublic. Our Data Processing agreement is based on the official template from the Danish Data Protection Agency.

When using GoPublic we make sure that no data leaves the EU.

You can download our latest DPA here: 

  • Data Processing Agreement for Clients hosted at Hetzner
  • Data Processing Agreement for Clients hosted at Hetzner and Akamai

Cookies

GoPublic lives up to EU regulations regarding cookies and comes with built-in cookie banner functionality. Our aim is that our clients use as few tracking cookies as possible and don’t use advertising cookies at all. In order not to track individuals using cookies, but still get analytics data to improve content creation, we’ve done the following:

  • The built-in analytics section in GoPublic was built to support these standards; it is not cookie-based but uses anonymised server data.
  • Likewise, the analytics in our built-in newsletter service don’t use spy pixels to track individuals; they use only anonymised server data to track deliveries and open rates.

Security and GDPR certificates and audits

GoPublic is audited yearly by an independent IT Auditor. We’re audited on the ISAE 3000 standard. All earlier audits are available here. 

Our hosting partner, Hetzner, has an ISO 27001 Certification.

Infrastructure Overview

GoPublic runs on dedicated physical servers to eliminate risks associated with external access and prevent data from being sent to third parties. The servers are located in Germany and are hosted by Hetzner.

The servers are virtualized into a high availability environment. This means that even if one of the physical servers stops working the virtual environment will keep working. 

Application Overview

GoPublic is built from the ground up using the latest stable version of Microsoft's programming language .NET (currently version 8).

Designed as a Headless CMS based on Composable Architecture principles, GoPublic offers an editor-friendly way to create content in structured formats. The content is stored in a database and can be easily utilised anywhere through the GoPublic API.

Our front-end application, the Content Delivery Application, leverages this API to display content as a responsive web solution. Editors can use the Grid editor in GoPublic CMS to build custom-designed web pages with extensive flexibility and design versatility.

SSL / HTTPS

We use the non-profit service Let’s Encrypt to issue, maintain and continuously validate SSL certificates for each site hosted on GoPublic.