ISO 27001

Web Filtering Policy

Effective: March 17, 2026 · DCF-780

1. Purpose

This document defines H33.ai's web filtering controls in accordance with ISO 27001 A.8.23 (Web Filtering). As a fully remote organization, H33.ai implements web filtering through a combination of endpoint security policies, cloud service controls, and network-level restrictions on production infrastructure to protect against malicious web content, phishing attacks, and data exfiltration.

2. Scope

This policy applies to:

  • All corporate endpoints (laptops, workstations) used by H33.ai personnel for business purposes
  • All production infrastructure (EC2 instances, Elastic Beanstalk environments, managed services)
  • All network traffic originating from or destined to H33.ai-managed systems

3. Endpoint Web Filtering (Corporate Devices)

H33.ai operates a fully remote workforce. Web filtering on corporate endpoints is implemented through the following layered controls:

Microsoft Defender for Endpoint: Provides real-time web content filtering, blocking access to known malicious sites, phishing URLs, exploit kits, and command-and-control (C2) domains. Integrated with Microsoft 365 Security Center for centralized policy management and reporting.
Cloudflare DNS (1.1.1.1 for Families): Configured on all corporate devices as the primary DNS resolver. Blocks resolution of domains associated with malware, phishing, and other security threats at the DNS layer, before any HTTP connection is established.
Browser Security Policies: Corporate browsers are configured to enforce HTTPS-only mode, block mixed content, and display warnings for sites with invalid or expired TLS certificates.

4. Blocked Categories

The following web content categories are blocked across all corporate endpoints and production infrastructure:

  • Malware distribution sites: Domains known to host or distribute malicious software, including ransomware, trojans, and rootkits.
  • Phishing and social engineering: Sites that impersonate legitimate services to harvest credentials or personal information.
  • Command-and-control (C2): Domains and IP addresses associated with botnet C2 infrastructure, remote access trojans, and backdoor communications.
  • Known threat IPs: IP addresses flagged by threat intelligence feeds (Microsoft Threat Intelligence, Cloudflare Radar) as actively hostile.
  • Cryptojacking: Sites that attempt to use visitor computing resources for cryptocurrency mining without consent.
  • Typosquatting domains: Domains that closely resemble legitimate services (e.g., g1thub.com, aw5.amazon.com) used in targeted attacks.

5. Production Infrastructure Network Controls

Production infrastructure has strict outbound traffic restrictions that go beyond endpoint web filtering:

AWS Security Groups

Outbound traffic from production EC2 instances and Elastic Beanstalk environments is restricted via security group rules to only the required service endpoints:

AWS Service Endpoints: S3, Secrets Manager, CloudWatch, STS, and other AWS APIs, accessed via VPC endpoints where available, or via AWS public endpoints over HTTPS (port 443).
GitLab: HTTPS (port 443) to gitlab.com for CI/CD pipeline operations and source code access.
DataDog: HTTPS (port 443) to DataDog intake endpoints for metrics, traces, and log submission.
Stripe API: HTTPS (port 443) to api.stripe.com for payment processing.
Twilio API: HTTPS (port 443) to api.twilio.com for SMS OTP delivery.
NTP: UDP (port 123) to 169.254.169.123 (Amazon Time Sync Service, link-local only).

All other outbound traffic is denied by default. This whitelist approach ensures that even if a production system is compromised, it cannot communicate with arbitrary external hosts.

Network ACLs

VPC Network ACLs provide a secondary layer of network filtering at the subnet level, reinforcing security group rules. NACLs are configured to deny traffic to known threat IP ranges published by AWS Shield and updated automatically.

6. Employee Acceptable Use

Employee web usage is governed by the H33.ai Information Security Policy, which requires:

  • Corporate devices are used primarily for business purposes. Incidental personal use is permitted provided it does not violate security policies.
  • Employees must not attempt to bypass, disable, or circumvent web filtering controls (including VPN tunneling to avoid DNS filtering).
  • Downloading of software from untrusted sources is prohibited. All software installations must be from official vendor sources or approved package managers.
  • Employees must report any suspected phishing attempts or malicious sites to security@h33.ai immediately.

7. Monitoring

  • Microsoft 365 Security Center: Aggregates web threat detections, blocked URL attempts, and endpoint security events across all corporate devices. Weekly summary reports are reviewed by the CISO.
  • DataDog network monitoring: Monitors outbound network connections from production infrastructure. Alerts on any connection attempt to a destination not in the approved whitelist.
  • VPC Flow Logs: Enabled on all production VPCs. Flow logs are sent to CloudWatch and analyzed for anomalous traffic patterns, including unexpected outbound connections, high-volume data transfers, and connections to unusual ports.
  • DNS query logging: Cloudflare DNS provides query logs for corporate devices, enabling detection of DNS-based data exfiltration and communication with known malicious domains.
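The outbound allowlist from Section 5 and the VPC Flow Log analysis from Section 7 can be checked together: any ACCEPTed flow from the VPC to an external destination that is not on the allowlist means a security group has drifted from policy, and any REJECTed flow shows a host attempting an unapproved connection. The script below is an added example, not H33.ai's own tooling; the VPC CIDR, the IP prefixes standing in for the AWS and GitLab endpoints, and the flow log records are all constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed allowlist mirroring the policy's outbound rules. The prefixes for
# AWS and GitLab are placeholders: real values come from resolving the approved
# hostnames or from the vendors' published IP ranges, and must be kept current.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")               # placeholder VPC range
ALLOWED_EGRESS = [
    ("tcp", 443, ipaddress.ip_network("52.216.0.0/15")),      # AWS public endpoints (placeholder)
    ("tcp", 443, ipaddress.ip_network("172.65.251.78/32")),   # gitlab.com (placeholder)
    ("udp", 123, ipaddress.ip_network("169.254.169.123/32")), # Amazon Time Sync Service
]
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}
FIELDS = ["version", "account", "eni", "src", "dst", "sport", "dport", "proto",
          "packets", "bytes", "start", "end", "action", "status"]
# Constructed version-2 default-format flow log records (not real traffic).
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d4e 10.0.1.15 52.216.8.10 45123 443 6 12 2048 1710000000 1710000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e 10.0.1.15 169.254.169.123 39000 123 17 1 76 1710000000 1710000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e 10.0.1.15 203.0.113.50 51000 8443 6 8 640 1710000000 1710000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e 10.0.1.15 198.51.100.7 51001 443 6 1 60 1710000000 1710000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e 198.51.100.9 10.0.1.15 443 51002 6 3 180 1710000000 1710000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e 10.0.1.15 10.0.2.20 51003 5432 6 40 9000 1710000000 1710000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e - - - - - - - 1710000000 1710000060 - NODATA",
]

def parse_flow_log(line: str) -> Dict[str, str]:
    """Split one default-format record into named fields."""
    return dict(zip(FIELDS, line.split()))

def is_allowed(proto: str, dport: int, dst) -> bool:
    """True if (protocol, port, destination) matches an approved egress rule."""
    return any(proto == p and dport == pt and dst in net for p, pt, net in ALLOWED_EGRESS)

def audit_egress(lines: List[str]) -> Tuple[List[tuple], List[tuple]]:
    """Return (drift, blocked): accepted egress outside the allowlist (a security
    group no longer matches policy) and rejected egress attempts (a host trying
    to reach an unapproved destination). Findings are (eni, src, dst, proto, dport)."""
    drift, blocked = [], []
    for line in lines:
        rec = parse_flow_log(line)
        if rec.get("status") != "OK":                # NODATA / SKIPDATA carry no addresses
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in VPC_CIDR or dst in VPC_CIDR:   # only VPC -> external flows
            continue
        proto, dport = PROTO.get(rec["proto"], rec["proto"]), int(rec["dport"])
        if is_allowed(proto, dport, dst):
            continue
        finding = (rec["eni"], str(src), str(dst), proto, dport)
        (drift if rec["action"] == "ACCEPT" else blocked).append(finding)
    return drift, blocked
```

Running it against Flow Logs exported from CloudWatch gives the Section 9 monthly security group review a concrete list of rules to remove, and the blocked list feeds the same alerting path as the DataDog whitelist alerts.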

8. Exceptions

Exceptions to this web filtering policy require:

  1. Written request to the CISO (security@h33.ai) with documented business justification
  2. Risk assessment of the requested exception
  3. CISO approval (or denial with explanation)
  4. Time-limited exception (maximum 90 days, renewable with re-justification)
  5. Documentation of the exception in the compliance exception register (Drata)

No standing exceptions are currently active.

9. Review Schedule

  • Weekly: CISO reviews Microsoft 365 Security Center web threat summary reports.
  • Monthly: Review of production security group rules and outbound whitelist for accuracy and necessity.
  • Annual: Comprehensive review of web filtering policy, blocked categories, endpoint security configuration, and production network controls. Updates as needed based on threat landscape evolution.

Questions?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.

H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945