Security
Last updated: 2026-03-18
The Swedish version of this document is the legally binding version. This English translation is provided for convenience only.
At Frostmoln, security is foundational to everything we build. Our platform is designed from the ground up to protect your data and infrastructure with defence-in-depth principles, operating exclusively within the EU/EEA under Swedish jurisdiction.
Physical Infrastructure Security
Our datacenters are located exclusively within Sweden and the EU/EEA, providing physical security controls including:
• 24/7 on-site security personnel and surveillance
• Biometric and multi-factor physical access controls
• Dedicated server cages with individual access logging
• Redundant power with UPS and diesel generator backup
• Environmental monitoring (temperature, humidity, water detection)
• Fire detection and suppression systems
Encryption
All data is encrypted both at rest and in transit:
• At rest: AES-256 encryption for all block storage (Ceph RBD), object storage (MinIO), and database storage. Encryption keys are managed through HashiCorp Vault with automatic rotation.
• In transit: TLS 1.2+ for all external communications. Internal service-to-service communication is encrypted via mutual TLS (mTLS). We support and recommend TLS 1.3 for client connections.
• Key management: Centralised key management through HashiCorp Vault with strict access controls, audit logging, and automated key rotation policies.
Identity and Access Management
Our identity system provides robust authentication and authorisation:
• Multi-factor authentication (MFA) supported for all customer accounts
• API key authentication with scoped permissions and automatic expiration
• Role-based access control (RBAC) for fine-grained resource permissions
• OpenID Connect (OIDC) integration through Keycloak for enterprise identity federation
• Session management with configurable timeouts and concurrent session limits
• Comprehensive audit logging of all authentication events
Network Security
Multiple layers of network security protect our infrastructure:
• Software-defined networking (OVN) provides complete tenant isolation through virtual private clouds (VPCs)
• Customer security groups with stateful firewall rules for granular traffic control
• DDoS detection and mitigation at the network edge
• Intrusion detection and prevention systems (Suricata IDS/IPS)
• Network segmentation between management, storage, and customer traffic planes
• Annual network penetration testing
Monitoring and Observability
Continuous monitoring across all layers of our infrastructure:
• Real-time metrics collection and alerting (Prometheus/Grafana)
• Centralised log aggregation and analysis (Loki)
• Distributed tracing for request path visibility (Jaeger)
• Host-based intrusion detection (Wazuh)
• Security event correlation and rule-based alerting for suspicious access patterns
Incident Response
We maintain a formal incident response process:
• Documented incident response plan with clear escalation procedures
• 24/7 on-call engineering team for critical incidents
• Post-incident reviews with root cause analysis for all significant events
• Customer notification within 24 hours for security incidents affecting their data, in accordance with our Data Processing Agreement
• Coordination with the Swedish Authority for Privacy Protection (IMY) and CERT-SE as required
• Regular incident response drills and tabletop exercises
Standards we are actively working toward
Our security programme is designed in line with the standards and regulations Europe expects. Frostmoln is a young platform and we do not yet hold formal certifications, but we are actively working toward each of the frameworks below:
• GDPR: Operated in line with the EU General Data Protection Regulation, with all data processed within the EU/EEA
• Swedish data protection legislation: Operated under Swedish jurisdiction in line with Swedish implementations of EU data protection law
• ISO/IEC 27001: Information security practices designed against the standard. We are actively working toward certification; we are not currently certified
• SOC 2: Controls modelled on the Trust Services Criteria. We are actively working toward an external SOC 2 audit, which is not yet completed
• NIS2 / Cybersäkerhetslagen: Actively working toward alignment with the EU NIS2 directive and its Swedish transposition
All data is stored and processed under Swedish and EU jurisdiction, and is not subject to foreign surveillance orders such as the US CLOUD Act or FISA Section 702.
Vulnerability Management
We take a proactive approach to identifying and addressing vulnerabilities:
• Regular automated vulnerability scanning of infrastructure and applications
• Dependency scanning and automated security updates (Renovate)
• Timely patching of operating systems and platform components
• Security-focused code review for all changes
• Static analysis and security linting integrated into CI/CD pipelines
Employee Security
Our team follows strict security practices:
• Security awareness training for all team members
• Principle of least privilege for all system access
• Multi-factor authentication required for all internal systems
• Confidentiality agreements and data protection obligations
• Secure development practices following OWASP guidelines
Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in our platform, please report it to security@frostmoln.se. We commit to:
• Acknowledging your report within 2 business days
• Providing regular updates on our investigation and remediation
• Not pursuing legal action against researchers who act in good faith
• Crediting researchers (with permission) in our security advisories
Please do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it.
Contact
For security-related questions or to report a vulnerability:
Email: security@frostmoln.se

For general enquiries about our security practices:
Svenska Moln AB
Email: info@frostmoln.se
Box 10074
434 21 Kungsbacka
Sweden