Cloud Services

February, 2026

Applications

At the user endpoint, only an evergreen browser is required. Major releases will be tested on the current versions of:

When using outdated and/or other browsers, your mileage may vary. 3D features require hardware acceleration.

The Lighthouse audits, being run with slow network connectivity, result in these spectacular scores of a typical Vision 42 ® application:

100% - Performance
100% - Accessibility
100% - Best Practices
100% - SEO

For details, see the attached report. Even on an emulated mid-range smartphone from 2020, the score stays 100% across the board. Note we make use of HTTP/3 and IPv6. An application's performance is regularly assessed. In case of diminishing performance, measures will be taken to speed up the application. Among possible improvements are code refactoring, database tuning, and adding hardware.

Each application exists in at least three environments: production, quality assurance, and development. Software releases are done by continuous integration and continuous deployment (CI/CD). Its fully automatic nature limits human error. All versions of the source code, the database schemata, the documentation, and the configuration files are immutably stored in a blockchain. All data in the quality assurance environment is copied daily from production.

Application bugs will be fixed free of charge.

Infrastructure

Cloud applications need infrastructure to run on; servers, storage, and network. Vision 42 selects a reliable and accomplished infrastructure-as-a-service (IaaS) provider to host the applications. At the time of writing, this provider is European company TransIP.

Although our IaaS provider guarantees and delivers 99.99% uptime, the availability of a Vision 42 application can be slightly lower. Keeping potential release issues in mind, the effective availability will be at least 99.9%. Internet and customer network issues are out of our control, so the perceived availability at certain user endpoints might be lower. Free or captive-portal based Internet access, like municipal WiFi, are often not stable enough and can cause sub-optimal operation. Intermediate cyber attacks of the distributed denial of service (DDoS) type, have been known to cause multi-hour Internet connection saturation [1]. Our current operational status and detailed uptime statistics can be consulted on a public status page. In case of calamities, news will be published on our website or on X.

The primary data centers are state-of-the-art and are located in Amsterdam and Rotterdam, in The Netherlands. See the attached fact sheet for details. Our IaaS providers have a massive bandwidth available.

Vision 42 applications run on redundant physical servers. All servers have been over-dimensioned, so they have power to spare. Currently, the specifications of a single virtual server are:

CPU model: AMD EPYC (dedicated)
CPU cores: 8
CPU usage: < 20% (typical)
Memory: 16 GB
Disk: Non-Volatile Memory Express (NVMe) - 3 replicas
File system: ZFS
Network: 2.5 Gbps

Our Domain Name System (DNS) provider is Cloudflare.

[1] The Netherlands has a powerful National Scrubbing Center against DDoS attacks.

The Datacenter Group Amsterdam.pdf

Backup and Restore

Although our IaaS vendor provides backups, we choose not to place all of our eggs in one basket. That is why we make use of an independent backup-as-a-service (BaaS) provider. At the time of writing, this provider is rsync.net.

Geographically, the secondary data center is located in Denver, USA [3]. In contrast with Amsterdam [1] and Rotterdam [2], Denver is located one mile above sea-level. The geographical difference between both locations provide protection against complete data-loss caused by most natural disasters. Additionally, offsite backups are kept at two separate locations in Belgium [5] [6]. In case a big asteroid destroys The Netherlands, Colorado, and Belgium at once, we fear your data may be lost. At that moment, it will be the least of your problems...

All backups are stored in both data centers and all offsite locations. Files are synchronized with 1-hour intervals. Every database is replicated with 2-hour intervals and thoroughly verified. We keep many immutable / read-only snapshots, so we can restore up to 3 years ago.

Our average recover point objective (RPO) is:

30 minutes for files, including a user transaction log
60 minutes for databases

Recover time objective (RTO) depends on the service level agreement (SLA) of your support formula and will typically be the next business day.

We offer a takeout service to leaving clients.

Monitoring

Our infrastructure and the applications are continuously being monitored. Alerts are sent to the engineering staff, who often solve the (rare) problem before a customer notices. Monitoring includes:

Infrastructure availability
Application availability
Database integrity:
- Table or index entries that are out of sequence
- Misformatted records
- Missing pages
- Missing or surplus index entries
- UNIQUE, CHECK, and NOT NULL constraint errors
- Integrity of the freelist
- Sections of the database that are used more than once, or not at all
- Foreign key constraints that are violated
Database performance
Replication of databases
Synchronization of application files

Backup of configuration files
Snapshots
Available disk and backup capacity
CPU, memory, and file nodes
Intrusion or privilege escalation attempts
Intrusion Detection System (IDS)
Unsanctioned open ports
Vulnerability scans
Expiration of certificates
Unauthorized certificates, using certificate transparency logs
Undelivered email
Domain Name System (DNS) configuration
Warnings and errors of web applications
Network performance
External integrations
External email issues

Security

All servers run FreeBSD or Linux operating systems. Daily, we proactively audit and upgrade all software to the latest stable and secure versions. This can be verified in your app, under About > Changes > Software. If an intrusion or a privilege escalation attempt is detected, automatic countermeasures will fire immediately.

The default authentication method is password-less, based on tokens with 144 bits of entropy. These tokens can only be used once and expire after 1 day.

Legacy passwords have 120 bits of entropy; they cannot be provided by a user. Instead of passwords, salted cryptographic hashes are being transmitted and stored. Brute-force attacks are impeded by delaying failed authorization attempts.

Session management is based on Ed25519 asymmetrical cryptography and requests are always signed.

All network connections are encrypted, both the client/server as the server/server connections. Certificates are always being verified. Strong certificates are used for our servers. Additionally, we make use of:

Transport Layer Security (TLS) - limited to secure versions and ciphers
Certification Authority Authorization (CAA)
Certificate Transparency (CT)
Certificate Revocation Lists (CRL)
Domain Name System Security Extensions (DNSSEC)
Secure Shell fingerprint records (SSHFP)
Service binding and parameter specification (DNS SVCB and HTTPS RRs)
Intrusion Detection System (IDS)
Address space layout randomization (ASLR)
Global Privacy Control (GPC)

We hold these security ratings (reports attached):

"A+" final SSL score on ImmuniWeb
"A+" overall rating on Qualys SSL Labs
"A+" score on HTTP Observatory
"A+" on Security Headers
"10/10" score on Mail Tester

Our TLS implementation is compliant with:

Payment Card Industry Data Security Standard (PCI DSS) requirements
Health Insurance Portability and Accountability Act (HIPAA) guidance
National Institute of Standards and Technology (NIST) guidelines

Our email is protected from eavesdropping and impersonation by:

Opportunistic TLS (StartTLS)
Sender Policy Framework (SPF)
DomainKeys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Mail Transfer Agent - Strict Transport Security (MTA-STS)

Every write operation can be traced to a specific user, an IP address, and a browser type. Relevant server logging is being kept for 10 weeks, including:

Web access, error, and TLS
E-mail
SFTP
FTP

ImmuniWeb SSL certificate.pdf

ImmuniWeb SSL.pdf

Mail Tester.pdf

Page updated

Report abuse