Security Policy
Last updated: February 9, 2026
1. Our Security Commitment
At Faciotech, protecting the confidentiality, integrity, and availability of our clients' data is a core business priority. We invest continuously in security infrastructure, processes, and training to ensure that the web hosting, domain registration, SSL, website builder, CRM/ERP, and managed IT services we provide meet the highest standards of protection. This policy outlines the technical and organisational measures we employ across our platform.
2. Physical Security
Our hosting infrastructure is deployed in professionally managed data centres that maintain rigorous physical access controls. These facilities feature 24/7 on-site security personnel, biometric and key-card access systems, CCTV surveillance with retention policies, visitor escort requirements, and environmental protections including fire suppression, climate control, and redundant power supplies with uninterruptible power sources (UPS) and diesel generators.
Physical access to server hardware is restricted to authorised data centre personnel and Faciotech engineers who have completed background verification. All physical access events are logged and audited on a regular basis.
3. Network Security
Our network perimeter is defended by multiple layers of protection designed to detect and mitigate threats before they reach client workloads:
- Firewalls: Hardware and software firewalls segment our network and enforce strict ingress and egress rules. Only traffic required for the normal operation of hosted services is permitted.
- DDoS Protection: We employ upstream DDoS mitigation services capable of absorbing volumetric, protocol, and application-layer attacks. Traffic scrubbing occurs at the network edge, so malicious packets are dropped before they reach our infrastructure.
- Intrusion Detection and Prevention (IDS/IPS): Network traffic is continuously monitored for anomalous patterns and known attack signatures. Alerts are escalated to our operations team in real time, and automated blocking rules are applied when threats are confirmed.
- Network Monitoring: We use continuous uptime and performance monitoring to detect service degradation. Our monitoring platform checks infrastructure health at one-minute intervals and triggers automated incident workflows when thresholds are breached.
4. Server Security
Every server in our fleet is hardened before being placed into production. Our server security practices include:
- Operating System Hardening: We follow industry-standard hardening benchmarks, disabling unnecessary services, removing default accounts, and restricting SSH access to key-based authentication only.
- Automated Patch Management: Security patches for the operating system and critical software packages are applied within 48 hours of release for critical vulnerabilities and within 14 days for lower-severity issues. Kernel live-patching is used where supported to minimise reboot windows.
- Malware Scanning: All shared hosting environments are scanned daily for malware, web shells, and suspicious file modifications using signature-based and heuristic detection engines. Infected files are quarantined and the affected account holder is notified promptly.
- File Integrity Monitoring: Critical system files and binaries are monitored for unauthorised changes. Any modification triggers an immediate alert and investigation.
5. Application Security
We apply defence-in-depth at the application layer to protect client websites and web applications:
- Web Application Firewall (WAF): ModSecurity with the OWASP Core Rule Set is enabled on all shared and managed hosting accounts, providing protection against SQL injection, cross-site scripting (XSS), remote file inclusion, and other common web application vulnerabilities.
- PHP Version Management: Clients can select their preferred PHP version through their control panel. We maintain current, supported PHP branches and retire end-of-life versions on a published schedule, giving clients advance notice to upgrade.
- Application Isolation: Hosting accounts are isolated using CloudLinux CageFS or an equivalent per-account isolation technology, so that no account can read or write another account's files, and per-account resource limits prevent a single account from consuming a disproportionate share of server CPU, memory, or I/O.
6. Account Security
We provide and encourage multiple layers of account protection for our clients:
- Two-Factor Authentication (2FA): Two-factor authentication is available for all client portal accounts and is strongly recommended. We support time-based one-time passwords (TOTP) via authenticator apps.
- Password Policies: Passwords must meet minimum complexity requirements. We store passwords using strong, salted cryptographic hashing algorithms. Passwords are never stored in plain text.
- Login Verification: Our login flow includes email-based verification to confirm the account holder's identity, so that a stolen or guessed password alone is not sufficient to sign in.
- Session Management: Client sessions expire after periods of inactivity. Session tokens are rotated on privilege changes and are transmitted exclusively over encrypted connections.
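The two mechanisms named above, salted password hashing and TOTP, are shown below in a small, self-contained implementation. This is an added illustration and not Faciotech's own portal code: the scrypt cost parameters, the 30-second step, the plus-or-minus one step acceptance window, and the storage format are assumptions chosen for the example. The TOTP routine is checked against the published RFC 6238 reference secret.

```python
"""Illustrative implementation of salted password hashing and TOTP (RFC 6238)
verification. Added example, not Faciotech's own code; the scrypt parameters,
time step, skew window and stored-hash format are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Password storage -----------------------------------------------------
# scrypt with a random per-user salt; cost parameters are illustrative.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt-b64>$<hash-b64>' using a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(actual, expected)


# --- TOTP (RFC 6238, built on HOTP, RFC 4226) ------------------------------
TIME_STEP = 30  # seconds; the default step used by authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the current step and +-`window` steps to tolerate clock skew.
    Each comparison is constant-time so timing does not leak which digit
    differs."""
    at = int(time.time()) if at is None else at
    step = at // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, step + d, digits), code)
               for d in range(-window, window + 1))


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange secrets as (usually unpadded) base32."""
    clean = text.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


if __name__ == "__main__":
    # Constructed demo values.
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))                         # False
    # RFC 6238 reference secret (ASCII "12345678901234567890"); at T=59 the
    # 8-digit SHA-1 code is 94287082.
    rfc_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(rfc_secret, at=59, digits=8))                        # 94287082
```

A production portal would additionally rate-limit code attempts and reject a code that has already been used within its step, so that an intercepted one-time code cannot be replayed inside the acceptance window.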
7. SSL/TLS Encryption
All communication between clients and our platform is encrypted in transit. Our client portal, control panels, email interfaces, and API endpoints enforce HTTPS with TLS 1.2 or higher. We support modern cipher suites and disable deprecated protocols, including SSLv3, TLS 1.0, and TLS 1.1. Clients can provision free SSL certificates for their hosted domains through our automated Let's Encrypt integration, or purchase premium SSL certificates from our store.
8. Vulnerability Management
We conduct regular vulnerability assessments of our infrastructure and applications. Our vulnerability management programme includes periodic internal and external scanning, penetration testing by qualified assessors, prompt remediation of identified vulnerabilities ranked by severity, and tracking of remediation efforts to completion. When third-party software used in our platform discloses a vulnerability, we evaluate our exposure and apply patches or mitigations within the timeframes defined by our patch management policy.
9. Incident Response
Faciotech maintains a documented incident response plan that defines roles, responsibilities, communication protocols, and escalation paths. In the event of a security incident:
- Detection and Triage: Automated monitoring and staff reports are triaged to confirm the scope and severity of the incident.
- Containment: Affected systems are isolated to prevent further impact while preserving forensic evidence.
- Eradication and Recovery: The root cause is identified and eliminated. Services are restored from verified clean backups or rebuilt as needed.
- Notification: Affected clients are notified without undue delay, with clear information about what occurred, what data may have been affected, and what steps we are taking.
- Post-Incident Review: Every significant incident is followed by a review to identify lessons learned and improvements to our defences.
10. Reporting Security Issues
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue affecting Faciotech's infrastructure or services, please report it to security@faciotech.com. Include as much detail as possible, including steps to reproduce the issue. We ask that you refrain from publicly disclosing the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We will acknowledge receipt within two business days and aim to provide an initial assessment within five business days.
11. Client Responsibilities
Security is a shared responsibility. While we protect the infrastructure and platform, clients are responsible for:
- Keeping their application software, plugins, themes, and CMS installations up to date.
- Using strong, unique passwords and enabling two-factor authentication on their accounts.
- Maintaining secure coding practices in custom applications deployed on our platform.
- Performing regular backups of their data in addition to any backups provided by Faciotech.
- Promptly reporting any suspected security incidents or unusual account activity to our support team.
- Complying with our Acceptable Use Policy and refraining from activities that could compromise the security of shared infrastructure.
12. Compliance
Faciotech is committed to aligning our security practices with recognised standards and applicable regulations, including the Data Protection Act, 2012 (Act 843) of Ghana and relevant international data protection frameworks. We periodically review our policies and controls to ensure continued alignment with evolving regulatory requirements and industry best practices.
13. Contact
If you have questions about this Security Policy or wish to report a security concern, please contact us:
- Email: legal@faciotech.com
- Security Reports: security@faciotech.com
- Support: support@faciotech.com
- Phone: +233 553 132 279
Faciotech reserves the right to update this Security Policy at any time. Changes will be posted on this page with a revised "Last updated" date. Continued use of our services after changes are posted constitutes acceptance of the updated policy.
Version History
Initial publication of this policy.