#community-help

Discussing Typesense Cloud Security and SOC Certifications.

TLDR Pradyuman questioned the security practices of Typesense. Kishore Nallan explained their practices but noted the lack of external auditing. Pradyuman recommended auditing tools and Jason agreed to consider them and to discuss their system's security over a call.

24mo

Join the chat

Nov 27, 2021 (24 months ago)

Photo of md5-d7f4aa44e3d4866e8b7a38eceb9af762

Pradyuman

05:21 AM

How do you think about security for Typesense Cloud? Are you working towards SOC certifications and/or having better documentation about your internal infrastructure security and pentest cadence (e.g. https://www.algolia.com/distributed-secure/security-compliance/)?

We'd like to use a hosted version of Typesense if possible, but we'll be indexing PII and need to have confidence that there isn't significant risk of a data breach on your end.

Photo of md5-4e872368b2b2668460205b409e95c2ea

Kishore Nallan

05:28 AM

Is SOC-2 an end-user requirement or you are looking for SOC-2 like cadence in terms of practices we follow?

05:31

Kishore Nallan

05:31 AM

Here are some of the things we already follow in view of security but we need to document this:

a) Every Typesense cluster runs on isolated infrastructure so every customer's data is isolated
b) Data is encrypted at rest on disk
c) Machines have SSH disabled
d) SSO based login (Github auth)

05:33

Kishore Nallan

05:33 AM

We have been part of SOC-2 compliant teams and processes in our previous jobs (including experience handling PCI data) so we're already checking most of the boxes in terms of best practices, but it SOC-2 requires an external auditing process and we have not prioritised it at the moment.

Pradyuman

07:03 AM

It's not a requirement to be audited, although it would be great-- tools like Secureframe make it pretty easy to get audits nowadays (within 2-4 weeks if your internal processes are generally up to par).

For us, it's more just generally being comfortable with your security practices so we can feel confident there's not a risk of a data breach. So any documentation on that front would be super great (alongside any information regarding pen test cadence / bug bounty program). I'm happy to chat through this briefly on call too if you don't have official documentation yet. As long we're comfortable with the current state of the system and you have a path towards a more comprehensive and well documented program, that will probably be sufficient for us at the moment.

07:06

Pradyuman

07:06 AM

For reference, these are a couple of the tools startups today use for SOC / ISO compliance.

Secureframe: https://secureframe.com/
Vanta: https://www.vanta.com/

We've used both and have gotten completed audits within 4 weeks (happy to make referrals to auditors if this is something you're interested in).

Photo of md5-8813087cccc512313602b6d9f9ece19f

Jason

07:26 AM

Pradyuman SecureFrame and Vanta look interesting! Will look into it further.

For now, we don’t have this documented anywhere but happy to talk you through our practices over a quick call. Will email you with my availability.

Typesense

Lightning-fast, open source search engine for everyone | Knowledge Base powered by Struct.AI

Indexed 2779 threads (79% resolved)

Join Our Community Manage subscription

Similar Threads

Discussing Dataset Indexing and Instance Reboots

Thomas asked questions about dataset indexing and instance reboots. Kishore Nallan clarified that endpoints are synchronous for indexing, re-indexing happens on instance restarts, and upgrades shouldn't cause issues. CPU speed is identified as a bottleneck during this process. They suggested using CRIU for periodic RAM dumps to avoid re-indexing on reboot.

20mo

Inquiry and Troubleshooting of Typesense Cloud

Alex is addressing memory usage, import, and bandwidth issues with Typesense Cloud. Jason helped determine the issues and offered solutions, including in-place upgrades and potential use of Cloudflare for security.

24mo

Discussing Typesense Cloud's SSDs, NVMe, and Resources Needed

A asked about Typesense's storage type and configuration possibilities. Jason shared that they use SSDs and suggested NVMe SSDs for high-availability instances. They discussed server resources needed for specific user cases and briefly touched on DDoS protection via Cloudflare.

28mo