Security

Ubicloud is committed to keeping customer data safe and secure. You can read more about our security practices in the general security page. This page reiterates some of those practices and shares more information that's relevant in the context of our Managed PostgreSQL offering.

Network / Infrastructure Security

We use established best practices to provide cloud security. In summary, these include:

  • For our managed service, we review and select hosting providers based on their physical and digital security practices.

  • Elastic Compute: We use Linux KVM for full virtualization, a trusted VM technology used by millions of developers worldwide. Further, we use the Cloud Hypervisor as our virtual machine monitor (VMM); and contain each VMM within Linux namespaces for additional isolation and security.

  • Virtual Networking: We use IPsec tunneling to establish an encrypted and private network environment; and regularly rotate encryption keys. For security, each customer's VMs operate in their own networking namespace.

  • Firewall Settings: When running your managed PostgreSQL, we restrict incoming traffic to the PostgreSQL port (5432).

Software Security

Ubicloud cloud services are available under the AGPL v3 License. We follow an open development model and our source code is available for review in GitHub: https://github.com/ubicloud/ubicloud

If you discover any security issues when reviewing Ubicloud services or integrations, please report them using the process described in our general security page.

Additionally, we follow standard security best practices to receive vulnerability alerts. These include:

  • Code scanning alerts through industry-leading semantic code analysis engine CodeQL
  • Security issue alerts through language specific static code analysis engine Ruby Brakeman
  • Secret scanning alerts
  • Dependabot alerts to receive notifications when one of our dependencies has a vulnerability

Separate VM for PostgreSQL

Ubicloud uses VMs to securely isolate your data from other users. Each PostgreSQL server runs on its own VM. You can create multiple databases in your database server, but the database servers don’t share VMs. This ensures that each PostgreSQL server runs its own isolated environment.

Backups

Storage for full backups and WAL files are isolated on the bucket level. We create separate buckets for each PostgreSQL server in our blob storage. The credentials provided to each PostgreSQL server only allows access to its own bucket.