codatio · andy-white-hat · Oct 15, 2024 · Sep 26, 2024 · Sep 27, 2024 · Sep 27, 2024
@@ -1,36 +1,36 @@
 ---
-title: "Overview"
-description: "Enterprise pages"
+title: "Architecture overview"
+description: "Explore a high-level overview of Codat's platform architecture"
+sidebar_label: "Overview"
+hide_table_of_contents: false
 ---
 
+## Introduction
 
-# Architecture 
+Codat has a **microservice architecture**. This modular structure parallelizes software development and enables a scalable and robust system to be created.
 
-The Codat technology system has a [microservice](https://en.wikipedia.org/wiki/Microservices) architecture, this modular structure parallelizes software development and enables a scalable and robust system to be created.
+There are currently over 100 services that make up the Codat technology infrastructure, each with a separate instance for each of the two environments (integration and production). Most importantly, each connection to an external data source is a separate service that handles authentication, authorization, data fetch, and data mapping. 
 
-There are currently over 100 services that make up the Codat technology infrastructure, each with a separate instance for each of the two environments (integration, production). 
+Services are configured to automatically scale out to multiple instances in the event of increased load. This ensures high levels of availability and performance. The load on instances is proactively monitored by [Microsoft Azure](https://azure.microsoft.com/en-us/), and the engineering team is alerted in the event of unexpected spikes.
 
-Most importantly, each connection to an external data source is a separate service with the responsibility of handling authentication, authorisation, data fetch and data mapping. Services are configured to automatically scale out to multiple instances in the event of increased load, thus ensuring high levels of availability and performance. 
+### Networking flow topology
 
-Load on instances is proactively monitored by Azure, and the engineering team is alerted in the event of unexpected spikes.
+You can see the overview of Codat's networking flow topology on the image below. Clients call through a Web Application Firewall (WAF) to our gateway, which is routed to the correct service.
 
 ![](/img/enterprise/architecture/architecture.png)
 
-# Hosting and Data Storage
+## Hosting and data storage
 
-Codat uses the [Microsoft Azure](https://azure.microsoft.com/en-us/) platform for all hosting and data storage.  Codat has ensured that all hosting and data storage by Azure is located in the UK only.
+Codat uses the [Microsoft Azure](https://azure.microsoft.com/en-us/) platform for all hosting and data storage, located in the UK only. Microsoft Azure is a growing collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centres.
 
-Microsoft Azure is a growing collection of integrated cloud services that developers and IT professionals use to build, deploy and manage applications through a global network of data centres.
-In particular Codat uses [Azure’s Platform-as-a-service PaaS](https://azure.microsoft.com/en-gb/overview/what-is-paas/) offering rather than Infrastructure-as-a-service (IaaS). 
+In particular, Codat uses Azure’s [Platform as a service (PaaS)](https://azure.microsoft.com/en-gb/overview/what-is-paas/) offering. It includes hosting, networking, and storage infrastracture as well as middleware, development tools, and other resources required to support a complete web application lifecycle. 
 
-This means that the underlying application infrastructure is managed by Microsoft themselves, ensuring it is maintained to the highest standard. Operating System patching is carried out automatically by Microsoft.
+This allows Codat to focus on the services we create while Microsoft manages the underlying application infrastructure and automatically patches the operating system, maintaining them to the highest standard. 
 
-All data is stored on Microsoft Azure architecture.
+:::info Additional resources
+See Microsoft's [What is PaaS?](https://azure.microsoft.com/en-gb/resources/cloud-computing-dictionary/what-is-paas/) to learn more about cloud platform services and [Shared Responsibility Model](/enterprise/tech-overview/architecture/shared-responsibility-model) for more information on our use of Azure. 
+:::
 
-# Azure Security
-Codat utilizes the following security offerings provided by Microsoft Azure:
- - Encryption at rest: SQL transparent data encryption, Storage Service Encryption, AES-256
- - Encryption in transit: TLS/SSL enforced for all data transit, HSTS, IPSec
- - Role level access: Azure RBAC, Active Directory
+## Read next
 
