At Continuent, we take security seriously.

All of the Tungsten Cluster components (Proxy/Connector, Manager and Replicator) can be configured with SSL for encrypted in-flight communication between components, and also for secure communication to the underlying database if supported by the database release/version in use within the customers environment.

For versions up to and including v6.1.24, SSL is disabled by default and can be enabled either before or after install.

From v7.0.0 onwards, SSL is enabled by default.

We have not formally certified/documented these under SOC2, ISO 27001 or any other certification program. Whilst we manage your database for continuous availability, we do not touch or manage the customer’s data inside those databases, thus these certifications would not apply Continuent solutions anyway.

For more details on enabling and configuring SSL please review our online documentation at https://www.continuent.com/resources/docs/latest/tc/deployment-security.html.

From time to time, customers conduct their own internal security reviews, either as part of an internal audit or in preparation for external security certification.

We are often asked a number of questions regarding Tungsten Cluster and/or Tungsten Replicator with regards to our security stance, and therefore we have compiled the following FAQ that will serve to answer these queries.

Should you have further questions not covered by the below FAQ’s please do not hesitate to contact us.

How long has Continuent been in business?

8+ years in our current corporate form, but really over 20 years since 2004.

Continuent was founded in April 2004, acquired by VMware in October 2014, and subsequently spun off back into an independent company in October 2016.

List the applications/services provided that are in scope?

  • Tungsten Cluster for MySQL and MariaDB HA, DR and Geo-scale
  • Tungsten Replicator for advanced MySQL replication
  • MySQL DBA Services for Tungsten customers

Has the company suffered a data loss or security breach within the last 3 years?

No. Never.

Do you provide a web-based application that employees will be using? Do you provide a web-based application customer and/or partners will be using?

No, Continuent provides data replication and database clustering solutions for business-critical MySQL and MariaDB applications.

Continuent’s software offerings are available for bare-metal, virtual machine, and cloud deployments, and are always deployed within a customer’s environments.

There is an optional browser-based database cluster management GUI (Tungsten Dashboard) for customer-internal use only. Continuent employees will never have, or ask for, access to this.

Will you be storing, processing, or transmitting confidential information (for example, PII or PHI)?

Tungsten Cluster and Tungsten Replicator provide high availability and read scaling around customer data, but it is not responsible for storing the data. Our software helps customers to manage their data.

What happens to our data at the end of any engagement?

As stated above, your data is in the customer’s own hands only — inside your MySQL databases — and as such, it will continue to be there with or without Tungsten software.

Do you have information security policies in place? Have the policies been reviewed in the past 12 months?

Yes, and yes, they are evaluated and updated continuously.

Does your organization have a vendor risk management program that includes guidelines for selecting and contracting with vendors, assessing the risks and exposures from using such vendors and reviewing these assessments? Please describe.

We do not use 3rd party vendors for our development or service offerings. All development is done in-house. In engaging our customers, we use common tools such as Zendesk for support tickets and Zoom for collaboration.

While we have no formal documented security policy to share, we take security very seriously in everything we do.

Do you have an anti-virus/malware policy or program (workstations, servers, mobile devices)? What do you use for anti-malware? Which systems do you use it on? Which do you not?

Our software development and testing servers are AWS Linux, and software development desktops are MacOS; no anti-virus in use nor needed. We are not hosting our software for our customers; our customers run Tungsten software in their own environments and are responsible for securing them.

How do you segment your network to restrict access between different network zones to ensure that only authorized systems can communicate with each other?

We use VPC’s and firewall rules.

Do you have a constituent termination or change of status process? How is system/application access management handled?

There is no customer access to Continuent systems or data, nor do we have access to our customer’s data. Removal of employee access to internal/support systems is handled when needed by the COO and it is documented.

Will Continuent employees or contractors be allowed access to our information via remote access? If so, please provide information on how such access would be available and what remote access controls are in place to ensure only approved individuals have access and that data in transit is protected (e.g. two-factor authentication, encryption).

We do not use contractors. Continuent employees do not require access to any customer systems or data, nor will they ask for such access. Any and all activities requiring remote access to Tungsten data services will be “view only” through the use of Zoom (or similar tools) and will be for technical support purposes only. The customer will be in complete control at all times.

Will external parties have access to our data? If so, what third parties will have access and what protections are in place to ensure the secure handling of that data?

We do not use 3rd parties. Continuent does not have external access to customer data; we do not handle customer data.

How does your patch management process work for applying the latest security patches within your production environment? Which types of systems, if any, are excluded from your patch management lifecycle, and how do you mitigate risks for them not regularly receiving security updates?

Patches are applied to our internal systems every 3 months or so. Patching of customer installations will be at the customer’s discretion. We will advise of any urgent patches required for any vulnerabilities in the Tungsten software that the patches address.

Do you have a secure software development lifecycle (SDLC) policy? What are the key components of your secure software development lifecycle, which proactively identify and prevent security vulnerabilities from being introduced into your software or services?

Our engineering team builds security into all layers of the software.

How do you ensure our data is separated from other customers’ data?

Continuent does not touch, store or have any other access to the customer data.

Do you have an MFA in your production environment? Is there anywhere that you don’t have an MFA?

There is no production environment in our premises. All deployments are local to the customers; we are NOT a Database-as-a-Service per se.

How do you control privileged access in your production environment?

AWS Access & Secret keys for programmatic access; MFA login and password for console access to AWS.

Is our data encrypted in transit and at rest? Are credentials encrypted at rest? What type of encryption is utilized to protect our data?

It is up to the customer to encrypt the database.

Enabling security before installation of Tungsten software will ensure data is transmitted securely during replication. The customer is responsible for encryption/security of their own MySQL databases and Operating System in line with their own security policies.

Some of our Valued Customers

Why Continuent?

Our customers are leading SaaS, e-commerce, financial services, gaming and telco companies who rely on MySQL and Continuent to cost-effectively safeguard billions of dollars annual revenue.

Learn more