Security and Privacy at Gatling
Gatling strives to maintain and provide a secure experience for all our clients and users.
Security, Privacy, and Transparency are an integral part of our service delivery.
Stress-tested Load Testing Platform
We back ourselves up with a robust multi-layered security approach that combines people, culture, processes, and technologies.
Organizations
implementing Gatling in 30+ business industries, including the most demanding in terms of security (Government & public services, Healthcare, Energy & Utilities, Finance, Aerospace & Defense, etc.).
Users
using Gatling across the globe in 65+ countries. Gatling has a very large community of users, contributors (more than 6.3K stars on GitHub), clients and partners.
Downloads
Gatling has been a success from the start of our history.
Governance and Commitment
Gatling is committed to information security, data protection and privacy in accordance with applicable laws, regulations, and best-in-class standards. Executive leadership members (all Directors) are responsible for establishing policies and a controls management system, monitoring compliance with those controls, improving security where necessary, and demonstrating our security posture to clients.
Leadership
Directors regularly communicate the importance of effective security measures, ensure that the resources needed are available, and promote continuous improvement.
Defence-in-depth layers
Security controls are implemented and layered according to the principle of defense-in-depth to leverage multiple security measures to protect Gatling's assets and Clients' data.
Principle of least privilege
Access is limited to people with a legitimate business need and granted based on the principle of least privilege.
Security consistency
Security controls are applied consistently across all areas of Gatling departments.
Security efficiency
The implementation of controls is iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Data protection
Gatling provides industry-standard encryption for Client data, in particular personal data, to prevent any unauthorized access and data breaches.
Access to product
All products are accessible only via secure, encrypted, state-of-the-art protocols (TLS...) and can use certificates signed by public or internal authorities.
Data at rest
All data hosted in our infrastructure is encrypted at rest using AWS RDS for PostgreSQL with symmetric 256-bit Advanced Encryption Standard (AES-256) enabled.
Data in transit
All data sent to or from our infrastructure is encrypted in transit (HTTPS) using Transport Layer Security (TLSv1.3), in line with industry best practices.
Database encryption
Database encryption is managed by AWS Key Management Service (KMS), which stores key material in Hardware Security Modules, preventing direct access to the keys by any individual, including employees of Amazon and Gatling.
Secrets Management
Gatling Enterprise can integrate your test scripts with Secrets management services (such as AWS Secrets Manager) to securely retrieve and manage secret values after the initialization stage of your load generators.
Logging and Monitoring
Gatling uses technologies to capture and monitor logs, and detect anomalies in our systems and applications. We benefit from a full audit trail to identify suspicious activity.
GDPR Compliance
Gatling is compliant with the General Data Protection Regulation (GDPR). It is a comprehensive data protection law that governs the use, sharing, transfer, and processing of EU personal data. For UK personal data, the provisions of the EU GDPR have been incorporated into UK law as the UK GDPR. We also comply with CNIL recommendations (an independent administrative authority responsible for ensuring the protection of personal data).
Infrastructure
Gatling infrastructure and SaaS services are hosted by a third-party service provider, Amazon Web Services, in the AWS Europe (Paris, France) Region. Gatling provides top-notch security with a completely isolated multi-tenant architecture in a modern, cloud-based, dedicated Virtual Private Cloud. We don't host or run our own servers, switches, routers, load balancers, or DNS servers. AWS has ownership of and responsibility for the security maintenance of the infrastructure layers (OS, databases, networks, etc.).
High availability
Gatling guarantees a modern 3-tier architecture with reliable and sustainable availability and scalable performance. The AWS Europe (Paris) Region offers three Availability Zones (AZs), which are technology infrastructures located in distinct geographical locations. In addition to the region, AWS has six edge locations in France.
AWS's security and environmental controls
The AWS Europe (Paris) Region complies with ISO 27001, ISO 27017, ISO 27018, SOC 1 (Formerly SAS 70), SOC 2 and SOC 3 Security & Availability, PCI DSS Level 1, Hébergeur de Données de Santé (HDS) certification, and many more.
Web Application Firewall
The Gatling infrastructure is multi-VPC and multi-region to limit attack surfaces and ensure availability, performance and resilience. Each VPC is subdivided into distinct sub-networks according to application needs. Communications between applications are secured at network level (L4) by security groups, and at access level (L7) by associated IAM roles.
DDoS Protection
Gatling uses AWS WAF as the primary automatic mitigation for application-layer attacks, with anti-Distributed Denial of Service (DDoS) protection at every edge location using throttling. AWS WAF web access control lists minimize the effects of an attack at the application layer.
Back-ups
Gatling uses Amazon RDS to set up, operate, and scale our PostgreSQL database in the AWS Cloud, and AWS Keyspaces, a managed Apache Cassandra-compatible database service, for Gatling load test data. Amazon RDS manages daily automated backups, software patching, automatic failure detection, and recovery. In addition to back-ups, our databases are replicated across 2 other Availability Zones.
Infrastructure continuity
Gatling operates on AWS, and AWS is responsible for the resiliency of the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS Cloud services. Each AWS Region is fully isolated and consists of multiple Availability Zones, which are physically isolated partitions of infrastructure.
Product security
Gatling has implemented and maintains
Penetration testing
Gatling engages with one of the best penetration testing consulting firms in France at least annually, auditing secure code development (OWASP Top 10...).
Enterprise security
Gatling uses a risk-based approach to vendor security. Factors that influence the risk rating include access to customer data, integration with clients' environments, and potential damage to the Gatling brand.
Vulnerability scanning
Gatling requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC).
Endpoint protection
All corporate devices are centrally managed with known hardened security configurations, such as anti-malware protection, disk encryption, screen lock configuration, software updates, and a password manager.
Secure remote access
Gatling secures remote access to internal resources to protect employees and their endpoints while browsing the internet.
Identity and access management
Gatling employees are granted access to applications based on their role, and are automatically deprovisioned upon termination of their employment. We prevent accidental code merges through credential checking and peer review.