ISO 27001 Compliance

Last updated: March 5, 2026

1. Overview

BarMake aligns its information security management system (ISMS) with the ISO/IEC 27001:2022 standard. This page describes our approach to information security governance, risk management, and the controls we implement to protect customer data.

2. Information Security Management System

Our ISMS covers all aspects of BarMake's operations, including application development, infrastructure management, customer data processing, and employee access. The ISMS is reviewed and updated annually to address evolving threats and business requirements.

3. Risk Management

  • Risk Assessment: We conduct regular risk assessments to identify, evaluate, and prioritize information security risks.
  • Risk Treatment: Identified risks are addressed through mitigation controls, risk acceptance, or risk transfer as appropriate.
  • Continuous Monitoring: Risks are continuously monitored and reassessed as the threat landscape evolves.

4. Security Controls

Organizational Controls

  • Information security policies and procedures documented and communicated
  • Defined roles and responsibilities for information security
  • Regular security awareness training

Technical Controls

  • TLS 1.2+ encryption for all data in transit
  • AES-256-GCM encryption for sensitive data at rest
  • Multi-factor authentication (TOTP-based MFA)
  • Rate limiting and DDoS protection
  • Security headers (HSTS, CSP, X-Frame-Options)
  • Input validation and parameterized database queries (Prisma ORM)
  • HMAC-SHA256 IP address hashing for privacy-preserving analytics

Physical Controls

  • Infrastructure hosted in OVH data centers with ISO 27001 certification
  • Firebase services backed by Google Cloud's SOC 2 and ISO 27001 certifications

5. Business Continuity

BarMake maintains business continuity plans including automated database backups, infrastructure redundancy, and disaster recovery procedures. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and tested regularly.

6. Supplier Management

Third-party services used by BarMake (Firebase, Stripe, Resend, Twilio) are evaluated for their security posture and compliance certifications. All third-party data processing is governed by appropriate data processing agreements.

7. Certification Status

BarMake is actively working toward formal ISO 27001 certification. Our current security practices are designed to meet or exceed the requirements of the standard. For questions about our certification timeline, contact support@barmake.app.