Resilience and Security
We designed SearchPilot with security and resilience as a top priority from the outset. The system is engineered to be fast, robust, resilient and secure.
Technical documentation, designed to be shared with engineering and operations teams, is available upon request.
SearchPilot operates in 7 AWS regions: three in the US, two in the EU, and one each in Tokyo and Singapore.
SearchPilot is designed with multiple levels of resilience and failover in place. In each AWS region, traffic is load balanced across an auto-scaling group of servers. At times of high load, new servers are automatically provisioned to maintain a certain level of redundancy in platform capacity. Each server can fall back to being a transparent proxy in the event of an application error.
By default, we configure the system to route around SearchPilot entirely in the unlikely case of catastrophic failure or complete outage of AWS across multiple availability zones and regions. This can happen almost instantly via Amazon’s Route 53 service, as well as at the CDN level for sustained outages. Under any of these circumstances, your site stays up and available, but without the SearchPilot enhancements and tests.
Each of our 7 AWS regions has redundancy and can handle millions of requests per minute. Currently, we handle billions of page views per month.
SearchPilot is a mission-critical platform, and demands a high level of security. We approach security both at a user level and at a systems level. In particular:
- All user accounts are protected with 2-factor authentication via Authy
- User permissions can grant different powers to different team members, such as restricting the ability to publish changes to the preview or live environments for certain users
- Our systems are hosted on AWS and employ strict security policies and best practices, taking advantage of AWS security features
- If your site’s connection to us is secure (HTTPS), then all connections between servers and to the origin will be secured end-to-end using TLS
- We do not store personally identifiable information (PII) of your website visitors; we simply pass information through to your servers
- We are fully PCI compliant and can provide our Attestation of Compliance (AoC) upon request
- We work with a third-party penetration testing company, and can provide the most recent report on request