Every claim on this page maps to a real control we operate — not marketing copy. We're independently audited and publish exactly how the platform is defended.
The authentication and authorization controls that sit between an attacker and your dashboard.
TOTP (RFC 6238) via any authenticator app — Google Authenticator, 1Password, Authy. Enable in Settings → Security.
Passwords are hashed with bcrypt at cost factor 12. The plaintext never touches our database or logs.
Every account must verify its email before it can deploy infrastructure or access sensitive operations.
Destroying a server requires a 6-digit code from your authenticator app, or an email code if 2FA is off.
Changing your password immediately invalidates every existing session across every device. No lingering tokens.
Every login, deploy, power action, reinstall, deletion, and 2FA change is logged and visible in your dashboard.
Isolation and network-level defences for the servers, IPs, and DNS we operate on your behalf.
Customer workloads run as fully isolated virtual machines on a telco-grade enterprise hypervisor. No shared kernels, no noisy-neighbour effects.
Every customer IP is cryptographically pinned to its VM at the network edge with static L2 bindings. Spoofed packets are dropped before they reach any host.
Telco-grade DDoS mitigation is included by default on every service. Layer 3/4 volumetric attacks are absorbed upstream at the carrier level before they reach your server.
ns1.otwadns.com and ns2.otwadns.com are dedicated nameservers we run on hardened hosts. No third-party DNS dependency.
10 login attempts / minute, 5 registrations / minute, strict throttle on password reset and 2FA endpoints.
Host-level firewalling and intrusion-prevention on every node, SSH key-only with no password auth, and strict HTTP security headers on every response (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
How we protect the data you trust us with — in transit, at rest, and in our logs.
Every byte between your browser and our platform is encrypted with TLS 1.3. HTTP redirects to HTTPS with HSTS preload.
Sensitive settings — API keys, payment gateway secrets, registrar credentials — are encrypted at rest with AES-256-GCM before being written to the database.
Every database query enforces ownership at the persistence layer. One customer cannot read, modify, or list another customer's servers, domains, or billing.
Authentication, infrastructure, and billing events are logged with IP and user-agent. Logs are retained for 90 days and available to you in the dashboard.
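The response-header and HSTS preload claims above can be checked from outside the platform. The following is an added example, not the provider's own code: it audits a set of response headers for the four the page names and for the HSTS preload list's requirements (max-age of at least one year, `includeSubDomains`, `preload`). The sample headers and the name `audit_headers` are constructed for illustration.

```python
# Constructed sample headers for illustration; not captured from any real host.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK = {
    "strict-transport-security": "max-age=86400",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
MIN_PRELOAD_MAX_AGE = 31536000  # one year: the HSTS preload list minimum


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    # HSTS value looks like 'max-age=N; includeSubDomains; preload'.
    hsts = {}
    for part in h.get("strict-transport-security", "").split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            hsts[name.lower()] = arg.strip('" ')
    if not hsts:
        findings.append("hsts: missing")
    else:
        age = hsts.get("max-age", "")
        if not age.isdigit() or int(age) < MIN_PRELOAD_MAX_AGE:
            findings.append("hsts: max-age below one year")
        findings += [f"hsts: no {d}" for d in ("includesubdomains", "preload") if d not in hsts]
    # CSP value looks like 'directive src src; directive src'; first duplicate wins.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    if not csp:
        findings.append("csp: missing")
    else:  # coarse check: script-src falls back to default-src, else unrestricted
        script_src = csp.get("script-src", csp.get("default-src", ["*"]))
        hashed = any(t.startswith(("'nonce-", "'sha")) for t in script_src)
        if "*" in script_src or ("'unsafe-inline'" in script_src and not hashed):
            findings.append("csp: script sources not restricted")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: missing or invalid")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: missing or not nosniff")
    return findings
```

To audit a live response, pass `dict(urllib.request.urlopen(url).headers.items())` to `audit_headers`.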
We publish live platform status and operate a responsible disclosure policy. If you believe you've found a security issue, please contact us before public disclosure — we acknowledge every report within one business day.
Platform availability and uptime metrics are reported on /status. Legal terms are on /privacy and /terms.