Trust Center

The information on this page outlines Gandi's security architecture and practices at a high level.

Information security is a top priority at Gandi because we understand how much it means to our customers and partners. In order to maintain this security, in some cases we must limit the information we provide about the measures we have in place.

If you require further information, please contact our support team and if necessary we may be able to share further information upon signature of a Non-Disclosure Agreement.

1. Information Security Governance

Gandi implements an Information Security Management System that is certified by BSI against the ISO27001:2022 standard.

The latest copy of our certificate can be downloaded here.

The ISMS is directly overseen by Gandi's Top Management who conduct monthly reviews of performance and suitability of the ISMS to Gandi's organisation.

The ISMS is designed to systematically respond to the expectations of identified internal and external stakeholders whilst minimizing and reacting to risks, nonconformities and incidents.

The ISMS is documented and communicated internally through the publication of Policies and Procedures and these documents are reviewed on at least an annual basis.

Gandi strives to be as transparent as possible with our stakeholders so long as transparency does not undermine our ability to effectively maintain information security.

Internal and external certification audits of the ISMS are carried out each year to ensure the proper functioning of all aspects of the information security procedures and adherence to Gandi's own security policies.

Risks & Nonconformities

Gandi's top management monitors and directs the performance of the ISMS through regular reporting sessions which include the review of risks and nonconformities to Information Security Policies.

Gandi undertakes assessments of risks to the information system and prioritises treatments based on the potential impact of an identified risk in the following domains:

  • Confidentiality
  • Integrity
  • Availability

Treatment tasks are prioritised according to risk severity, and progress against risk treatment plans is reported regularly to Top Management.

Where nonconformities are identified, they are analyzed to understand the impact, the root cause and the possibility of similar unidentified occurrences. This information is used to plan corrective actions to address the root cause of the nonconformities.

Information Security Classification

An inventory is maintained for all information assets processed by Gandi and each asset is assigned to an "owner". The owner is then responsible for identifying the criticality of the information according to a standardised scale:

- Normal - Information can be shared externally

- Private - Information can only be shared with Gandi employees

- Restricted - Information can only be shared with those who need to know

Each classification has corresponding security measures that must be followed for all information with that classification. An annual review cycle ensures that these details are kept up-to-date.

Legal Compliance

A dedicated internal legal team is responsible for the regulatory compliance of all Gandi's activities including:

  • GDPR
  • Applicable territorial legal frameworks
  • Registry requirements for various TLDs

Treatments of information assets are catalogued and systematically reviewed on a regular basis.

All relevant information on privacy topics is published via Gandi's Privacy Policy:

https://www.gandi.net/en/contracts/privacy-policy

2. Infrastructure

Data Centers

Gandi does not make use of colocated hosting or cloud services for the infrastructure of our public products; instead, we rent space in dedicated rooms inside data centers. These rooms are accessible only to Gandi employees or, in extenuating circumstances, data center staff under instruction from Gandi employees.

The data centers we rent space in have stringent physical security controls:

France: Saint-Denis Equinix PA3

Luxembourg: Bissen LuxConnect DC2

3. Security Measures

Network Security

Gandi employs a dedicated Security Operations team to work on continual improvement of technical security measures as well as daily active surveillance with a suite of security monitoring, logging and alerting tools.

The Security Operations team provides reactive support in investigating, isolating and remediating security incidents, as well as detailed forensic analysis where required.

Monitoring & Logging

Detailed monitoring plans are a base requirement for all of Gandi's production systems and must include metrics such as:

  • CPU utilization
  • Memory utilization
  • Storage capacity
  • Network connection status
  • Message queue backlogs
  • Component health-checks

Automated alerts are configured according to expected usage patterns and traffic fluctuations, but dashboards are also actively monitored as part of a daily operational management routine.

Mandatory centralization of logs on dedicated infrastructure ensures the ability to investigate functional issues affecting production systems as well as deliberate or accidental abuse.

Malware Protection

Gandi has implemented an Endpoint Detection and Response solution on critical user devices and administrative servers as part of an ongoing roll-out of capabilities to identify and isolate malware as well as monitoring for updates and distributing security patches.

