Legal & Compliance
Network Segregation & Threat Monitoring
Effective: May 26, 2026 · Next review: May 26, 2027 · Pythias Technologies, LLC
1
This policy defines Pythias Technologies' standards for securing its network infrastructure, segregating environments, and monitoring for threats. It applies to all network-connected systems and services operated by or on behalf of Pythias.
2
Pythias maintains logical separation between production, development, and administrative environments:
Production systems (MongoDB Atlas, application servers, Wasabi storage) are isolated from development and testing environments.
MongoDB Atlas clusters are restricted by IP allowlist — only authorized server IPs may connect to the production database.
Application servers are hosted on dedicated infrastructure with inbound access limited to HTTPS (443) from the public internet and SSH (22) from authorized administrator IPs only.
Internal services communicate over private/internal network channels where possible; all cross-service traffic uses authenticated API calls.
Development and staging environments do not share credentials, API keys, or databases with production.
3
All inbound traffic to production servers is filtered at the host and/or cloud provider level. Only ports 80 (redirected to 443) and 443 are open to the public.
Administrative access via SSH is restricted to key-based authentication from approved IP ranges. Password-based SSH authentication is disabled.
Default-deny inbound rules are applied — all ports are closed unless explicitly opened for a documented purpose.
Cloud provider security groups (where applicable) are reviewed quarterly to remove any unused rules.
4
Application logs are retained for 30 days and reviewed for anomalous patterns including repeated authentication failures, unexpected API calls, and unusual data access volumes.
MongoDB Atlas alerts are configured to notify on unauthorized connection attempts, unusual query patterns, and replication anomalies.
Server-level access logs (SSH, HTTP) are monitored. Repeated failed login attempts trigger account lockout or temporary IP block.
Rate limiting is applied to public-facing API endpoints to mitigate brute-force and abuse attempts.
Any detected threat or anomaly is treated as a security incident per the Incident Response Policy.
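The log review described in this section (repeated authentication failures leading to a temporary IP block) can be expressed as a small sliding-window detector. The following is an added example, not code from Pythias Technologies; the key=value log format, the field names, the threshold of 5 failures in 10 minutes and the 15-minute block are all assumptions chosen for illustration, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample application auth-log lines. The key=value layout is an
# assumption for this example, not the format of any real Pythias system.
SAMPLE_LOG = """\
2026-05-26T10:00:01Z auth result=fail user=admin ip=203.0.113.7
2026-05-26T10:00:03Z auth result=fail user=admin ip=203.0.113.7
2026-05-26T10:00:05Z auth result=ok user=deploy ip=198.51.100.20
2026-05-26T10:00:06Z auth result=fail user=root ip=203.0.113.7
2026-05-26T10:00:08Z auth result=fail user=test ip=203.0.113.7
2026-05-26T10:00:09Z auth result=fail user=oracle ip=203.0.113.7
2026-05-26T10:00:30Z auth result=fail user=alice ip=192.0.2.9
2026-05-26T10:20:00Z auth result=fail user=alice ip=192.0.2.9
2026-05-26T10:20:02Z auth result=ok user=alice ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


class FailedLoginMonitor:
    """Per-IP sliding window over failed logins; blocks an IP that crosses the threshold."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 block_for=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> deque of (timestamp, user)
        self.blocked_until = {}             # ip -> datetime the block expires
        self.alerts = []                    # alerts raised, in order

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, event):
        ip, now = event["ip"], event["ts"]
        if event["result"] == "ok":
            # A successful login ends the failure streak for that source IP.
            self.failures.pop(ip, None)
            return None
        recent = self.failures[ip]
        recent.append((now, event["user"]))
        # Drop failures that have aged out of the window.
        while recent and now - recent[0][0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold and not self.is_blocked(ip, now):
            self.blocked_until[ip] = now + self.block_for
            alert = {
                "ip": ip,
                "failures": len(recent),
                "users": sorted({user for _, user in recent}),
                "first_seen": recent[0][0].isoformat(),
                "blocked_until": self.blocked_until[ip].isoformat(),
            }
            self.alerts.append(alert)
            return alert
        return None


def scan(log_text, **kwargs):
    """Run the monitor over a block of log text and return it for inspection."""
    monitor = FailedLoginMonitor(**kwargs)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            monitor.observe(event)
    return monitor


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG).alerts:
        print(alert)
```

Two details matter for a detector like this: the window is evaluated per source IP so a single address retrying many usernames is caught, and a later failure from a different address (192.0.2.9 above, two failures twenty minutes apart) stays below the threshold and is not blocked. A production version would feed the block decision to the firewall or cloud security group and raise the alert through the Incident Response Policy's channel rather than printing it.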
5
Administrative access to production systems from outside the office network is permitted only under the following conditions:
Access is via SSH with key-based authentication only. No password SSH, no RDP to production.
SSH keys must be passphrase-protected and stored securely on the administrator's device.
Remote administrators are expected to use a secure, private network — no public Wi-Fi without a VPN.
Any administrative session must be terminated when not in active use.
6
Connections to third-party services (ShipStation, marketplace APIs, OpenAI, Google) are made outbound over HTTPS only. Inbound webhooks from third parties are validated using shared secrets or HMAC signatures before processing. No third party is granted direct inbound network access to Pythias infrastructure.
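Validating an inbound webhook with an HMAC signature, as the paragraph above requires, looks like the following. This is an added example, not Pythias code and not the signature scheme of ShipStation, Google or any other named vendor (each real provider defines its own header names and message construction); the `X-Webhook-Timestamp` and `X-Webhook-Signature` headers, the `timestamp.body` construction and the shared secret are assumptions for illustration. Both sides are shown so the exchange can be exercised offline.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only. A real secret is issued by the
# third party and read from a secret store, never embedded in source.
SHARED_SECRET = b"example-shared-secret-not-real"
MAX_SKEW_SECONDS = 300  # signatures older than five minutes are refused (replay window)


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over 'timestamp.rawbody' (hypothetical scheme)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, timestamp: int, body: bytes) -> dict:
    """Headers a sender following the hypothetical scheme would attach."""
    return {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign_webhook(secret, timestamp, body),
    }


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes, now=None):
    """Receiver side. Returns (ok, reason); runs over the raw bytes, before any parsing."""
    now = int(time.time()) if now is None else now
    ts_header = headers.get("X-Webhook-Timestamp")
    sig_header = headers.get("X-Webhook-Signature")
    if ts_header is None or sig_header is None:
        return False, "missing signature headers"
    try:
        ts = int(ts_header)
    except ValueError:
        return False, "malformed timestamp"
    # Binding the timestamp into the MAC and bounding its age limits replay of a
    # captured request to the skew window.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = sign_webhook(secret, ts, raw_body)
    # Constant-time comparison so the check does not leak how many leading
    # characters of the supplied signature were correct.
    if not hmac.compare_digest(expected.encode(), sig_header.strip().lower().encode()):
        return False, "signature mismatch"
    return True, "ok"


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes, now=None) -> dict:
    """Reject unverified requests before the body is parsed or acted on."""
    ok, reason = verify_webhook(secret, headers, raw_body, now=now)
    if not ok:
        return {"status": 401, "reason": reason}
    payload = json.loads(raw_body)  # parse only after the signature is confirmed
    return {"status": 200, "event": payload.get("event")}


if __name__ == "__main__":
    # Constructed request from a hypothetical shipping provider.
    body = b'{"event":"order.shipped","order_id":"12345"}'
    ts = int(time.time())
    print(handle_webhook(SHARED_SECRET, build_headers(SHARED_SECRET, ts, body), body))
    print(handle_webhook(SHARED_SECRET, build_headers(SHARED_SECRET, ts, body),
                         body.replace(b"12345", b"99999")))
```

Two points a reviewer would check in any real handler: the MAC must be computed over the exact raw request bytes rather than a re-serialised JSON object (re-serialisation changes whitespace and key order and the check silently fails or, worse, is skipped), and the comparison must use `hmac.compare_digest`, not `==`.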
7
This policy is reviewed annually (next review: May 26, 2027) and updated following any significant infrastructure change, security incident, or vendor change that affects network topology.
© 2026 Pythias Technologies, LLC · All rights reserved