Security

Security, as a process

At Clever Cloud, security is not an afterthought. The whole platform was designed with security in mind. Most of our security work is systemic: we work on eliminating and mitigating entire classes of vulnerabilities before handling specific issues. This allows our platform to be resilient against new and unknown threats.

We see and practice security as a process, a background task that underlies everything we do, not as something that’s tacked onto code after it’s been written. The two pillars of our security policy are immutable infrastructure and the avoidance of trusted networks.

Immutable Infrastructure

Every piece of code deployed on Clever Cloud is deployed in a short-lived, reproducible environment.
In the event of compromise, the compromised code automatically disappears during the next deployment. This is particularly useful for commonly targeted applications like PHP CMSs.

No Trusted-Network Policy

We don’t believe in the ‘fortress metaphor’. It is the most seductive approach to IT security, but it’s also far from our security standards.

For more than 20 years, it has been common practice to think of a network as a fortress, protected from the outside world by firewalls, NATs and DMZs. This idea is now obsolete.

Our approach is based on in-depth security, not perimeter security: we identify, authenticate, and encrypt communication for each peer on the same network to avoid any possibility of harm or data theft in the event of an intrusion.

Vulnerability Reporting

Clever Cloud rigorously monitors the languages themselves and their dependencies for each technology supported.

When vulnerabilities are discovered, our system images are updated at OS, language and dependency levels.

Security Assessments and Compliance

Third-party auditors regularly conduct audits and pentests on the Clever Cloud platform as part of our commitment to our customers. Obviously, all the platform-level conclusions are forwarded to the security team and acted upon.
If you wish to audit or pentest applications running on Clever Cloud, please contact us.
We are also open to customer audits, particularly in banking and insurance.

Open Sourcing Tools for Security

We are committed to developing open-source security tools. Through this approach, we enable communities to contribute to the continuous improvement of our solutions. Take a look at Sozu (reverse proxy) and Biscuit (token).

Protection of Customer Personal Data

Clever Cloud is committed to ensuring the best level of data protection. In accordance with our Terms and Conditions of Use, these commitments towards Personal Data (the “Personal Data” under Regulation EU n°2016/679 of April 27, 2016, “GDPR”) are described in our Privacy Policy and Data Processing Agreement.

All data is hosted in France by default (other regions are optionally available).