1. Information Security Governance
Gandi implements an Information Security Management System that is certified by BSI against the ISO27001:2022 standard.
The latest copy of our certificate can be downloaded here.
The latest copy of the associated Statement of Applicability can be downloaded here.
The ISMS is directly overseen by Gandi's Top Management who conduct monthly reviews of performance and suitability of the ISMS to Gandi's organisation.
The ISMS is designed to systematically respond to the expectations of identified internal and external stakeholders whilst minimizing and reacting to risks, nonconformities and incidents.
The ISMS is documented and communicated internally through the publication of Policies and Procedures and these documents are reviewed on at least an annual basis.
Gandi strives to be as transparent as possible with our stakeholders so long as transparency does not undermine our ability to effectively maintain information security.
Internal and external certification audits of the ISMS are carried out each year to ensure proper functioning of all aspects of Information Security procedures and adherence to Gandi’s own security policies.
Risks & Nonconformities
Gandi's top management monitors and directs the performance of the ISMS through regular reporting sessions which include the review of risks and nonconformities to Information Security Policies.
Gandi undertakes assessments of risks to the information system and prioritizes treatments based on the potential impact of an identified risk in the following domains:
- Confidentiality
- Integrity
- Availability
Treatment tasks are prioritized according to risk severity, and progress against risk treatment plans is reported regularly to Top Management.
Where nonconformities are identified, they are analyzed to understand the impact, the root cause and the possibility of similar unidentified occurrences. This information is used to plan corrective actions to address the root cause of the nonconformities.
Information Security Classification
An inventory is maintained for all information assets processed by Gandi and each asset is assigned to an "owner". The owner is then responsible for identifying the criticality of the information according to a standardized scale:
- Normal - Information can be shared externally
- Private - Information can only be shared with Gandi employees
- Restricted - Information can only be shared with those who need to know
Each classification has corresponding security measures that must be followed for all information with that classification. An annual review cycle ensures that these details are kept up-to-date.
Legal Compliance
A dedicated internal legal team is responsible for the regulatory compliance of all Gandi's activities including:
- GDPR
- Applicable territorial legal frameworks
- Registry requirements for various TLDs
Processing activities involving information assets are catalogued and systematically reviewed on a regular basis.
All relevant information on privacy topics is published via Gandi's Privacy Policy:
2. Infrastructure
Data Centers
Gandi does not make use of colocated hosting or cloud services for the infrastructure of our public products; instead, we rent space in dedicated rooms inside data centers. These rooms are accessible only to Gandi employees or, in exceptional circumstances, data center staff under instruction from Gandi employees.
The data centers we rent space in have stringent physical security controls:
France: Saint-Denis Equinix PA3
- Certified SSAE16/ISAE3402 SOC-1 Type II, ISO 27001, PCI-DSS, FACT, ISO 9001-2008 and ISO 50001.
- Equinix PA3 security measures are detailed here: https://www.equinix.co.uk/data-centers/europe-colocation/france-colocation/paris-data-centers/pa3
Luxembourg: Bissen LuxConnect DC2
- Tier IV certified.
- LuxConnect security measures are detailed here: https://www.luxconnect.lu/data-center-2/
3. Security Measures
Network Security
Gandi employs a dedicated Security Operations team to work on continual improvement of technical security measures as well as daily active surveillance with a suite of security monitoring, logging and alerting tools.
The Security Operations team provides reactive support in investigating, isolating and remediating security incidents as well as detailed forensic analysis where required.
Monitoring & Logging
Detailed monitoring plans are a base requirement for all of Gandi's production systems and must include metrics such as:
- CPU utilization
- Memory utilization
- Storage capacity
- Network connection status
- Message queue backlogs
- Component health-checks
Automated alerts are configured according to expected usage patterns and traffic fluctuations, but dashboards are also actively monitored as part of a daily operational management routine.
Mandatory centralization of logs on dedicated infrastructure ensures the ability to investigate functional issues affecting production systems as well as deliberate or accidental abuse.
Malware Protection
Gandi has implemented an Endpoint Detection and Response solution on critical user devices and administrative servers as part of an ongoing roll-out of capabilities to identify and isolate malware as well as monitoring for updates and distributing security patches.
