Doppler keeps your data secure by using end-to-end encrypted communication channels, encrypting data at rest, and by ensuring our infrastructure never has direct access to your secrets. This fact sheet explains how data flows through our systems, where and how it is encrypted, and how your data is secured at rest with our security partner.
Data flows between the outside world and Doppler (and vice versa) along 3 distinct paths (illustrated below). All of these paths, as well as all communication channels within our infrastructure, strictly enforce SSL/TLS (henceforth referred to as TLS) and require a valid certificate chain.
All traffic to doppler.com and related subdomains is routed through Cloudflare's DNS name servers. Cloudflare enforces TLS with HSTS and requires a minimum of TLS 1.1.
All traffic leaving Cloudflare is proxied over TLS to Google Cloud Platform (GCP). All of Doppler’s servers run in private VPCs on GCP. The primary servers run in the Iowa, USA region with failover servers and databases located in Virginia, USA. In the event of an outage on the primary cluster, Cloudflare will automatically direct traffic to the failover servers. You can learn more about failover in section III: “Failover and Fallback”.
When sensitive data enters GCP, it is immediately sent to our security provider and tokenized with a secure cryptographic function. This tokenization process is identical to how Stripe handles sensitive card data. Once the data is tokenized, all of Doppler’s servers (including workers and databases) will only use this tokenized data. This helps to ensure that your sensitive data is never stored on Doppler's infrastructure. Additionally, it also ensures that if Doppler's infrastructure were breached, an attacker would only have access to these tokens. Due to the nature of the cryptographic function used to tokenize the data, it would be computationally infeasible to reverse the token back to its original value.
All traffic is encrypted with a minimum supported TLS protocol of 1.1. Traffic on the TLS 1.3 protocol supports 0-RTT. 0-RTT is a feature that improves performance for clients who have previously connected to Doppler. It allows the client’s first request to be sent before the TLS connection is fully established, resulting in faster connection times.
Doppler has 2 layers of fault tolerance built-in: failover and fallback.
Failover is built directly into Doppler’s DNS through Cloudflare Workers. In the event of an API server outage, Cloudflare will immediately direct traffic to the failover servers. The failover servers read from their own replica database. The failover servers are pinned to a predefined commit in the codebase, isolating them from an outage that may be due to a bug introduced in a recent code change. All API endpoints that produce write events to the database are suspended during a failover.
Fallback is a feature built into Doppler’s client-side SDKs. In the event your machine cannot reach Doppler’s APIs, such as when your computer loses its internet connection, the client can fall back to a file. This file is updated by the client on each new deploy. This feature is primarily used for local development.
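As an added illustration of the fallback behaviour described above (this is example code, not Doppler's SDK; the `fetch` callable, the JSON file format and the file path are assumptions), a client that prefers the API, refreshes a user-only fallback file on every successful fetch, and reads that file only when the API is unreachable:

```python
import json
import os
import tempfile
from typing import Callable, Dict, Tuple

Secrets = Dict[str, str]


def _write_fallback(path: str, secrets: Secrets) -> None:
    """Atomically write the fallback file, readable only by the current user."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".fallback-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(secrets, f)
        os.chmod(tmp, 0o600)   # the file holds plaintext secrets: owner-only access
        os.replace(tmp, path)  # atomic rename, so a crash never leaves a partial file
    except BaseException:
        os.unlink(tmp)
        raise


def load_secrets(fetch: Callable[[], Secrets], fallback_path: str) -> Tuple[Secrets, str]:
    """Try the API first; on success refresh the fallback file, on failure read it.

    `fetch` is a hypothetical callable standing in for the SDK's API request.
    Returns (secrets, source) where source is "api" or "fallback".
    """
    try:
        secrets = fetch()
    except OSError:  # ConnectionError, TimeoutError, DNS failure, etc.
        with open(fallback_path) as f:
            return json.load(f), "fallback"
    _write_fallback(fallback_path, secrets)
    return secrets, "api"


if __name__ == "__main__":
    # Constructed demo: one successful fetch, then a simulated loss of connectivity.
    path = os.path.join(tempfile.mkdtemp(), "doppler-fallback.json")
    print(load_secrets(lambda: {"DB_URL": "postgres://example.invalid/app"}, path))

    def offline() -> Secrets:
        raise ConnectionError("simulated: API unreachable")

    print(load_secrets(offline, path))
```

Because the fallback file contains plaintext secrets, the owner-only permission and the atomic replace are the parts worth keeping when adapting this.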
Doppler has 3 layers of database durability: high availability, replicas and snapshots.
All Doppler databases are hosted on GCP's Cloud SQL, which is a database cluster and management system designed to maintain database availability in the face of hardware, software, and even data center failure. When a primary database fails, it is automatically replaced with another replica database called a standby.
Doppler backs up its databases in real-time with multiple replica databases. These duplicate databases are located in Iowa, USA and are managed by GCP. Doppler will automatically switch over to a replica in real-time in the event of a database outage.
Doppler regularly and automatically creates snapshots of its databases through GCP's Automated Backups feature.
Doppler prohibits its employees from accessing any sensitive customer data without explicit customer permission. This data includes, but is not limited to, environment variables, Doppler issued API keys, and user passwords.
In the rare case a Doppler support agent needs to access your workplace, you will need to manually grant them access by inviting their email in the team page. It is recommended to restrict their access to only the pipelines and environments that need assistance. You should always revoke their access after the support ticket has been closed.