Security and resilience
At Scaleway, there is no compromise when it comes to your data
We are proud of our data centers and their security, and consider that we have implemented the best solutions to protect your most valuable asset: your data. We are well aware of the huge responsibility this represents, so there can be no compromise when it comes to your data.
Our four data centers in France are audited by our insurer at least once per year. As our client, you can also audit our data centers with the experts of your choice.
Our certification, risk analyses, and safety information can be consulted upon request from technical support.
The physical security of our data centers and equipment is assured by comprehensive monitoring devices at different levels as follows:
- Surrounding exterior walls/fencing (except DC4 – located in a former nuclear fallout shelter 25 meters under Paris)
- 24/7 security staff presence (SSIAP2)
- Video surveillance systems monitor the entirety of our sites
- Alarms to warn security staff in case of attempted unauthorized access to protected areas or should a door not be closed or locked on time
- Access control system using badges and a biometric recognition system
- Any external visitors are accompanied by data center employees at all times
- Infrared protection for the site boundary (DC5)
- Storage equipment is transported in secured cases equipped with GPS trackers
Fire safety agents specially trained in firefighting are present 24/7 at all data centers, ready to intervene at any time. Scaleway’s approach is based around three objectives:
- Isolate any incidents to stop them becoming more serious, using compartmentation methods
- Control the incident, without interrupting production, using automatic mechanisms
- Facilitate intervention by the emergency services and our staff
Passive protection (built-in):
- We divide each data center into compartments, all of which are fire-resistant. The walls, flooring, ceilings, doors, and windows are designed to resist fire and prevent it spreading to the rest of the building
- Each compartment has a smoke extraction system which is able to work in 400ºC heat for two hours
- Where we are not able to implement a 10-meter distance, we protect our data centers with fire protection walls, heavy-duty roads and fire hydrants which allow the emergency services to safely intervene
Active protection (fire detection systems corresponding to APSAD DC7 or N7):
- DC2 uses the DFHS multipoint system from DEF
- DC3 and DC4 use the VESDA multipoint system
- DC5 uses both the VESDA system and OSID system from Xtralis
- DC2 uses the Semco water mist FM, VdS/OH1 and DIFT certified system
- DC4 uses the 3M NOVEC 1230 gas fire suppression APSAD R13 certified system
- DC3 and DC5 use the Marioff HiFog water mist FM and VdS/OH1 certified system (N.B.: currently being installed in DC5 as part of the site extension which is underway)
Our FM, VdS/OH1, DIFT and APSAD R13 certifications and our periodic maintenance (APSAD Q13) certification are available upon request from technical support.
Other risk management
Just like for any industrial site, we have taken all physical risks into account during the design, construction and day-to-day running of all our data centers. As each of our sites is different, we may have specific risk management policies depending on an individual data center.
Risk of lightning strikes
The risk of lightning strikes at our data centers is considered very low and was taken into account during the construction of our sites by the inclusion of lightning conductors.
The level of industrial risk is considered to be low given that no at-risk sites (SEVESO) are situated near to our data centers.
Risk of volcanic activity and earthquakes
None of our data centers are classed as being at risk of earthquakes as the entire Paris area has zero risk (nonexistent/very low). As the risk of volcanic activity in France is zero, our data centers have no risk of volcanic activity.
Risk of ground movements
Although the Paris area contains many underground quarries (catacombs, former quarries…), none of our data centers are built on top of at-risk areas. As such, the risks associated with underground quarries collapsing or landslides are considered to be almost zero.
Agricultural and forestry risks
Our data centers are all built within urban areas and situated at least several kilometers from agricultural areas or forests. As such, the agricultural and forestry risks are considered to be zero.
Additional protection measures
Additional protection measures are present at the outskirts of our plots of land in order to protect our data centers from our neighbors (e.g. firewalls).
High-pressure gas pipelines
No protective perimeters for high-pressure gas pipelines are located near to our sites.
Compliance and certifications
Information security management system
The ISO 27001:2013 standard certifies the implementation of an information security management system. This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. It guarantees that security best practices are followed for data protection.
Health data hosting
The HDS standard certifies the implementation of a personal health data security system. This standard specifies requirements for establishing, implementing, maintaining and continually improving a personal health data protection system. It guarantees that best security practices are followed to protect your personal health data. The HDS certification relies on the same scope as the ISO 27001 standard.
Energy management systems
The ISO 50001:2018 standard certifies the implementation of an energy management system. This standard specifies requirements for establishing, implementing, maintaining and continually improving an energy management system. It guarantees that energy management best practices are followed to help you manage costs.
The General Data Protection Regulation (EU) 2016/679 (GDPR) was adopted by the European Parliament on 14 April 2016, and became enforceable on 25 May 2018. GDPR contains provisions and requirements related to the processing of personal data of individuals from the European Union. Scaleway, as a data processor, implements all necessary technical and organizational measures in order to guarantee the security and confidentiality of clients’ data, in accordance with GDPR. For more information about our commitments, see our Data Processing Agreement.
Tier 3 Uptime Institute: 2014
The Uptime Institute certification measures a data center’s capacity for reaching a specific level of performance for the services provided dependent on availability, redundancy and fault tolerance.
SWIPO (SWitching Cloud and POrting data) AISBL is a multi-stakeholder association facilitated by the European Commission with the mission to develop voluntary Codes of Conduct in support of Article 6 “Porting of Data” of the Free Flow of Non-Personal Data Regulation (EU) 2018/1807. Scaleway has declared adherence of several of its services to SWIPO’s code of conduct for Infrastructure as a Service (IaaS). The related transparency statement can be made available upon request.
The concept of shared responsibility in the cloud
Physical security is just the first step when it comes to cloud security. Discover our advice and best practices around the concept of shared responsibility in the cloud. From account management to architecture best practices, start off on the right foot.