CyFun BasicProtect
PR.AC-5: Network integrity
Network integrity (network segregation, network segmentation) is protected
PROTECT | PR.AC-5 | Key Measure
Requirement
Firewalls shall be installed and activated on all the organisation's networks. Where appropriate, the network integrity of the organisation's critical systems shall be protected by incorporating network segmentation and segregation.
Our Implementation
Network integrity is managed through cloud-provider platform controls across all 11 cloud providers. Each provider implements its own firewall, network segmentation, and DDoS protection:
- Edge security: Vercel and Cloudflare provide DDoS protection, WAF capabilities, and edge-level traffic filtering
- Database isolation: Supabase, Turso, Qdrant, and Upstash databases are not publicly exposed — access is restricted to application-layer connections only, with no direct internet-facing database ports
- Compute isolation: Modal and Trigger.dev run workloads in isolated serverless containers
- Network segmentation: Production and development environments use separate credentials, projects, and infrastructure across all providers
There are no self-managed networks, routers, or firewalls — all network-level security is delegated to the cloud platforms under their respective security certifications (SOC 2, ISO 27001).
Gaps / Planned improvements:
- No centralised network monitoring dashboard across all 11 providers (NEX-368)
- No endpoint firewall policy for team member devices (NEX-355)
Evidence
Implemented | L2 — Repeatable