SOC2

Qovery infrastructure and processes comply with SOC2 (Systems and Organizations Controls 2) best practices. By default, Qovery integrates numerous security features into your applications, clusters, and databases, ensuring alignment with SOC2’s stringent security standards. For more information, visit the Qovery trust page.
All customers using Qovery benefit from a SOC2-compliant infrastructure, significantly reducing the time required for compliance readiness.
This documentation outlines configuration settings for achieving SOC2 compliance and additional recommended security measures.
Cluster advanced settings
In the Cluster Advanced Settings, you will find several configurable options to enhance compliance with SOC2. Here are the key settings:
AWS CloudWatch 
To meet SOC2 retention requirements, set the aws.cloudwatch.eks_logs_retention_days to at least 365 days.
Application Logs Retention

To meet SOC2 retention requirements and store application/container logs in the object storage used by Loki, set loki.log_retention_in_week to at least 365 days.
VPC flow logs

Enable VPC flow logs to monitor and maintain network traffic visibility:
On AWS:
- Set aws.vpc.enable_s3_flow_logs to true.
- Specify aws.vpc.flow_logs_retention_days to 365 days or more to ensure compliance.
On GCP:
- Set gcp.vpc.enable_flow_logs to true.
- Set gcp.vpc.flow_logs_sampling to 1.0 to capture all network traffic.
Databases access

Qovery allows databases to be publicly accessible for convenience; however, to comply with SOC2, it’s recommended to restrict this access by changing the value of the following settings:
- database.<database type>.deny_public_access: set the CIDR ranges permitted to access the database.
- database.<database type>.allowed_cidrs: limit access to only your VPC CIDR or other specified IP ranges.
Kubernetes API access

By default, cloud providers allow public access to the Kubernetes API, which is secured by TLS certificates. AWS and GCP provide an added layer of security by requiring account-based dual authentication.
SOC2 compliance, however, mandates restricted access to the Kubernetes API. To achieve this:
- qovery.static_ip_mode: limit access to Qovery’s designated IPs. Qovery needs this access to perform infrastructure maintenance and application deployment.
- k8s.api.allowed_public_access_cidrs: optional, define any additional CIDRs that require access to the Kubernetes API, thus limiting external access further.
Container images retention time

SOC2 requires that images be retained for a minimum of 365 days. To meet this requirement, set the registry.image_retention_time to at least 365 days.
AWS EC2 metadata access 
To comply with SOC2, restrict access to the AWS EC2 metadata service.
Set aws.eks.ec2.metadata_imds to required to prevent unauthorized access to the metadata service.
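
The settings in this section can be checked in one pass before an audit. The script below is an added example, not Qovery tooling: it audits a cluster advanced-settings export against the values given on this page and reports every key that is unset or below the stated value. Assumptions: the export is a flat JSON object keyed by setting name, qovery.static_ip_mode is a boolean, loki.log_retention_in_week is in weeks, and registry.image_retention_time is in seconds; the database.<database type> keys are not checked.

```python
import json

def at_least(n):
    # Numeric threshold; bool is rejected because True == 1 in Python.
    return lambda v: isinstance(v, (int, float)) and not isinstance(v, bool) and v >= n

is_true = lambda v: v is True  # strict: rejects 1 or "true"

RULES = {  # key -> (check, expected value shown in the report)
    "aws": {
        "aws.cloudwatch.eks_logs_retention_days": (at_least(365), ">= 365"),
        "aws.vpc.enable_s3_flow_logs": (is_true, "true"),
        "aws.vpc.flow_logs_retention_days": (at_least(365), ">= 365"),
        "aws.eks.ec2.metadata_imds": (lambda v: v == "required", "required"),
    },
    "gcp": {
        "gcp.vpc.enable_flow_logs": (is_true, "true"),
        "gcp.vpc.flow_logs_sampling": (at_least(1.0), "1.0"),
    },
    # Assumed here: static_ip_mode is a boolean, the Loki value is in weeks
    # (53 weeks >= 365 days) and the registry value is in seconds.
    "common": {
        "qovery.static_ip_mode": (is_true, "true"),
        "loki.log_retention_in_week": (at_least(53), ">= 53"),
        "registry.image_retention_time": (at_least(365 * 86400), ">= 31536000"),
    },
}

def audit(settings, provider):
    """Return (key, actual, expected) for every rule that is unset or failing."""
    findings = []
    for key, (ok, expected) in {**RULES["common"], **RULES[provider]}.items():
        if key not in settings:
            findings.append((key, "not set", expected))
        elif not ok(settings[key]):
            findings.append((key, json.dumps(settings[key]), expected))
    return findings

# Constructed sample export for an AWS cluster (not real Qovery output).
SAMPLE = json.loads("""{
  "aws.cloudwatch.eks_logs_retention_days": 90, "aws.vpc.enable_s3_flow_logs": true,
  "aws.vpc.flow_logs_retention_days": 365, "aws.eks.ec2.metadata_imds": "optional",
  "qovery.static_ip_mode": false, "loki.log_retention_in_week": 12,
  "registry.image_retention_time": 31536000
}""")

if __name__ == "__main__":
    for key, actual, expected in audit(SAMPLE, "aws"):
        print(f"FAIL {key}: {actual} (expected {expected})")
```

A missing key is reported as a finding rather than assumed compliant, since the default value may not meet the retention figure an auditor expects.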
Additional Actions
AWS S3 
To comply with SOC2 requirements for data integrity and protection:
- S3 versioning is automatically enabled by Qovery to maintain object history.
- Enable MFA delete protection to add an extra layer of security for version deletion. This must be configured by the account owner using root credentials through the AWS CLI.
Schema
For SOC2 compliance, an auditor may request a diagram of your infrastructure and its connection to Qovery. Below is the diagram you can share: