System Architecture

The Backup & Archive application frontend and backend are segmented on different subnet zones for security isolation. Our web servers are placed in a DMZ network, and database servers reside on a separate internal network. Firewalls, IPS, and strict access controls limit traffic between application tiers. Flosum has configured Security Groups that allow making requests only on port 443. Backup & Archive also provides a configuration file for self-hosted environments that can be used to reconfigure ports as needed.

The latest stable versions of frameworks and languages are used to avoid known vulnerabilities. The operating systems and software libraries are frequently patched and hardened. Load Balancing and failover systems maintain uptime during traffic spikes. Infrastructure redundancy removes single points of failure. Logical segregation of database data from other customers is applied. Customer-Hosted is a dedicated-tenant architecture. Flosum-Hosted is multi-tenant segmented by Salesforce Org ID. Flosum Backup & Archive does not have a data sharing mechanism. Communications take place only in the UI, or with the Salesforce orgs being backed up. Stringent access controls are in place to ensure the isolation of every Backup & Archive account within a dedicated virtual machine, in accordance with Backup & Archive SOC2 Type II policies. S3 buckets are never exposed to the public internet. They are set to Private as default and it is never changed. Flosum also uses a reverse proxy server to provide private links to customers.