Development activities are performed locally on the developer’s workstation.
Validation environments are provisioned prior to merging code, in a minimal configuration and without any client data.
A staging environment is provisioned independently from production, designed to maintain maximum parity while using anonymized datasets to test all components of the solution.
Data segregation between clients is enforced at the middleware, application, and database levels using acts_as_tenant, which implements row-level multi-tenancy.
Automated unit and API tests verify this isolation at every commit to the master branch.
All requests to the platform are made over HTTPS, supporting TLS 1.2 and 1.3 with RSA_2048 encryption.
If the SFTP upload service is used, strong and unique algorithms and credentials are assigned to each client. Uploaded files are stored in a chroot-jailed environment tied to the client’s user account. In addition, clients are encouraged to send files encrypted with Elevo’s public GPG key.
All data is encrypted at rest with AES-256 in our databases.
Our database is continuously backed up (see Data Protection & Backups). These databases and backups are encrypted at rest.
We also archive a daily copy of the database to a physically and logically separate cloud (DigitalOcean Spaces). These backups are encrypted both at rest (see DigitalOcean Security) and end-to-end via GPG.
They are accessible only to the development team, with access protected by both SSO and 2FA (Google Authenticator). The corresponding code version is archived alongside each backup to allow the data to be viewed within the exact version of the application that generated it.
The backup creation job verifies multiple metadata elements to confirm the integrity of the archive. Another automated job tests critical restore functions daily, and alerts are sent by email if any failure occurs.
See more on:
Scaleway provides historical logs of administrative activities on our infrastructure.