System security

CKEditor Cloud Services is a Software as a Service solution that processes large amounts of customer data. The safety of the data is a key part of our offering, and we put a lot of effort and resources into security.

# Servers

CKEditor Cloud Services is hosted on AWS, which provides the necessary stability and resilience to different disaster scenarios. The CKEditor Cloud Services architecture has been designed to fulfil all recommendations and best practices from AWS, and to keep the system running even if the underlying infrastructure experiences an outage or other significant issues.

All servers and infrastructure components are hosted in the US East (Northern Virginia) region within a virtual private network that cannot be accessed directly from the public internet. Load balancers are the only publicly available resources. Access to the other components is limited and requires specific permissions, certificates, and VPN access.

Services are deployed and run on multiple servers in AWS, in at least two instances across at least two different availability zones. This provides a 99.99% SLA in AWS on the infrastructure level.

# Data

Databases are running in two different locations, and the data is replicated automatically. Should any of the availability zones fail, the services will automatically switch to a different backup instance in another availability zone.

All permanent data is automatically backed up on AWS servers with the capability to provide point-in-time recovery down to the second for the last 7 days.

Data stored in databases is encrypted at rest and in transit. Additionally, data for every customer and environment is encrypted with different private keys to maximize data isolation between environments and customers.

Employee access is limited to only those individuals who need it to maintain the system.

# Communication

CKEditor Cloud Services uses encryption to protect the communication between the user and the server. All communication interfaces are provided via HTTPS or WSS protocols and accept only TLS protocol version 1.2 or newer.
The CKEditor Cloud Services server does not require any additional network ports to communicate with the user; the communication uses the default TCP port (443). For the connection to work properly, the WebSocket protocol must not be blocked anywhere (e.g. by firewall rules or software on an end-user’s device).

# Dependencies

We continuously monitor our software dependencies and container images with an automated tool that scans for known CVEs. All software dependencies are also updated automatically.

# Monitoring

Our teams regularly test, monitor, and improve the system to ensure continued operations. We monitor and analyze information gathered from our applications and all infrastructure components (network usage, CPU and memory usage, request processing time, etc.). We record all needed logs to provide high-quality support for our customers. All logs are kept for 1 month and any sensitive data is redacted.

Moreover, the system is monitored 24/7 by a bot that simulates real users. The bot runs a series of tests every minute and reports any issues.