Due to high performance requirements, malware detection is not run on production servers; instead, these systems are protected by defense-in-depth strategies such as firewalling, network segregation, and automated monitoring and alerting.
Physical Security
Physical security measures at data centers are implemented by our data center providers (see above). However, Gandi rents private rooms within these data centers where only approved members of the technical operations team are permitted to enter.
Tiered physical security perimeters are also maintained for all of Gandi's offices and access to these premises is controlled through the use of electronic badges assigned to employees and visitors.
Access Control
Gandi adheres to the principle of least privilege with regards to access control.
Access profiles are determined according to an employee's business function and associated risk assessments. All additional access requests must follow a standardized procedure which includes assessment and approval from the relevant asset owner.
Encryption
Gandi enforces SSL encryption as standard on all web portals and APIs. The same standards are applied to all internal connections to staging or production environments.
Encryption at rest is applied as a function of data criticality so that sensitive information such as passwords is always securely encrypted.
Note: Encryption of customer information such as emails or data stored on our hosting services remains the responsibility of the customer. Full terms and conditions can be found here:
https://www.gandi.net/contracts
Availability & Continuity
All planned maintenance activities that risk disruption to our services are communicated on https://status.gandi.net/ at least 48 hours in advance (but generally much earlier).
These activities must be fully risk-assessed and step-by-step procedures including options for roll-back must be documented and approved by the operations manager.
Where possible, maintenance activities are planned outside of peak hours to minimize the risk of significant disruptions to clients.
Gandi maintains a Disaster Recovery Plan that makes use of a recovery site that is both geographically separated from production systems and supported by a separate organization. This redundancy guards against large scale incidents that could affect multiple data centers.
Business Continuity procedures are also in place for critical systems to ensure a minimum level of service availability until disruptions can be mitigated.
Automated backups are carried out on a daily basis and copies are stored in three locations:
- Locally within the same data center
- Remotely in the disaster recovery site
- Offline in a safe room
Backups are subject to daily automated integrity checks, as well as ad-hoc manual validation.
Note: Backups and disaster recovery measures are in place only for DNS services and Gandi’s own infrastructure. Clients are therefore responsible for the backup and recovery of their own data for services such as email or hosting. Full terms and conditions can be found here:
https://www.gandi.net/contracts
Third Parties
Gandi actively limits all instances of customer data sharing with third parties. All processing of customer information by third parties is listed below:
Communication:
- Brevo: Email addresses for customer communications
- Vadesecure: Emails for anti-spam filtering
- Zendesk: Account details for customer support request handling
Supply Chain:
- Registries (corresponding to the purchased TLD): Domain registration info for domain name management
- Equinix: Data center provider (see above)
- LuxConnect: Data center provider (see above)
Reviews of security measures in place with Gandi's third parties are conducted as part of the initial contracting phase and then at regular intervals according to the sensitivity of the information being processed.
Security Awareness
All employees are informed of their security responsibilities as part of the standard onboarding process. Any further security training is provided based on the relevance to the employee’s specific role.
Gandi also actively promotes security awareness on an ongoing basis through activities such as company-wide security notices for identified vulnerabilities and imminent threats as well as topical security newsletters and presentations.
Additionally, a mandatory security awareness survey is deployed annually to enable assessment of employee awareness of security topics and procedures and to enable targeted interventions and communications.
Incident Management
Incidents affecting Gandi's production environment are handled by our internal operations team.
A 24/7 "on-call" schedule is in place with clearly defined escalation routes and automated alerting to ensure rapid response times to significant incidents. Once identified, updates about incident response progress are posted to https://status.gandi.net/
All incidents are managed by a standard internal process that includes timeline and evidence logging to enable detailed postmortems.
Vulnerability Management
Automated feeds of vulnerability disclosures are actively monitored by members of the security team as part of a daily routine.
Disclosure notices are triaged for their relevance to Gandi's infrastructure; for applicable vulnerabilities, mitigation activities are planned and prioritized according to a risk assessment.
Additionally, Gandi schedules annual penetration tests carried out by independent service providers to identify exploitable vulnerabilities in the defences of Gandi's network perimeter.