Ensuring the security of your project and data is one of our top concerns, so we follow a set of internal guidelines based on ISO27001 to help ensure we're on the right side of secure. The following is a high level overview of our security principles and some technical info on how it's implemented.

Physical Security #

Servd is a software platform which utilises physical servers provided by both Digital Ocean, Civo, Wasabi and Backblaze. These companies and the data centres within which they operate are responsible for the physical security of the servers under their management. All companies use fully SOC-2 compliant physical access procedures including biometric and segmented access restrictions.

You can read more this on their respective sites:

Project Data at Rest #

All project database data and backups are stored encrypted by default, ensuring that direct access to data at rest is protected from 3rd parties. Encryption is provided by the underlying storage service providers, Digital Ocean, Civo, Wasabi and Backblaze, and make use of industry standard encryption algorithms to ensure transparent storage and retrieval of encrypted data.

Accounts and Access #

Servd's internal accounts are provisioned on a per user basis following a minimum-viable-permissions philosophy. This also applies to any inter-service communication in which access scopes are tailored to the application using them.

Credentials require a minimum level of entropy and are signed by administrators private keys where applicable. Access to individual platform components is limited on a per user basis to only the functions each user is authorised to perform. Credential revocation can be performed by internal administrators in the event of a suspected leak.

Access to critical system components is monitored by intrusion detection mechanisms which are able to alert administrators of suspicious activity in real-time, ensuring unauthorised access can be dealt with quickly.

Updates and Security Patches #

We try to keep our platform software as up-to-date as possible, however there are occasions where breaking changes prevent us from applying new software releases quickly. In these circumstances we ensure that critical security patches are applied within at least 1 month of their release and within a designated platform maintenance window if we believe they might incur any end-user downtime.

Security patches for individual PHP / Craft projects hosted on the platform are made available for inclusion in your bundles as soon as possible, however we do not automatically apply updates to PHP and Craft - instead they are automatically included in your new bundles. This ensures you always have easy access to the latest vulnerability patches (just build a new bundle), but we don't risk breaking your project by auto-applying breaking changes. It's important that you check regularly for available updates for your projects - we'll also send out global emails for critical security issues to keep you informed.

Firewalls and Traffic #

The Servd platform is restricted to receiving only a small number of traffic types on specific ports. Specifically we only allow traffic of the following types:

- HTTP: Port 80

- HTTPS: Port 443

- MySQL: Port 6033

- SSH: Port 2200

All of this traffic passes through at least one proxy service before arriving at your project's running instances. This allows us to manage the updates and security of these entrypoints as a whole for the platform, rather than individually per-project. It also ensures that access via these entrypoints can be centrally managed and deactivated on a per-project basis. We encourage you to only activate MySQL and SSH access as required and disable it after each use.

All incoming traffic also passes through an internet-facing load balancer which is the only component within the platform which receives external traffic directly - all other components are not exposed to the wider internet and only accept traffic from services running within the same VPC address space.

Database Access #

Database access is restricted to traffic originating from inside the platform VPC (your project's PHP instances and optionally the database connection proxy). Databases cannot be accessed directly from the internet.

All databases are provisioned with a single user per-database which has access to that database only. Every database user is protected by a unique auto-generated password which is only shared with your project's PHP instances.

Ephemeral Filesystems #

All Servd projects run on an ephemeral filesystem, ensuring any unexpected changes can be undone by simply redeploying your application. This has some significant security benefits as it prevents any attackers from being able to persist any changes they make - even if they leave behind scripts intended to re-install exploits if they are ever removed.

A redeploy on Servd resets your entire project filesystem to a known-safe state. You can read more about that here.

Network Segregation #

Servd runs as a multi-tenant platform, meaning we use some shared infrastructure components for multiple projects. In order to ensure that projects within the platform are not able to communicate directly with each other, we implement strict network segregation between project components. This ensures that even though two projects might be running side-by-side within the Servd platform, any traffic they send to one another has to exit the platform and re-enter via the internet-facing load balancers - applying all of the same rules and restrictions that that entails. Traffic sent directly from one project to another via the use of the VPC's internal address space is simply dropped.

Staff Access #

Servd's staff have access to client projects to help with debugging and problem remediation. However we will always ask permission before accessing any database data. Project data will not be copied to any other location during these activities.

Servd's staff employ secure access to both internal and any third party services that we use. This includes the use of strong passwords, password management and MFA as a blanket policy. Access to our own infrastructure is managed via public/private key pair signed certificates whose access credentials are confirmed and maintained by system administrators. All certificates are revokable and have a limited lifespan.