Skip to navigationSkip to main contentSkip to footerScaleway DocsAsk our AI
Ask our AI
Log inSign up

Scaleway Instances Shared Responsibility Model

On this page, we outline the roles and responsibilities for maintaining and securing your virtual CPU and GPU Instances. Our shared responsibility model clarifies the division of duties between Scaleway and our users, ensuring clarity in managing Instance availability, backups, configurations, and security measures. By understanding this shared responsibility, you can optimize the performance, reliability, and security of your Scaleway CPU Instances and GPU Instances services.

Note

Vous pouvez télécharger le modèle de responsabilité partagée relatif aux Instances en français ici. Veuillez noter que, pour les valeurs contractuelles, la version anglaise fait foi.

Overview of the "Cloud Security vs. Security in the Cloud" Model

At Scaleway, the security of your data and applications is crucial. To ensure a robust and secure environment, we operate under a shared responsibility model, which clearly distinguishes Scaleway's obligations from those of our users. This model is often conceptualized as "Security of the Cloud" and "Security in the Cloud".

Security of the Cloud (Scaleway's responsibility)

Scaleway is responsible for the security of the Cloud. This means we are committed to protecting the overall infrastructure that runs all services offered in the Scaleway Cloud. Our responsibilities include:

  • Physical security of data centers: Protection of facilities, access control, and monitoring.
  • Network infrastructure security: Protection of networks, platforms, and operating systems that underpin our services.
  • Virtualization security: Resource isolation, hypervisors, and management of virtual environments.
  • Infrastructure maintenance and updates: Applying security patches and updates for components managed by Scaleway.
  • Compliance and certifications: Maintaining our own certifications (e.g., ISO 27001, HDS) and adhering to regulations applicable to our role as a cloud service provider.

In other words, Scaleway is responsible for protecting the environment in which your Instances reside.

Security in the Cloud (User's responsibility)

The user is responsible for the security in the Cloud. Once resources are made available to you, you are in charge of the security of everything you deploy, configure, and manage within that environment. Your responsibilities include:

  • Instance management: Operating system configuration, applications, middleware, patches, and software updates for your Instances.
  • Data management: Data encryption (at rest and in transit), backup management, integrity, and confidentiality of your information.
  • Identity and Access Management (IAM): Configuration of permissions, roles, SSH keys, multi-factor authentication (MFA), and the principle of least privilege for accessing your resources.
  • Network security of your Instances: Configuration of firewalls, security groups, and network access for your Instances.
  • Application security: Protecting your applications against vulnerabilities, managing dependencies, and monitoring application logs.
  • Compliance of your workloads: Ensuring that your applications and data comply with industry regulations and your own internal security policies.

This shared responsibility model is essential for a comprehensive and effective security approach. It allows you to leverage the robustness of the Scaleway infrastructure while retaining the flexibility and control necessary to secure your own workloads. A clear understanding of these roles ensures that all facets of security are considered.

Product resiliency

Availability

The detailed SLAs measurements and guarantees can be found at Service Level Agreement for Scaleway Instances Services.

Once the resource is in your hands, we have no access to the machine and therefore no way to monitor its operation. If you face operational issues, we recommend consulting our documentation or creating a support ticket for assistance in regaining access to your resources.

Backups and snapshots

It is your responsibility to:

  • Manage your virtual machine and its data.
  • Ensure data redundancy, if necessary, by relying on backups or Instance snapshots.
  • Define the necessary redundancy measures based on the nature and criticality level of your data. We remind you that a snapshot does not in any way constitute a permanent backup of your data, but only an "instantaneous" copy of the Instance.

Block Storage volumes are replicated three times to provide storage redundancy availability of 99.99%.