-For a more detailed explanation of Microsoft Azure security and data protection features see [here](https://www.microsoft.com/en-us/trustcenter/).
+- [Shared responsibility model](/enterprise/tech-overview/architecture/shared-responsibility-model)
@@ -0,0 +1,35 @@
+---
+title: "Shared responsibility model"
+description: "Review Codat's shared responsibility model with Microsoft Azure"
+hide_table_of_contents: false
+---
+
+Operations at Codat are performed entirely on cloud hosted platforms. As such, responsibilities vary across layers of the stack. You can see Microsoft's approach to dividing responsibility in the cloud below. 
+![Microsoft's division of responsibility in the cloud](ms-shared-responsibility.svg)
+
+## Resposibilities by party
+
+The following tables articulate the responsible parties at each layer of our [platform as a service](/enterprise/tech-overview/architecture/platform-as-a-service) offering and the details of their implementation. 
+
+### Codat's scope
+
+| Responsibility           | How is it done?              |
+|--------------------------|------------------------------|
+| Information and data     | &#x2022; Codat Control Framework <br /> &#x2022; Data Retention Policy <br /> &#x2022; Encryption Policy <br /> &#x2022; Access Control Policy <br /> &#x2022; Security & Data Protection <br /> &#x2022; [Information Security Policy](https://trust.codat.io/)🔗 <br /> &#x2022; [Acceptable Use Policy](https://trust.codat.io/)🔗 <br /> &#x2022; [Data Security](/enterprise/tech-overview/security/data-security) |
+| Devices (mobile and PCs) | &#x2022; People Operations Security Policy <br /> &#x2022; Security Operations & Network Security Policy (workplace tech) <br /> &#x2022; Security & Data Protection <br /> &#x2022; [Acceptable Use Policy](https://trust.codat.io/)🔗 |
+| Accounts and identities  | &#x2022; Password Policy <br /> &#x2022; Access Control Policy <br /> &#x2022; [Information Security Policy](https://trust.codat.io/)🔗 <br /> &#x2022; People Operations Security Policy <br /> &#x2022; Security & Data Protection <br /> &#x2022; [Acceptable Use Policy](https://trust.codat.io/)🔗 |
+| Identity and directory infrastructure  | &#x2022; Access Control Policy <br /> &#x2022; [Information Security Policy](https://trust.codat.io/)🔗 |
+| Applications             | &#x2022; Codat Control Framework <br /> &#x2022; [Change Management Policy](https://trust.codat.io/)🔗 <br /> &#x2022; [Secure SDLC Policy](https://trust.codat.io/)🔗 |
+| Network controls         | &#x2022; Security Operations & Network Security Policy <br /> &#x2022; Codat Control Framework <br /> &#x2022; [Information Security Policy](https://trust.codat.io/)🔗 <br /> &#x2022; [Network Security](/enterprise/tech-overview/security/network-security) |
+
+### Azure's scope
+
+Comprehensive details on the security and data protection features within Microsoft Azure can be found on the [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/)🔗 and as part of Microsoft's [Shared responsibility in the cloud](https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility)🔗 documentation. 
+
+| Responsibility           | How is it done?              |
+|--------------------------|------------------------------|
+| Operating System         | &#x2022; [Firmware security](https://learn.microsoft.com/en-us/azure/security/fundamentals/firmware)🔗 <br /> &#x2022; [Security in Azure App Services](https://learn.microsoft.com/en-us/azure/app-service/overview-security)🔗 <br /> &#x2022; [Securing PaaS deployments](https://learn.microsoft.com/en-us/azure/security/fundamentals/paas-deployments)🔗 |
+| Physical hosts          | &#x2022; [Azure information system components and boundaries](https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure-components)🔗 |
+| Physical network        | &#x2022; [Azure information system components and boundaries](https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure-components)🔗 |
+| Physical data centre     | &#x2022; [Datacenter security overview](https://learn.microsoft.com/en-us/compliance/assurance/assurance-datacenter-security)🔗 |
+
@@ -0,0 +1,21 @@
+---
+title: "API mutual TLS"
+description: "Learn about the prerequisites for setting up enterprise API mTLS"
+hide_table_of_contents: true
+---
+
+:::tip Enabling API mTLS
+
+If you wish to use mTLS when talking to our API, speak to your account manager.
+:::
+
+Mutual TLS (mTLS) is available to our enterprise clients as a mutual authentication method when calling our API. mTLS ensures that the parties at each end of a network connection are who they claim to be. To confim this, the parties' private cryptographic keys are verified. The information within their respective TLS certificates provides additional verification.
+
+:::info Additional resources
+For more information on mTLS and its core concepts, see:
+- [What is mutual authentication?](https://www.cloudflare.com/en-gb/learning/access-management/what-is-mutual-authentication/)
+- [What is a cryptographic key?](https://www.cloudflare.com/en-gb/learning/ssl/what-is-a-cryptographic-key/)
+- [What is an SSL certificate?](https://www.cloudflare.com/en-gb/learning/ssl/what-is-an-ssl-certificate/)
+:::
+
+Codat can provision our enterprise customers with client certificates to enable mTLS communication with a client or clients. Once this has been issued and enabled on a particular client, all API requests on behalf of the configured client must include the public certificate and an `x-codat-client: GUID` HTTP request header.
