This page outlines the Platform Policy for the Formpipe.Cloud platform.
Roles and Access Restrictions
Only the cloud services and support team staff have permanent access to Formpipe Cloud resources.
Members of the Formpipe delivery team may be granted temporary access to specific environments on a project-by-project basis.
All platform user accounts have Two-Factor Authentication (2FA) applied to mitigate the threat of account hijacking.
Access to customer environments via platform accounts is limited by default. Access is granted using on-demand privilege escalation for a limited time and is administered by us as the solution provider.
We provide the following uptime commitments for each of our service tiers (excluding maintenance windows, planned downtime and agreed downtime):
All Partner and Customer connections to the service are accessible through the Gateway-based external access system.
Environments are partitioned into network segments and restrictions are applied to only allow specific communication between them.
Formpipe support is carried out only via authorised Formpipe addresses.
Application traffic uses end-to-end transport layer encryption and/or application-specific encryption mechanisms (e.g. message-level encryption when sending payloads over other communication channels).
Data at rest is encrypted for Azure services and storage (Azure Blob Storage, and Azure SQL).
Environments have storage encryption applied and use Azure Key Vault to securely store encryption keys.
Formpipe Cloud’s Premium tier provides a highly available service by utilising multiple production nodes of our Lasernet product to provide increased resilience to node failures.
These nodes are also spread across different data centre locations, providing resilience to data centre level disruption.
This applies to service components that hold data or configuration, such as:
- Service Nodes
- Storage accounts
As part of Formpipe Cloud environments, Geo Redundant Storage (GRS) is utilized to offer a global multi datacentre level of redundancy for data and services. GRS allows the backup data to be replicated to another Azure region for additional redundancy. The weekly backup is stored for 4 weeks and the daily backup is stored for 7 days.
Key Vaults are by default protected with Zone Redundant Storage (ZRS). No further protection is required for this resource.
Formpipe Cloud hosted environments provide Disaster Recovery by utilising Backups stored within Recovery Services Vaults. This provides replication of our production node backups to another geographical location.
This allows us to quickly restore nodes in a customer environment in a disaster scenario and provides resilience to geographic-level disruption.
The Recovery Time Objective (RTO) is set to 6 hours and a Recovery Point Objective (RPO) is set to 24 hours.
Platform updates are applied in a controlled way.
To ensure we are up to date with the latest Microsoft patches, in particular security updates, we use the Update Management feature in Azure to schedule automatic deployment of updates to each node.
Nodes are split up into Four groups for patching:
Update Group - Test Group: Internal Test Nodes
Update Group 1: Test Nodes
Update Group 2: Primary Nodes
Update Group 3: Secondary Nodes
Regression testing is carried out on our internal test nodes to ensure that the functionality of the system is not affected prior to roll out of updates to customer environments.
Update Group - Test Group - Wednesday, the 2nd week of each month.
Update Group 1 - Monday, the 3rd week of each month.
Update Group 2 - Wednesday, the 4th week of each month.
Update Group 3 - Thursday, the 4th week of each month.
All updates are scheduled for 1 a.m. local time to customer region. The servers are set to reboot automatically if required.
Software updates are offered to the partner and end customer on a yearly basis. These upgrades require that the partner and customer undertake appropriate testing before any updates are applied to Production.
Releases that include critical bug or security fixes may be applied immediately if the potential risk of leaving the system unpatched is too high.
After the patch has been applied, the partner/customer will be sent a report detailing the changes and justification for applying an emergency change.
Two re-occurring weekly maintenance windows are scheduled should there be a need for any configuration changes/maintenance work to be carried out.
Day/time of the set maintenance windows are listed below:
Tuesday: 8 to 10 p.m. Local time.
Thursday: 8 to 10 p.m. Local time.