However, when using Local Storage or scratch storage, in the event of disk or hardware failure on the underlying hypervisor, we cannot guarantee that you will regain access to your virtual machine and data on Local Storage. The failure may require a complete replacement of the virtual machine. Therefore, it is your responsibility to ensure in advance that you have a backup or redundancy of your data on another Instance or storage means. Scaleway cannot be held responsible for the loss of your data. Backups and snapshots must be configured and managed by you. Refer to our documentation for assistance in setting up backups for Instances via the CLI/API or the Scaleway console. Restoring snapshots or backups must be triggered by you.

Block Storage performance and Instances block bandwidth

Block Storage volumes are available with 5,000 or 15,000 IOPS (input/output operations per second). The actual storage performance is determined by the block bandwidth available for each Instance type. All Block Storage-compatible Instance types support both Block Storage volume types; however, performance may vary depending on the available block bandwidth. Refer to the Scaleway Instances internet and Block Storage bandwidth overview for Virtual Instances and to Scaleway GPU Instances internet and Block Storage bandwidth overview for GPU Instances.

Configuration and version management

Installation and configuration

We provide a range of Linux and Windows OS distributions for automatic image installation from the Scaleway console. These distributions come with a default configuration designed for standard use cases, ensuring security, usage efficiency, and reliability. During the setup of your machine, you can modify and customize this initial configuration. However, you are responsible for any impact on your Instance’s availability, security, or performance.

If you use a custom image, it is your responsibility to ensure the reliable and secure configuration of your machine. A custom image is a user-created disk image with a preconfigured OS, software, or settings. It allows users to deploy new Instances with their environment already set up, instead of using a standard image or InstantApp.

Updates and version management

We regularly provide OS version updates, allowing you to upgrade your environment if desired. It is your responsibility to update your machine to the desired version and thus maintain its compatibility with all internal and external resources at Scaleway. If you perform manual upgrades without reinstalling your machine with an image provided by Scaleway, it is your responsibility to ensure the reliability and stability of your machine’s configuration.

Scalway API/CLI upgrades and breaking changes

As part of our ongoing efforts to improve and enhance the functionality of Scaleway Instances, we may release updates to our API that could potentially introduce breaking changes. These changes may affect the compatibility of older versions of our Command-Line Interface (CLI), custom scripts, automation mechanisms, or developer tools (devtools) used by our users. It is the responsibility of the user to actively monitor potential upgrades and ensure that their CLI version, as well as any custom scripts, automation mechanisms, or developer tools they use to interact with Scaleway’s Instances API, are regularly updated to the latest version available. This includes, but is not limited to:

  • Keeping the CLI up-to-date with the latest releases
  • Updating custom scripts and automation mechanisms to be compatible with the latest API versions
  • Ensuring that any third-party developer tool or integration (such as Terraform or Packer) is compatible with the latest API versions published by Scaleway.

Usage compliance

You are responsible for the proper use of your resources. In this regard, you are responsible for maintaining the use of your Instances in accordance with Scaleway’s compliance policy and terms of service, as well as those of the various operating systems you use.

Important

It is your responsibility to inform yourself beforehand about the permitted and prohibited use cases for your Instances and to adhere to them throughout your usage.

Data protection

Encryption in transit

Instances (CPU and GPU) support SSH connections to secure your communication with them. You remain responsible for configuring SSH keys.

Data encryption

You are responsible for encrypting the volumes on your Instance. We are not responsible for data encryption, especially in cases of sensitive applications or additional security requirements. Refer to our documentation on encrypting volumes for sensitive data for further information.

Data deletion

  • Local Storage: When you delete your Instance, we are responsible for removing all of your data from the Local Storage of the Instance.
  • Scratch Storage: The encryption key of the scratch storage of your Instance is deleted and can not be restored after deletion. Disk data is therefore made unavailable at deletion.
  • Block Storage: Block Storage volumes remain, by default, attached to your account with their data stored on them. To delete Block Storage volumes you can explicitly request volume deletion when deleting the Instance. If not deleted, volumes remain in your account for further usage (re-attribution to a new or existing Instance) or until deleted by your request.