@@ -0,0 +1,96 @@
+---
+title: "Data security"
+description: "Review the security practices that cover how we store data at rest and secure it in transit"
+sidebar_label: "Data security"
+---
+
+:::tip Additional resources
+View our latest compliance certificates and security and legal policies in our **[Trust Portal](https://trust.codat.io/)**.
+:::
+
+## Data at rest
+
+In this section, we cover security principles that apply to the data we store in Azure's SQL databases and blob storage.
+
+### Azure SQL databases
+
+The databases are encrypted using Transparent Data Encryption (TDE). Microsoft manages the full key lifecycle and encryption standards within Azure using AES-256 as part of this process. 
+
+See Microsoft's [Transparent data encryption for SQL Database, SQL Managed Instance, and Azure Synapse Analytics](https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&viewFallbackFrom=sql-server-ver16&tabs=azure-portal)🔗 for more information.
+
+#### Enterprise-specific encryption keys
+
+Codat's enterprise clients have the option of using dedicated databases that can facilitate customer-specific encryption keys. Encryption keys are stored in a Codat-managed Azure Key Vault with the option of client storage. All databases for the same client share the same encryption key.
+
+##### Key regeneration principles
+
+* New versions of keys are generated at least every two years to meet cryptographic best practices.
+* For Codat-managed vaults, the key management lifecycle follows our current best practice approach.
+* Previous versions of the keys are maintained for the duration of the backup retention policy to allow for recovery from backups.
+* Automatic key rotation is enabled at the database level. The rotation is triggered when a new version of the key is detected, and will automatically be rotated within 24 hours.
+
+See [Configure cryptographic key auto-rotation in Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation)🔗 for further details.
+
+##### Key deletion principles
+
+Upon request or contract termination, Codat deletes the customer-specific key within 5 working days excluding weekends. This renders persisted data unreadable. The client can confirm the deletion is complete by requesting data from our API, which will fail because the database will be unreadable.
+
+See [Transparent data encryption (TDE) with customer-managed keys at the database level](https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-database-level-overview)🔗 for further information.
+
+### Azure blob storage
+
+Codat stores data in the Azure blob storage on a temporary basis for the purposes of staging and support. This data is encrypted at rest through Storage Service Encryption. 
+
+See [Azure Storage encryption for data at rest](https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption)🔗 for more details.
+
+### Backups and redundancy
+
+To ensure a continuous service, Codat follows a best practice data backup and redundancy methodology. As a result, all our backups are encrypted and follow our retention policy. 
+
+Depending on the client's contract, backups may be protected using a dedicated customer key or through the usage of a managed Microsoft encryption key.
+
+## Data in transit
+
+In this section, we cover ways that Codat enforces current best practice encryption mechanisms as part of all data transportation.
+
+### HTTPS
+
+All communication to `codat.io` mandates HTTPS (not HTTP) with best practice enforced. The report results below provided by the independent third party [Qualys SSL Labs](https://www.ssllabs.com/ssltest/) attest to this configuration. 
+
+![Qualys SSL Labs Scan Report](qualys-ssl-report.png)
+
+### Internal network traffic
+
+All internal network traffic operates over SSL/TLS (HTTPS). 
+
+### HTTP Strict Transport Security
+
+At an application level, all HTTPS responses servicing requests (from the portal or API) include an HTTP Strict Transport Security (HSTS) header. 
+
+## Data access control
+
+As part of our data security posture, Codat enforces strict data access control. This includes the following practices:
+
+1. **Principle of least privilege**
+
+    By default, people do not have access to production client data. 
+
+3. **Break-glass access**
+
+    Individuals have the ability to obtain break-glass access to production for the purposes of issue investigation. This access is time-bound, tied to a specific task, and must be approved by an elected set of leadership. It must be carried out through a connection to a dedicated production VPN that requires 2FA and a compliant Codat-provisioned device.
+
+3. **Codat people device control**
+
+    All Codat provisioned devices have full disk encryption, and production data does not leave the production environment.
+
+Access control is enforced through Azure RBAC and Active Directory. You can find more details about these features on the [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/)🔗.
+
+## Secrets storage
+
+Parts of Codat's application require the persistence of secrets (such as tokens or credentials). These are treated with particular care and sensitivity: they are stored in the Azure Key Vault and are only accessible via specific break-glass access control. 
+
+See [Azure Key Vault Security](https://learn.microsoft.com/en-us/azure/key-vault/general/security-features)🔗 for more information.
+
+## Logging
+
+Diagnostic information is persisted for the purposes of engineering investigation and support. No sensitive information or PII is logged.