Security

One of the key concerns for CTX is security.

CTX needs to be able to see your documents and data to index them - that means it has (limited, read-only) access to the contents and the metadata, and that it keeps copies of these in its index long-term.

It’s very important that customers know their data is treated with respect, kept safe, and managed sensitively.

In the interests of transparency, here’s a brief description of the layers of security CTX employs to keep your data safe.

Physical security

We host in data centres inside the EU. The data centres we use are secured with industry best practice including biometric access control, and they’re manned by security staff 24x7.

We use dedicated server hardware that we fully control, hardened using a variety of techniques and configuration-managed with cutting-edge tools to give us assurance and auditability.

Network security

The CTX servers sit within Virtual Private Networks (VPNs) inside our data centres’ networks.
These VPNs are set up in a mesh topology for high availability, and are encrypted using the AES-256 cipher.

Our networks are configured to be as isolated as possible. All management communications into the VPNs are over encrypted tunnels and the network services we operate have been set up to have the minimum “surface area” possible.

Our web services operate only over HTTPS, configured with modern cipher suites and all the recommended options like rotating TLS session ticket keys, OCSP stapling and so forth.

Encryption at rest

CTX stores your data encrypted on disk.
It’s encrypted with the industry-standard AES-256 (‘Rijndael’) cipher.

This means that even if an attacker were able to breach all our other security and take a copy of the data, using current computing techniques it’s estimated that decoding the data might take over a billion years.

Data isolation

The architecture of CTX provides software-level isolation and guarantees that your data cannot be seen by any other party.

On our Team and Business plans, your data is stored in isolated indices within our central search cluster, subject to those guarantees.

On our Enterprise plan, in addition to the other benefits, we’ll maintain a separate cluster of index servers for you. This adds a layer of physical separation.

As a further feature of our Enterprise offering, we will provide the ability to manage your own encryption keys, guaranteeing even higher degrees of security to match customers’ policy requirements.

For the truly paranoid, get in touch to talk about Enterprise On-Premise hosting, where you can be in total control of security (and everything else).