How we protect your data

How we protect your data Deploy • Arnaud de Bermingham • 26/05/21 • 11 min read

In light of recent events, many of you have asked us about the practices and methods we use to protect our data centers. We thank you for all your questions, and we will respond, as always, with maximum transparency.

Data centers: at the heart of data resilience strategies

We have always considered our data centers to be a selling point and a tangible reflection of the quality of our products. They are also an invaluable production tool, and a source of pride for us.

For almost 15 years, our data centers have been part of an uncompromising investment strategy , which allows us to take full responsibility on our clients’ behalf. We have chosen to specialize in all aspects of this profession: from design to construction and implementation, basing our engineering on feedback. We have used our teams’ valuable knowledge to set up data centers which are more and more resilient and innovative .

We are one of the few companies with a fully integrated approach, from data center to software (as well as networks and hardware), all in full transparency. We are one of the last remaining cloud companies to master the highly specific area of data centers – almost all other companies in the market use large real estate actors’ sites for their international expansions.

We are the only triple play-type cloud supplier to provide all three services: data center and private infrastructure colocation , dedicated high-end servers for maximum control and impact and a modern and flexible public cloud ecosystem.

Our command of the whole value chain allows us to offer competitive pricing and innovative services, while never compromising due to economic considerations.

With regard to data center colocation, we are one of the biggest French players and an important European player. For many years we have been hosting Gartner Magic Quadrant companies on our infrastructure, as well as many other companies which are well-known in Europe, thus demonstrating our stringency with regard to colocation.

The regulatory context: Regulation ensures that people and the environment are protected. The operator, along with the insurer, handles asset protection.

Data centers in France are governed by labor law, and above a certain power, by ICPE-type decrees (establishments classified for environmental protection).

Regulation on this is light-handed and mainly concerns safe evacuation of staff (emergency exits, smoke extraction, etc.) in case of incidents, and environmental protection. For example, it does not require the installation of fire detectors or fire suppression systems, nor any asset-protection measures.

It is important to understand that the technical design and inclusion of asset protection measures in a data center is therefore entirely dependent on the project owner and the operator, but also on the insurer’s conditions on the level of coverage and deductibles. To summarize: these regulations ensure the protection of people and the environment, the operator and the insurer ensure the protection of physical assets.

There has long been confusion between design resilience and certification such as ISO standards. The aim of certification is to standardize governmental practices and business processes, but this provides no guarantee to the client of proper design, rules, or implementation with regard to asset protection in a data center. The recent unfortunate incident, which affected infrastructure with SECNUMCloud (an initiative by the French National Cybersecurity Agency), ISO-27001 and even HDS certification, demonstrates this. Certification of compliance with an ISO, HDS or SECNUMCloud standard is by no means a guarantee of the physical security of a data center.

Regarding asset protection, in France, APSAD certification delivered by insurance companies and the CNPP (National Center for Prevention and Protection) provides a guarantee of reliability and effectiveness for asset security. This certification is based on reference standards and requirements, stemming from experience of incidents, which apply to the design of the facility, desired results, training of staff, and maintenance. This voluntary certification is extremely strict, costly, and demanding. For us, it represents the minimum requirement for a data center, bearing in mind the sensitivity of the assets hosted. This APSAD certification is a guarantee of security.

Risks in data centers: we reveal all

The risk is very low if it is correctly addressed by measures built into the data center.

In our experience, inverters and batteries represent the highest risk.

Over the past ten years, across its data centers in France using around 40MW, Scaleway has experienced one battery fire, on September 16, 2019.

and four inverter explosions

On June 27, 2013, the neighbor of our DC2 data center, specialized in recycling paper, burned down:

More recently, on June 2, 2019, the neighbor of our DC5 data center, specialized in chemical processing, also burned down just a few meters away from our premises:

To be very clear, running a data center means anticipating and managing risk. This risk may be internal or external, and it is real.

Our job is to plan for every eventuality, no matter how unlikely. Each time, the design of our data center and our automatic mechanisms worked perfectly and prevented your assets from being affected by a major incident, with no outages.

Scaleway’s approach

Scaleway’s approach is based around three objectives:

Isolate any incidents to stop them becoming bigger, using compartmentation methods.

Control the incident, without interrupting production, using automatic mechanisms.

Facilitate intervention by the emergency services and our staff.

This approach is applied by all data centers around the world. In this sector, not only asset protection but also business continuity is paramount, even in the unlikely event of a fire.

Passive protection (built-in)

We divide each data center into compartments, all of which are fire-resistant. The walls, flooring, ceilings, doors, and windows are designed to resist fire and prevent it spreading to the rest of the building. The surface area and duration of this resistance depends on the risk involved.

In other words, if there is an incident within one compartment, it will not spread to the rest of the building for at least one or two hours.

For example:

We consider the places where…