We aim to protect your data and keep operations stable in two ways: through high availability and through high-quality security.
Availability & Security
We achieve both high availability and security through a combination of physical and software measures that we apply to the design, operation and administration of physical and virtual computing infrastructure.
In practice, this means that we place our technology in private data rooms within data centres designed to meet the TIER 3 standard. The physical and virtual computing infrastructure is built on enterprise-grade hardware and software with manufacturer support. Both the physical and the virtual computing infrastructure are configured in accordance with the hardware and software manufacturers' best practices and run the latest stable versions of their operating systems.
Elements of our datacentres
TIER 3 certification
Data centres around the world have been designed and classified according to the international TIER standard for several decades. The standard differentiates data centres by the degree of redundancy of all key elements, business continuity and access to technology. The key measure is therefore the ability to maintain business continuity in the event of a power failure, a cooling failure, the failure of individual branches of the data network, an attempted intrusion, and so on. We house our technology in private data halls in several data centres across the European Union that are designed and operated to meet the TIER 3 standard. At this level, N+1 redundancy is ensured for all non-IT elements, so maintenance or expansion of the data centre can take place without downtime. For security reasons, our data centres are geographically separated and interconnected by dedicated data circuits. Your data can be served transparently from multiple data centres without any intervention on your part. Furthermore, we strictly ensure that production data and backups are always geographically separated.
Private data rooms
Within the data centres, we use private data halls that do not adjoin the outer wall of the building. They are separated from the rest of the data centre by walls of resistance class RC3 in the NSA classification. The halls themselves contain only racks and cooling units. Other data centre systems, such as the fixed fire extinguishing system, the electronic fire suppression system, the access control system, CCTV, the electronic security system, and monitoring, measurement and control, are accessible only to data centre personnel for security reasons.
High voltage is always supplied through two independent power connections, each with its own switching station. In the event of a power failure, diesel generators in an N+1 configuration with central fuel management provide backup. Low voltage is supplied by the power substations, each of which has at least an N+1 element configuration as recommended by the Uptime Institute. All data centre operational support systems, such as cooling and security, are backed by separate non-IT UPS power supplies.
In accordance with the TIER 3 standard, the cooling sources are arranged in an N+1 circuit and the cooling distribution in at least N+1. The cooling medium is distributed through double piping. All components of the cooling system are redundant and powered from two independent power supplies.
Physical hosts and storage
To ensure high availability, we use only enterprise-grade hardware from Hewlett Packard Enterprise with the highest available support level and a guaranteed replacement time for defective hardware. The physical computing infrastructure consists of hardware from Hewlett Packard Enterprise and Cisco Systems. As physical hosts we use proven server lines, namely Synergy, ProLiant DL and Apollo Systems.
For virtualisation we use enterprise-grade VMware products under the highest available licence, Enterprise Plus. This entitles us to build advanced functionality into our services, such as vSphere HA, vSphere DRS / SDRS and, if the customer wishes, vSphere Fault Tolerance, which reduces possible downtime to milliseconds.
Internet connectivity in our data centres is always redundant and supplied by two independent providers. The entire environment is protected by active DDoS mitigation (so-called Anti-DDoS), which detects and blocks potential attacks. There is no charge for transferring data to and from the Internet. We also support connections over private lines, e.g. MPLS, and cooperate with most telecom operators for this purpose. By agreement, a customer's own device can be placed in our data centres to terminate the private line.
We are one of the few providers to use exclusively HPE 3PAR fully redundant all-flash storage, divided into performance tiers. IOPS are assigned to a specific disk tier at both the product and the technical level to ensure stable operation and fair access to the service for all our customers. Communication between the physical hosts and the storage runs over a dedicated, isolated Fibre Channel network, which benefits not only latency but, above all, the high availability and security of operation. Storage-level data encryption is supported as an optional extra.
At the outer edge of customer clouds we use VMware NSX Edge firewall technology; if the customer wishes, we can implement other firewall technologies instead. We use VMware NSX to virtualise network traffic, so that all our customers' virtual networks are isolated from each other using VXLAN.
Access to the data centre
Access to the data centre is granted only to personnel authorised in accordance with our internal security rules, after they present their personal documents to security. Access to the private data rooms additionally requires verification by a fingerprint and bloodstream scanner. It is therefore not possible to enter the private data rooms without prior authorisation.
All backups are encrypted by default using the Veeam backup software. Customer connections to the cloud support encrypted VPN technology, so data can be transmitted in encrypted form all the way from the end device; alternatively, you can use your own private circuit or an MPLS connection to keep the network traffic isolated. Our technical staff connect to the data centre in the same way to increase security.
At the customer's request, data can be encrypted at the storage layer or at the VMware vSphere virtualisation layer. As a result, anyone who might gain partial access to such encrypted data in predefined situations when handling technical support requests, including our own employees, cannot read the stored data without the active cooperation of the customer. Without the encryption key, decrypting this data is practically impossible.
Access to the technology administration interfaces is restricted to our authorised administrators, requires multi-factor authentication and is governed by access roles defined in our internal identity manager. Central activity logging is enforced for these privileged users.
The assigned access rights and their history are reviewed as part of regular security audits. Our technical support operates on two escalation levels overseen by the Support Manager. Outside the technical support organisation, specialised IT operations and R&D engineers are brought in to handle defects or implementation requests only when the complexity of the problem requires their highly specialised expertise.