At Continuent we take security seriously. All of the components of a Tungsten Cluster (Proxy/Connector, Manager and Replicator) can be configured with full SSL for all in-flight communication between components, and also for secure communication to the underlying database if supported by the database release/version in use within the customers environment.

For versions up to and including v6.1.13, SSL is disabled by default and can be enabled either before or post install.

From v7.0.0 onwards, SSL is enabled by default.

We have not formally certified/documented these under SOC2, ISO 27001 or any other certification programme. Whilst we manage your database for continuous availability, we do not touch or manage the customer’s data inside those databases, thus we do not believe these certifications would apply.

For more details on enabling and configuring SSL please review our online documentation at https://docs.continuent.com/tungsten-clustering-6.1/deployment-security.html.

From time to time, customers conduct their own internal security reviews, either as part of an internal audit or in preparation for external security certification.

We are often asked a number of questions regarding Tungsten Cluster and/or Tungsten Replicator with regards to our position, and therefore we have compiled the following FAQ that will serve to answer these queries.

Should you have further questions not covered by the below FAQ’s please do not hesitate to contact us.

How long has the company been in business?

5 years in the current form, but really since 2004. Continuent was founded in April 2004, we were then acquired by VMware in October 2014, and subsequently spun off back into an independent company in October 2016.

List the applications/services provided that are in scope?

  • Tungsten Clustering for MySQL HA, DR and Geo-scale
  • Tungsten Replicator for advanced MySQL replication
  • MySQL DBA Services for Tungsten customers

Has the company suffered a data loss or security breach within the last 3 years?

No. Never.

Do you provide a web-based application that employees will be using? Do you provide a web-based application customer and/or partners will be using?

There is an optional browser-based database cluster management GUI (Tungsten Dashboard) for customer-internal use only. Continuent employees will never have, or ask for, access to this.

Will you be storing, processing, or transmitting confidential information (for example, PII or PHI)?

Tungsten Clustering and Tungsten Replicator provide high availability and read scaling around your data, but it is not responsible for storing the data. We help you to manage your own data.

What happens to our data at the end of any engagement?

As stated above, your data is in your own hands only — inside your MySQL databases — as such it will continue to be there with or without Tungsten software.

Do you have information security policies in place? Have the policies been reviewed in the past 12 months?

Yes and Yes, they are reviewed on an ongoing basis.

Does your organization have a vendor risk management program that includes guidelines for selecting and contracting with vendors, assessing the risks and exposures from using such vendors and reviewing these assessments? Please describe.

We do not use 3rd party vendors for our development or service offerings. All development is done inhouse. In the course of engaging our customers we use common tools such as Zendesk for support tickets and Zoom/GoToMeeting for collaboration. While we have no documented security policy to share, we are very careful about security in everything we do.

Do you have an anti-virus/malware policy or program (workstations, servers, mobile devices)? What do you use for anti-malware? Which systems do you use it on? Which do you not?

Our servers are AWS Linux, desktops are MacOS; no anti-virus in use, nor needed.

How do you segment your network to restrict access between different network zones to ensure that only authorized systems can communicate with each other?

We use VPC’s and firewall rules.

Do you have a constituent termination or change of status process? How is system/application access management handled?

There is no customer access to Continuent systems or data, nor do we have access to our customer’s data. Removal of employee access to internal/support systems is handled when needed by the COO and it is documented.

Will Continuent employees or contractors be allowed access to our information via remote access? If so, please provide information on how such access would be available and what remote access controls are in place to ensure only approved individuals have access and that data in transit is protected (e.g. two-factor authentication, encryption).

We do not use contractors. Continuent employees do not require access to any customer systems or data, nor will they ask for such access. Any and all activities requiring remote access to Tungsten data services will be “view only” through the use of Zoom (or similar tools) and will be for technical support purposes only. The customer will be in complete control at all times.

Will external parties have access to our data? If so, what third parties will have access and what protections are in place to ensure the secure handling of that data?

We do not use 3rd parties. Continuent does not have external access to your data; we do not handle your data.

How does your patch management process work for applying the latest security patches within your production environment? Which types of systems, if any, are excluded from your patch management lifecycle, and how do you mitigate risks for them not regularly receiving security updates?

Patches are applied to our internal systems every 3 months or so. Patching of customer installations will be at the customer’s discretion. We will advise of any urgent patches required for any vulnerabilities in the Tungsten software that the patches address.

Do you have a secure software development lifecycle (SDLC) policy? What are the key components of your secure software development lifecycle, which proactively identify and prevent security vulnerabilities from being introduced into your software or services?

Our engineering team builds security into all layers of the software.

How do you ensure our data is separated from other customers’ data?

Continuent does not touch, store or have any other access to the customer data.

Do you have MFA in your production environment? Is there anywhere that you don’t have MFA?

There is no production environment in our premises. All deployments are local to the customers; we are NOT a Database-as-a-Service per se.

How do you control privileged access in your production environment?

AWS Access keys; login and password for console access to AWS.

Is our data encrypted in transit and at rest? Are credentials encrypted at rest? What type of encryption is utilized to protect our data?

It is up to the customer to encrypt the database. Enabling security before installation of Tungsten software will ensure data is transmitted securely during replication. The customer is responsible for encryption/security of their own MySQL databases and Operating System in line with their own security policies.

Some of our Valued Customers

Why Continuent?

Our customers are leading SaaS, e-commerce, financial services, gaming and telco companies who rely on MySQL and Continuent to cost-effectively safeguard billions of dollars annual revenue.

Learn more