Security and Privacy at Gatling

Gatling strives to maintain and provide a secure experience for all our clients and users.
Security, Privacy, and Transparency are an integral part of our services delivery.


Stress-tested Load Testing Platform

Industry leaders trust Gatling with their load testing data being processed by our products. They rely on Gatling to keep their systems available and their customer experience enjoyable.
We back ourselves up with a robust multi-layered security approach that combines people, culture, processes, and technologies.
200,000+ Organizations

implementing Gatling in 30+ business industries, including the most demanding in terms of security (Government & public services, Healthcare, Energy & Utilities, Finance, Aerospace & Defense, etc.).

1 Million+ Users

using Gatling across the globe in 65+ countries. Gatling has a very large community of users, contributors (more than 6.3K stars on GitHub), clients and partners.

20 Million Downloads

Gatling has been a success from the start of our history.

Governance and Commitment

Gatling is committed to information security, data protection and privacy in accordance with applicable laws, regulations, and best-in-class standards. Executive leadership members (all Directors) are responsible for establishing the policies and controls management system, monitoring compliance with those controls, improving security where necessary, and demonstrating our security to clients.

Leadership

Directors regularly communicate the importance of effective security measures, ensure that the resources needed are available, and promote continuous improvement.

Defence-in-depth layers

Security controls are implemented and layered according to the principle of defense-in-depth to leverage multiple security measures to protect Gatling's assets and Clients' data.

Principle of least privilege

Access is limited to people with a legitimate business need and granted based on the principle of least privilege.

Security consistency

Security controls are applied consistently across all Gatling departments.

Security efficiency

The implementation of controls is iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

Data protection

Gatling provides industry-standard encryption for Client data, in particular personal data, to prevent any unauthorized access and data breaches.

Access to product

All products are accessible only via secure, encrypted, state-of-the-art protocols (TLS...) and can use certificates signed by public or internal authorities.

Data at rest

All data hosted in our infrastructure is encrypted at rest using AWS RDS for PostgreSQL with symmetric 256-bit Advanced Encryption Standard (AES-256) enabled.

Data in transit

All data sent to or from our infrastructure is encrypted in transit (HTTPS) using the industry best-practice Transport Layer Security protocol (TLSv1.3).

Database encryption

Database encryption is managed by AWS Key Management Service (KMS), which stores key material in Hardware Security Modules; this prevents direct access to the keys by any individual, including employees of Amazon and Gatling.

Secrets Management

Gatling Enterprise can integrate your test scripts with Secrets management services (such as AWS Secrets Manager) to securely retrieve and manage secret values after the initialization stage of your load generators.

Logging and Monitoring

Gatling uses technologies to capture and monitor logs, and detect anomalies in our systems and applications. We benefit from a full audit trail to identify suspicious activity.

GDPR Compliance

Gatling is compliant with the General Data Protection Regulation (GDPR). It is a comprehensive data protection law that governs the use, sharing, transfer, and processing of EU personal data. For UK personal data, the provisions of the EU GDPR have been incorporated into UK law as the UK GDPR. We also comply with CNIL recommendations (an independent administrative authority responsible for ensuring the protection of personal data).

Infrastructure

Gatling infrastructure and SaaS services are hosted by a third-party service provider, Amazon Web Services, in the AWS Europe (Paris, France) Region. Gatling provides top-notch security with a completely isolated multi-tenant architecture in a modern, cloud-based, dedicated Virtual Private Cloud. We don’t host or run our own servers, switches, routers, load balancers, or DNS servers. AWS has ownership of and responsibility for the security maintenance of the infrastructure layers (OS, databases, networks, etc.).

High availability

Gatling guarantees a modern 3-tier architecture with reliable and sustainable availability, and scalable performance. The AWS Europe (Paris) Region offers three Availability Zones (AZs), which are technology infrastructures located in distinct geographical locations. In addition to the region, AWS has six edge locations in France.

AWS's security and environmental controls

The AWS Europe (Paris) Region complies with ISO 27001, ISO 27017, ISO 27018, SOC 1 (Formerly SAS 70), SOC 2 and SOC 3 Security & Availability, PCI DSS Level 1, Hébergeur de Données de Santé (HDS) certification, and many more.

Web Application Firewall

The Gatling infrastructure is multi-VPC and multi-region to limit attack surfaces and ensure availability, performance and resilience. Each VPC is subdivided into distinct sub-networks according to application needs. Communications between applications are secured at network level (L4) by security groups, and at access level (L7) by associated IAM roles.

DDoS Protection

Gatling uses AWS WAF as the primary automatic mitigation for application-layer attacks, with anti-Distributed Denial of Service (DDoS) protection at every edge location using throttling. AWS WAF web access control lists minimize the effects of an attack at the application layer.

Back-ups

Gatling uses Amazon RDS to set up, operate, and scale our PostgreSQL database in the AWS Cloud, and Amazon Keyspaces, a managed Apache Cassandra-compatible database service, for Gatling load test data. Amazon RDS manages daily automated backups, software patching, automatic failure detection, and recovery. In addition to back-ups, our databases are replicated to 2 other Availability Zones.

Infrastructure continuity

Gatling operates on AWS, and AWS is responsible for the resiliency of the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS Cloud services. Each AWS Region is fully isolated and consists of multiple Availability Zones, which are physically isolated partitions of infrastructure.

Product security

Gatling has implemented and maintains

Penetration testing

Gatling engages one of the best penetration testing consulting firms in France at least annually to audit our secure code development practices (OWASP Top 10...).

Enterprise security

Gatling uses a risk-based approach to vendor security. Factors that influence the risk rating include access to customer data, integration with clients' environments, and potential damage to the Gatling brand.

Vulnerability scanning

Gatling requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC).

Endpoint protection

All corporate devices are centrally managed with known hardened security configurations, such as anti-malware protection, disk encryption, screen lock configuration, software updates, and a password manager.

Secure remote access

Gatling secures remote access to internal resources to protect employees and their endpoints while browsing the internet.

Identity and access management

Gatling employees are granted access to applications based on their role, and are automatically deprovisioned upon termination of their employment. We prevent accidental code merges with credential checking and peer review.

No organization is impenetrable, and we're always aiming to improve.

If you find any security issues with Gatling, please contact us.