SaaS Infrastructure Details¶
The next parts of this document describe our own infrastructure security policies; they do not apply if you choose the on-premises option.
Toucan Toco SaaS applications are all hosted on dedicated bare metal servers provided by Scaleway.
The datacenters DC3/DC5 are physically located in Vitry (France) and respect all hosting standards (security, network, client isolation):
- PCI DSS (2017)
- ISO 27001 (2017)
- HDS (2017)
- ISO 50001 (2014)
- Tier III design by the Uptime Institute (2014)
All the details of the datacenters are described in the official Scaleway public documentation:
Since Toucan Toco is present in the US, we are also able to host our customers’ projects on Amazon Web Services.
We mainly use dedicated Amazon Elastic Compute Cloud instances to host all the parts of a project’s stack.
Our main region is US East Ohio (aka us-east-2).
All details about the AWS compliance/certifications are fully described and available on the official website.
Please note that our hosting providers never get access to our servers, logs or your data. They are only hardware and service suppliers; we manage all the VMs and bare-metal servers ourselves.
Infrastructure Security Policies¶
We respect the usual good practices for SaaS hosting:
- We only expose the HTTPS, HTTP (automatically redirected to HTTPS) and SSH services.
- We do not expose management interfaces directly on the Internet. A VPN connection is required first, using strong two-factor authentication (certificate and credentials).
On our cloud offer, we ensure that each client’s data is strictly isolated from every other client’s. Each client runs its own private containers for:
- its application server (API)
- its database (MongoDB)
- its cache (Redis)
Containers are operated by Docker, linked using Docker networks and exposed only to the other containers that need them (e.g. the Redis container is not linked to the MongoDB container).
Thus, only the API container is able to reach its associated database container.
We ensure isolation between clients with separate Docker networks.
With the dedicated SaaS mode, your whole stack is isolated by design, because you get your own dedicated server in the Toucan Toco infrastructure.
We apply this policy to ensure our servers stay safe at all times:
- fail2ban on HTTPS, SSH and on the Toucan app (on failed logins) to prevent brute-force
- management interface password access disabled
- management interface root access disabled
- management interface login grace time
- management interface auto-logout on inactivity
- IPv6 disabled
We enforce standard SSL/TLS transport by allowing only strong cipher suites. You can audit this by checking our SSL Labs test results.
Our containerized infrastructure prevents any malicious propagation if a container is compromised.
Containers communicate on a private network and cannot access resources of other containers, except those explicitly defined on selected ports.
Furthermore, files uploaded by users are never stored on a file system (they are stored in a database), which prevents malicious files from being executed remotely.
Secrets and credentials such as:
- database accounts
- API secrets (JWT signature)
are unique for each of our clients and strong enough (complexity and length) not to be brute-forced.
We disable the use of system passwords on management interfaces. Nevertheless, we make sure they are never stored in plain text on file systems.
SSH access is only available to Toucan Toco’s administrators.
PubkeyAuthentication is allowed, and keys must meet the following requirements:
- keys must be RSA
- with a size of 4096 bits
- protected by a passphrase
Admin privileges and SSH keys are automatically managed by our Ansible playbooks. The management is a fully automated process with no manual actions of Toucan Toco’s administrators.
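As an added example (not Toucan Toco’s own tooling), the following script audits an sshd_config file against the management-interface policy listed above: password access disabled, root access disabled, public-key authentication allowed, a login grace time, auto-logout on inactivity and IPv6 disabled. It assumes the policy is implemented in sshd_config; the thresholds, the sample configurations and the use of ClientAliveInterval for idle auto-logout are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not Toucan Toco's own tooling: audit an sshd_config against
# the management-interface policy listed above. Thresholds, file contents and
# the choice of ClientAliveInterval for idle auto-logout are assumptions.
# sshd_value CFG KEY: effective value of KEY (first occurrence wins, as in sshd;
# Match blocks are ignored). Prints nothing when the key is absent.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# check_eq CFG KEY WANTED DEFAULT: DEFAULT is sshd's value when KEY is absent.
check_eq() {
    got="$(sshd_value "$1" "$2")"; [ -n "$got" ] || got="$4"
    [ "$got" = "$3" ] || { echo "FAIL $2=$got (policy: $3)"; return 1; }
}
# check_range CFG KEY MIN MAX DEFAULT: numeric value must lie in MIN..MAX.
check_range() {
    got="$(sshd_value "$1" "$2")"; [ -n "$got" ] || got="$5"
    { [ "$got" -ge "$3" ] && [ "$got" -le "$4" ]; } 2>/dev/null \
        || { echo "FAIL $2=$got (policy: $3..$4)"; return 1; }
}
# audit_sshd CFG: one FAIL line per violation; exit status = violation count.
audit_sshd() {
    n=0
    check_eq "$1" PasswordAuthentication no yes         || n=$((n+1))  # no password access
    check_eq "$1" PermitRootLogin no prohibit-password  || n=$((n+1))  # no root access
    check_eq "$1" PubkeyAuthentication yes yes          || n=$((n+1))  # keys allowed
    check_eq "$1" AddressFamily inet any                || n=$((n+1))  # IPv6 disabled
    check_range "$1" LoginGraceTime 1 60 120            || n=$((n+1))  # login grace time
    check_range "$1" ClientAliveInterval 1 900 0        || n=$((n+1))  # idle auto-logout
    return "$n"
}
# Constructed sample configurations: one hardened, one left near distro defaults.
HARDENED=$(mktemp); WEAK=$(mktemp); trap 'rm -f "$HARDENED" "$WEAK"' EXIT
cat >"$HARDENED" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
AddressFamily inet
LoginGraceTime 30
ClientAliveInterval 300
EOF
cat >"$WEAK" <<'EOF'
# constructed: only what a typical image sets; password logins stay enabled
PermitRootLogin prohibit-password
PubkeyAuthentication yes
EOF
audit_sshd "$HARDENED" && echo "hardened config: compliant"
audit_sshd "$WEAK" || echo "weak config: $? violation(s)"
```

The weak sample fails five checks (password logins, root login, IPv6, grace time and idle timeout are all left at sshd defaults), which is the kind of drift a configuration-management run would be expected to correct.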
System and data partitions are not encrypted. But as explained earlier in this document, even on shared instances, everything is containerised and isolated by design thanks to Docker.
Moreover, keys, application passwords and database passwords are dedicated and different for each instance/project.
We operate separate staging, preprod and production environments, configured identically and with the same backup and monitoring policy.
We treat our demo as a separate customer (ourselves). Testing and auditing it gives the same results as testing your own instance.
LoadBalancer and Failover¶
Currently the whole front-end stack is fully redundant behind a round-robin load balancer.
We can lose half of our front-end stack without any disruption. The recovery process is fully automated and the convergence time is less than 1 minute.
Disaster Recovery Plan - DRP¶
If our datacenter suffers a major and critical incident and we lose all our production servers, our service will be degraded during the recovery time.
We currently do not have a fully automated datacenter fallback process. However, we have reserved resources in another Scaleway datacenter where we can redeploy our full infrastructure and data with our automated scripts (thanks to our Infrastructure as Code policy).
By design, the DRP of a production client stack is just a basic migration process (redeploy, backup restoration and potential DNS changes), and each step is fully automated.
We use our migration procedure at least once a month. Our DRP follows the same approach, but for all our production and client instances, and it is fully automated.
If we need to restore our infrastructure from scratch, we will continue to respect our SLA.
General Data Protection Regulation - GDPR¶
Toucan Toco has already filed a statement with the CNIL (Declaration Number: 2129004 v 0). Legal notices on the use of data collected via the website are also available on the Toucan Toco website.
The new requirements of the GDPR are paramount, and our team is working diligently to adjust the processes in place to comply with them. To that end, we:
- continue to invest in our security infrastructure
- ensure that the appropriate contractual conditions are in place
Please check our dedicated public note about it for more details and information.
Service Level Agreement - SLA¶
Our SLA includes the following points:
- Clients are able to connect to the Toucan Toco application 24/7 all year long, except during maintenance or infrastructure operations. When these operations cause downtime, they are scheduled outside business hours, and the Toucan Toco ops team warns the clients by e-mail with details about the downtime period.
- Toucan Toco applications have an uptime of 99% over a calendar month.
- The whole infrastructure is monitored and backed up 24/7 all year long.