How we protect your data

In light of recent events, many of you have asked us about the practices and methods we use to protect our data centers. We thank you for all your questions, and we will respond, as always, with maximum transparency.

Data centers: at the heart of data resilience strategies

We have always considered our data centers to be a selling point and a tangible reflection of the quality of our products. They are also an invaluable production tool, and a source of pride for us.

For almost 15 years, our data centers have been part of an uncompromising investment strategy, which allows us to take full responsibility on our clients’ behalf. We have chosen to specialize in all aspects of this profession: from design to construction and implementation, basing our engineering on feedback. We have used our teams’ valuable knowledge to set up data centers which are more and more resilient and innovative.

We are one of the few companies with a fully integrated approach, from data center to software (as well as networks and hardware), all in full transparency. We are one of the last remaining cloud companies to master the highly specific area of data centers – almost all other companies in the market use large real estate actors’ sites for their international expansions.

We are the only triple play-type cloud supplier to provide all three services: data center and private infrastructure colocation, dedicated high-end servers for maximum control and impact and a modern and flexible public cloud ecosystem.

Our command of the whole value chain allows us to offer competitive pricing and innovative services, while never compromising due to economic considerations.

With regard to data center colocation, we are one of the biggest French players and an important European player. For many years we have been hosting Gartner Magic Quadrant companies on our infrastructure, as well as many other companies which are well-known in Europe, thus demonstrating our stringency with regard to colocation.

The regulatory context: Regulation ensures that people and the environment are protected. The operator, along with the insurer, handles asset protection.

Data centers in France are governed by labor law, and above a certain power, by ICPE-type decrees (establishments classified for environmental protection).

Regulation on this is light-handed and mainly concerns safe evacuation of staff (emergency exits, smoke extraction, etc.) in case of incidents, and environmental protection. For example, it does not require the installation of fire detectors or fire suppression systems, nor any asset-protection measures.

It is important to understand that the technical design and inclusion of asset protection measures in a data center is therefore entirely dependent on the project owner and the operator, but also on the insurer’s conditions on the level of coverage and deductibles. To summarize: these regulations ensure the protection of people and the environment, the operator and the insurer ensure the protection of physical assets.

There has long been confusion between design resilience and certification such as ISO standards. The aim of certification is to standardize governmental practices and business processes, but this provides no guarantee to the client of proper design, rules, or implementation with regard to asset protection in a data center. The recent unfortunate incident, which affected infrastructure with SECNUMCloud (an initiative by the French National Cybersecurity Agency), ISO-27001 and even HDS certification, demonstrates this. Certification of compliance with an ISO, HDS or SECNUMCloud standard is by no means a guarantee of the physical security of a data center.

Regarding asset protection, in France, APSAD certification delivered by insurance companies and the CNPP (National Center for Prevention and Protection) provides a guarantee of reliability and effectiveness for asset security. This certification is based on reference standards and requirements, stemming from experience of incidents, which apply to the design of the facility, desired results, training of staff, and maintenance. This voluntary certification is extremely strict, costly, and demanding. For us, it represents the minimum requirement for a data center, bearing in mind the sensitivity of the assets hosted. This APSAD certification is a guarantee of security.

Risks in data centers: we reveal all

The risk is very low if it is correctly addressed by measures built into the data center.

In our experience, inverters and batteries represent the highest risk.

Over the past ten years, across its data centers in France using around 40MW, Scaleway has experienced one battery fire, on September 16, 2019.

and four inverter explosions

On June 27, 2013, the neighbor of our DC2 data center, specialized in recycling paper, burned down:

More recently, on June 2, 2019, the neighbor of our DC5 data center, specialized in chemical processing, also burned down just a few meters away from our premises:

To be very clear, running a data center means anticipating and managing risk. This risk may be internal or external, and it is real.

Our job is to plan for every eventuality, no matter how unlikely. Each time, the design of our data center and our automatic mechanisms worked perfectly and prevented your assets from being affected by a major incident, with no outages.

Scaleway’s approach

Scaleway’s approach is based around three objectives:

1. Isolate any incidents to stop them becoming bigger, using compartmentation methods.
2. Control the incident, without interrupting production, using automatic mechanisms.
3. Facilitate intervention by the emergency services and our staff.

This approach is applied by all data centers around the world. In this sector, not only asset protection but also business continuity is paramount, even in the unlikely event of a fire.

Passive protection (built-in)

We divide each data center into compartments, all of which are fire-resistant. The walls, flooring, ceilings, doors, and windows are designed to resist fire and prevent it spreading to the rest of the building. The surface area and duration of this resistance depends on the risk involved.

In other words, if there is an incident within one compartment, it will not spread to the rest of the building for at least one or two hours.

For example:

• We consider the places where inverters and transformers are located to be particularly at risk of fire (pursuant to the decree of June 25, 1980), due to high electrical power and/or presence of batteries. They have two-hour fire protection.
• Redundant systems are isolated in separate fire-proof compartments with two-hour fire protection.
• Computer rooms are split into 150 – 1700m2 compartments (depending on the data center). They have one-hour fire protection.

Ventilation ducts are shut off by valves which close automatically in case of fire to stop it spreading. Cable passages are caulked and treated with mastic and intumescent paint.

