Medialist / medialist-app2

:newspaper: Make your PR team smarter and faster with media lists that capture intelligence, cut admin hours and keep campaigns in sync.
http://medialist.io/

To help assure customers, I'd like to be able to answer these questions in a few lines each #526

Closed OllyGilbert closed 6 years ago

OllyGilbert commented 7 years ago

  1. What security do we have in place?
  2. How often is data backed up?
  3. Where is it backed up? (it helps to identify exactly what country this information is stored or processed in)
  4. What third parties do we use for hosting and other elements of the service?

OllyGilbert commented 7 years ago

@achingbrain has answered some of these in https://github.com/Medialist/medialist-app2/issues/492

olizilla commented 7 years ago

1. What security do we have in place?

We use reputable cloud service providers, and make use of their industry-standard security measures. We use private virtual machines based in a UK datacenter rather than shared hosting. We use MongoDB for data storage and their Atlas cloud hosting to ensure clients' data is encrypted at rest, but still highly available.

MongoDB Atlas is security hardened by default. Each MongoDB Atlas group is provisioned into its own VPC, thus isolating your data and underlying systems from other MongoDB Atlas users. Network encryption and access control are configured by default, and IP whitelists allow you to specify a specific range of IP addresses against which access will be granted. All security-specific updates to the operating system and database of the underlying instances are automatically applied by MongoDB engineers.

See: https://webassets.mongodb.com/_com_assets/collateral/Atlas_Security_Controls.pdf and: https://www.mongodb.com/cloud/atlas/faq

2. How often is data backed up?

Continuously. This may be too mind-blowing, so we could say incremental backups are taken every minute.

MongoDB Atlas continuously backs up your data, ensuring your backups are typically just a few seconds behind the operational system. MongoDB Atlas ensures point-in-time backup of replica sets and consistent, cluster-wide snapshots of sharded clusters. With MongoDB Atlas, you can easily and safely restore to precisely the moment you need.

See: https://www.mongodb.com/cloud/atlas/faq

3. Where is it backed up?

It's backed up to 3 separate locations in the same AWS region, Ireland (eu-west-1).

4. What third parties do we use for hosting and other elements of the service?

OllyGilbert commented 7 years ago

This is awesome and really helpful. Thank you @olizilla. So, we store data in Ireland rather than the UK? Or both?

olizilla commented 7 years ago

We have a db server cluster on MongoDB Atlas in the AWS region eu-west-1 (Ireland). That's a "recommended region" for availability, as the datacenter has 3 separate availability zones.

What is a recommended region? In recommended regions Atlas replica sets always span 3 availability zones. In other regions only 2 availability zones are used.

eu-west-2 (London) is an option, but it's listed as having only 2 availability zones.

Strictly speaking, MongoDB does the work of provisioning virtual servers on Amazon Web Services infrastructure for us. The actual server reliability, security and SLA are whatever AWS promises. And we get the peace of mind of knowing that our cluster configuration is as optimised and secure as it can be, as the same org that designed the DB also set up the cluster for us.

The app servers are a separate issue; they are located in a datacenter in London (just), managed by DigitalOcean.

In time, this story will become more coherent, but that's the situation today. Probably best to say UK datacenters for all the things.

OllyGilbert commented 7 years ago

UK & Ireland is perfect. Thank you @olizilla

olizilla commented 7 years ago

@OllyGilbert I've edited ☝️ to be more specific