Scaleway access

We do not have the technical capability to access your virtual machine once it is installed, nor the data stored on it. We have no visibility into your use of the Instance and its configuration. Therefore, it is your responsibility to ensure the security of your virtual machine and data.

Identity and access management

Virtual Instances (CPU and GPU) provide IAM permissions sets that allow or restrict specific actions a user or application can perform, such as creating or deleting Instances. You remain responsible for giving these permissions to the relevant users or applications and reviewing these accesses frequently. Managing access and permissions for creating, modifying, using, and deleting a resource remains, in any case, your responsibility.

Platform security

Our security guarantees are available at https://www.scaleway.com/en/security-and-resilience/, and our certifications and commitments are available in our Trust Center.

Security best practices

For optimal security, we recommend that you:

  • use an ED25519 SSH key to access your machine, rather than using username and password authentication,
  • check and update the firewall and filtering rules if necessary (following the principle of least privilege: "Deny all by default, allow by exception"),
  • configure security groups for your Instances to limit their exposure on the internet,
  • regularly update the operating system to take advantage of configuration updates and security patches,
  • regularly monitor our changelog and documentation for updates on API changes and update automation tools and CLI regularly to avoid unnoticed breaking changes

HDS (Hébergement de Données de Santé) - Complete documentation

This section consolidates all HDS-specific information and requirements for healthcare data hosting compliance.

HDS data residency

  • HDS Instances: Restricted to France. Data must not be transferred outside the authorized perimeter.
  • Scaleway Responsibility: Technically guarantee that data remains within the authorized Parisian datacenters, and will not modify the customer’s selected localisation during resource allocation.
  • Customer Responsibility: Do not configure transfer to other regions, nor create Instances in non-HDS regions for your HDS infrastructure or non-HDS Instances.

HDS compliance requirements

As a user of HDS Instances, you are responsible for:

  • Signing Scaleway's HDS contract,
  • Ensuring access is restricted to authorized personnel,
  • Respecting authorized Instance offers, including storage requirements.
  • Use Audit Trail for log provisioning purposes

Scaleway Responsibility: Provide HDS-certified infrastructure and ensure best efforts to maintain certification. The loss of the certificate may result in the termination of our commercial relationship with the HDS customer. These elements are included in the HDS contract.

HDS encryption

As a user of HDS Instances, you are responsible for:

  • Implementing appropriate technical and organizational measures depending on your related security policies
  • Encrypting your data at rest and in transit on public and private networks
  • Ensuring that the services you use are compatible with the encryption solutions you plan on using.

HDS Instance offers

Authorized Instance offers

Configuration typeEligible for HDS purposesAuthorized type of storage
Other Instances SLO (DEV1, GP1, PLAY2, PRO2, COPARM1, ENT1)NoN/A
Development InstancesYesBlock Storage Local Storage (client’s responsibility to encrypt)
Shared General Purpose InstancesYesBlock Storage (i.e no local storage allowed) Local Storage (client’s responsibility to encrypt)
Dedicated General Purpose InstancesYesBlock Storage (i.e no local storage allowed) Local Storage (client’s responsibility to encrypt)
Specialized InstancesYesBlock Storage (i.e no local storage allowed) Local Storage (client’s responsibility to encrypt)
GPU InstancesYesBlock Storage Scratch storage Local Storage (client’s responsibility to encrypt)

Responsibilities:

  • Customer: Ensure only eligible offers are used and understand the obligations regarding storage options.

HDS data deletion

When you delete an HDS Instance, block volumes remain, by default, attached to your account. To delete Block Storage volumes you can explicitly request volume deletion when deleting the Instance.

  • Customer: Explicitly request Block Storage volume deletion when deleting an HDS Instance.

HDS backups and replication

You are responsible for managing your backups and replication needs while respecting data residency (France only) on your Scaleway HDS services.

Important

Snapshots are not available on scratch storage.

Still need help?

Create a support ticket
No Results