Due to high performance requirements, malware detection is not run on production servers; instead, these systems are protected by defense-in-depth strategies such as firewalling, network segregation, and automated monitoring and alerting.

Physical Security

Physical security measures at data centers are implemented by our data center providers (see above). However, Gandi rents private rooms within these data centers where only approved members of the technical operations team are permitted to enter.

Tiered physical security perimeters are also maintained for all of Gandi's offices and access to these premises is controlled through the use of electronic badges assigned to employees and visitors.

Access Control

Gandi adheres to the principle of least privilege with regard to access control.

Access profiles are determined according to an employee's business function and associated risk assessments. All additional access requests must follow a standardized procedure which includes assessment and approval from the relevant asset owner.

Encryption

Gandi enforces SSL encryption as standard on all web portals and APIs. The same standards are applied to all internal connections to staging or production environments.

Encryption at rest is applied as a function of data criticality so that we can ensure that sensitive information such as passwords is always securely encrypted.

Note: Encryption of customer information such as emails or data stored on our hosting services remains the responsibility of the customer. Full terms and conditions can be found here:

https://www.gandi.net/contracts

Availability & Continuity

All planned maintenance activities that risk disruption to our services are communicated on https://status.gandi.net/ at least 48 hours in advance (but generally much earlier).

These activities must be fully risk-assessed and step-by-step procedures including options for roll-back must be documented and approved by the operations manager.

Where possible, maintenance activities are planned outside of peak hours to minimize the risk of significant disruptions to clients.

Gandi maintains a Disaster Recovery Plan that makes use of a recovery site that is both geographically separated from production systems and supported by a separate organization. This redundancy guards against large scale incidents that could affect multiple data centers.

Business Continuity procedures are also in place for critical systems to ensure a minimum level of service availability until disruptions can be mitigated.

Automated backups are carried out on a daily basis and copies are stored in three locations:

  • Locally within the same data center
  • Remotely in the disaster recovery site
  • Offline in a safe room.

Backups are subject to daily automated integrity checks, as well as ad-hoc manual validation.

Note: Backups and disaster recovery measures are in place only for DNS services and Gandi's own infrastructure. Clients are therefore responsible for the backup and recovery of their own data for services such as email or hosting. Full terms and conditions can be found here:

https://www.gandi.net/contracts

Third Parties

Gandi actively limits all instances of customer data sharing with third parties. All processing of customer information by third parties is listed below:

Communication:

  • Brevo: Email addresses for customer communications
  • Vadesecure: Emails for anti-spam filtering
  • Zendesk: Account details for customer support request handling

Supply Chain:

  • Registries (corresponding to the purchased TLD): Domain registration info for domain name management
  • Equinix: Data center provider (see above)
  • LuxConnect: Data center provider (see above)

Reviews of security measures in place with Gandi's third parties are conducted as part of the initial contracting phase and then at regular intervals according to the sensitivity of the information being processed.

Security Awareness

All employees are informed of their security responsibilities as part of the standard onboarding process. Any further security training is provided based on the relevance to the employee’s specific role.

Gandi also actively promotes security awareness on an ongoing basis through activities such as company-wide security notices for identified vulnerabilities and imminent threats as well as topical security newsletters and presentations.

Additionally, a mandatory security awareness survey is deployed annually to enable assessment of employee awareness of security topics and procedures and to enable targeted interventions and communications.

Incident Management

Incidents affecting Gandi's production environment are handled by our internal operations team.

A 24/7 "on-call" schedule is in place with clearly defined escalation routes and automated alerting to ensure rapid response times to significant incidents. Once identified, updates about incident response progress are posted to https://status.gandi.net/

All incidents are managed by a standard internal process that includes timeline and evidence logging to enable detailed postmortems.

Vulnerability Management

Automated feeds of vulnerability disclosures are actively monitored by members of the security team as part of a daily routine.

Disclosure notices are triaged for their relevance to Gandi's infrastructure and, for applicable vulnerabilities, mitigation activities are planned and prioritized according to a risk assessment.

Additionally, Gandi schedules annual penetration tests carried out by independent service providers to identify exploitable vulnerabilities in the defences of Gandi's network perimeter.
