Innofactor Blog

Episerver DXC: reliable, secure & GDPR compliant

Written by Rami Karhu | 15.6.2017

There has been a lot of talk about security and data privacy over the last few years and organizations all over Europe (and beyond) are getting ready to comply with General Data Protection Regulation (GDPR), which kicks in on May 25th, 2018. GDPR is the most important change in data privacy regulation in 20 years. A breach of GDPR can result in fines up to 4% of annual global turnover (or 20M€, whichever is greater), which is why organizations are right in taking the regulation seriously.

However, it is not just GDPR that has us thinking about data security. The web as a channel (websites, customer portals, eCommerce…) is among the most critical customer service channels at present. Taking care of customers’ privacy issues can become a competitive advantage as customers are becoming more and more aware of data privacy.

There are countless questions flying around regarding the security, reliability and data privacy of web technologies. To help everyone out, we decided to compile a “5 things you always wanted to know…” type of FAQ about Episerver DXC.

Our list covers 5 topics:

  • Service reliability
  • Data location
  • Disaster recovery
  • GDPR compliance
  • Security

Service reliability

Question: We need 24/7 service – what type of an SLA can Episerver DXC provide?

Answer:
The standard SLA (Service Level Agreement) for the basic DXC “Group” license defines an availability of at least 99.7%. This represents an approximate period of downtime/unavailability of 2h 11m 29s monthly.

A 99.9%+ SLA is available at an additional cost for the Group license and 99.9%+ is the standard SLA for “Corporate” and “Enterprise” licenses. This represents an approximate period of downtime/unavailability of 43m 50s monthly.

Episerver commits to these SLAs and in reality the availability can be a lot higher.

Learn more about the current status and recent outage history on http://status.episerver.com/.

Data location

Question: We require our data to be maintained within the EU. Which data center locations are available with Episerver DXC?

Answer:
Customers can choose their data center’s geographic location from 4 geographical areas: West US, East US, Europe and APAC.

You can choose to use Europe as the geographical area for your service and related data. Azure’s Europe geography has two regions, North Europe (Dublin) and West Europe (Amsterdam). The primary region for Episerver DXC is North Europe.

Learn more about Episerver DXC service continuity on:
http://www.episerver.com/legal/episerver-dxc-service-description/#servicehealthandcontinuity.

Disaster recovery

Question: Downtime of our web service or loss of data may have a serious business impact on us. How fast will our service on Episerver DXC recover during a website outage or in the case of loss of data?

Answer:
Episerver DXC runs on Microsoft Azure.

In the event of a customer website outage within a data center, Episerver will work to restore the service based on a service request. When you open a restore ticket with the Episerver Service desk, the application is restored to the most recent backup (Recovery Point Objective is 24 hours).

Episerver will first look to restore the application within the same data center. If the data center is permanently unavailable, a secondary data center will be utilized. Paired data centers are determined automatically, based on the primary region chosen during your configuration process and Azure's default regional pairing. For Europe, the paired regions are North Europe and West Europe.

Learn more about disaster recovery on: http://www.episerver.com/legal/episerver-dxc-service-description/#disaster.

GDPR compliance

Question: GDPR comes into effect in May 2018. Will Episerver DXC be GDPR compliant?

Answer: Episerver is committed to ensuring GDPR compliance by May 25th, 2018 (see section 7 of http://www.episerver.com/legal/episerver-dxc-eusa/).

Learn more about privacy on: http://www.episerver.com/legal/episerver-dxc-service-description/#privacy.

Learn more about the data processing agreement: http://www.episerver.com/legal/data-processing-agreement/.

Security

Question: Security is essential for us. How is data security managed in Episerver DXC?

Answer: Services are deployed on Microsoft Azure and operate on a security-hardened OS, specifically designed to limit the attack surface of the operating system. The service also provides automated elastic scaling to smoothly handle traffic peaks, assuring high performance for seasonal spikes and other unanticipated spikes in traffic.

An anti-malware service runs on all service operating systems to provide drive-level protection against malicious file uploads. Each customer’s service is isolated by Virtual Networks. Availability and performance are constantly monitored.

All data in transit is encrypted via HTTPS/TLS. The delivery network provides a broader, wider attack base and the Web Application Firewall (WAF) provides state-of-the-art scanning to monitor for unusual or malicious traffic. The global 24/7/365 Episerver Managed Services team continuously manages and monitors the delivery network and WAF to anticipate and mitigate attacks, including DDoS-style attacks against the DNS and service. Service instances are load balanced and enabled for automated elastic scaling. In addition, Episerver provides multi-domain SSL certificates with the service.

Learn more about Episerver security on:
http://www.episerver.com/about/privacy/trust-center/security.