Our level of fireproofing is ensured by mineral wool sandwich panels with fire properties corresponding to APSAD standard D14-A, or concrete with a certain thickness, and specially designed doors.

Smoke is just as dangerous as fire itself. Each compartment has a smoke extraction system which is able to work in 400ºC heat for two hours.

With regard to the neighbors of our data centers (which have caused problems on two occasions throughout our history), where we are not able to implement a 10-meter distance, we protect our centers with fire protection walls, heavy-duty roads and fire hydrants which allow the emergency services to safely intervene.

Finally, since DC3, we install all high-risk equipment such as power generators and high-voltage transformers outside the building.

Active protection

Our data centers are all standard equipped with fire detection systems corresponding to APSAD DC7 or N7.

• DC2 uses the DFHS multipoint system from DEF
• DC3 and DC4 use the VESDA multipoint system
• DC5 uses both the VESDA system and OSID system from Xtralis due to the specific nature of the site.

These are highly advanced systems. They work by taking air samples and are unaffected by the significant air currents present in data centers. These are reliable early detection systems, which can detect a fire in under 40 seconds. The manufacturer carries out maintenance twice per year, which also has specific certification (APSAD D7).

The first intervention or check in the event of a potential detection is carried out by a fire safety agent specially trained in firefighting (SSIAP2), present 24/7 at all data centers, and our technicians. They use installed fire extinguishers which are certified APSAD N4 or fire hose cabinets installed in the storage spaces of DC2, DC3 and DC5.

N.B.: Our APSAD DC7, N7 and N4 certification and periodic maintenance certification (APSAD Q7 and Q4) are available by request from technical support.

Fire suppression

Our sector requires service and operating continuity even in the event of a fire. There are two main types of automatic fire suppression systems on the market which can put out a fire without interrupting services:

• Gas systems (FM200, Novec, Inergen, Nitrogen, etc.)
• Water mist systems (HiFog, Fogtec, Semco, etc.)

As for sprinkler systems, which are a specific requirement in the USA, these do not allow operating continuity.

We use both of the above systems:

• DC2 uses the Semco water mist FM, VdS/OH1 and DIFT certified system
• DC4 uses the 3M NOVEC 1230 gas fire suppression APSAD R13 certified system
• DC3 and DC5 use the Marioff HiFog water mist FM and VdS/OH1 certified system (N.B.: currently being installed in DC5 as part of the site extension which is underway).

We avoid using gas systems due to a number of hard drive incidents which have occurred over the past few years, caused by the noise made by these systems(1)

In light of the unjustified disinclination of the market toward water mist systems, we tested them in real conditions in June 2012, in conjunction with the CNRS (French National Center for Scientific Research) and in the presence of our clients, to measure their effectiveness in extinguishing a fire without damaging IT equipment:

We also tested this approach on live transformers in September 2012:

This system was installed at Scaleway, with an autonomous water supply and electric power from a generator in case the electricity is deliberately switched off by firefighters.

Since then, this automatic water mist fire suppression system has become widely used in almost all data centers around the world, and is recognized as the most effective system.

N.B.: Our FM, VdS/OH1, DIFT and APSAD R13 certification and periodic maintenance (APSAD Q13) certification is available by request from technical support.

Facilitating emergency services intervention

Our buildings and rooms are built with fire-resistance in mind, to allow safe intervention by the emergency services if an incident occurs. They are made of concrete or fire-resistant mineral wool sandwich panels.

To raise the alarm, DC3 is equipped with a specific priority telephone (TASAL – Automatically Monitored Line Telephone) installed by the fire department.

All our data centers have a limited height (maximum 11 meters), are equipped with fire hydrants, heavy-duty roads and a fire water run-off collection system in line with regulations.

Audit

We are proud of our data centers and their security. We consider that we have implemented the best solutions to protect your most valuable asset: your data. We are well aware of the huge responsibility this represents. There can be no compromises when it comes to your data.

For this reason, and because of the high level of protection implemented in our data centers, we are covered by the best insurance on the market.

Our four data centers are audited by our insurer at least once per year. They can also be audited by you, our client, accompanied by experts chosen by you.

Our certification, risk analyses, and safety information can be consulted and audited upon request. We only charge for the time our teams spend assisting you and putting together the required technical files.

We regularly organize visits to our data centers, particularly on heritage days, and we would be delighted to welcome you into the heart of our infrastructure as soon as the health situation allows.

Scaleway’s approach in other data centers

All our data centers in France belong to Scaleway, and we also have colocation data centers in the Netherlands and Poland.

These data centers have not been designed by, and are not run by Scaleway, rather we work with Iron Mountain and Equinix.

We have a long-term contract with these partners, and we regularly audit their sites to ensure they apply similar criteria as for our own sites in terms of infrastructure availability and asset security.

The APSAD certification and reference standard does not exist outside of France, but each country has similar technical reference standards that many data centers follow and adhere to, such as VdS.

N.B.: The certification for our colocation partners is available by request from technical support.

(1)(https://www.silicon.fr/test-anti-incendie-sourd-datacenter-ing-157345.html & http://www.availabilitydigest.com/public%5Farticles/0602/inergen%5Fnoise.pdf)