Skip to main content

Infrastructure

VM isolation

Each customer runs on their own dedicated VM. There is no shared runtime, no shared kernel, no shared filesystem between tenants.
  • Hardware-backed virtualization — every VM is a separate guest with its own CPU, memory, and storage.
  • No co-tenancy at the app layer — your containers never share a host with another customer’s containers.
  • Network isolation — your VM has its own public IP; other tenants’ VMs aren’t reachable from yours.

Network

  • TLS everywhere — public app URLs are HTTPS with certificates issued and renewed automatically.
  • Authenticated management channel — the dashboard’s management features reach your VM only over an encrypted, mutually-authenticated connection unique to that VM.
  • Default-deny inbound — only SSH and Suji’s management access are open by default. You opt traffic in via the Firewall tab.
  • Outbound restrictions — TCP 25 / 465 are blocked at the network layer to prevent abuse; everything else is open.

Data

Encryption

  • In transit — every connection is encrypted: HTTPS for public app traffic and the dashboard, SSH for shell access, an authenticated encrypted channel for management.
  • At rest — VM disks and snapshots are stored on encrypted storage in the EU.
  • Secrets — API keys, tokens, and any install field marked secret are encrypted before they are stored.

Credentials

  • The dashboard shows that a secret exists and its last 4 characters only — never the full value after save.
  • Secrets never appear in logs or audit metadata.
  • Rotating a secret overwrites the old value and redeploys the app with the new one.

Backups & snapshots

  • Snapshots are stored in the EU, separate from the live VM.
  • Retention: see Snapshots — manual snapshots persist until you delete them while your account is funded; at €0 balance all snapshots and volumes enter a 7-day retention window (lifted if you top up in time).

Account & access

Authentication

  • Passwords are stored using modern, industry-standard password hashing — never in plaintext.
  • Optional 2FA (TOTP) — enable in account settings; works with any standard authenticator app.
  • Password resets are time-limited and single-use, and changing your password signs out all other sessions.
  • Sign-in and other sensitive endpoints are rate-limited and monitored for abuse.

Audit log

Every meaningful action is recorded with the actor, the IP, the user-agent, and the affected resource. Visible in Settings → Audit log at the org level. Members see only their project’s actions; org owners see everything.

Web terminal & file editor

  • Available only to authenticated members with access to the VM’s project.
  • Sessions are limited per VM and closed automatically after 30 minutes of inactivity.

What you control vs what we control

You

  • The OS-level state of your VM (packages, system config, scheduled jobs, anything you install yourself).
  • The data inside your apps (app databases, files, secrets).
  • Your firewall rules (within platform-blocked port restrictions).
  • Your snapshots, who you invite to the org, and who has access to which project.

We

  • The underlying physical infrastructure (datacenter, hypervisor, host-level patching).
  • The management service that powers the dashboard’s Terminal / Files / Logs / Metrics tabs.
  • The HTTPS ingress that serves your apps’ public URLs.
  • The Suji platform itself (dashboard, API, billing, audit log).

Data location & compliance

  • EU-only hosting — VMs run in Falkenstein, Nuremberg, or Helsinki, depending on the region you pick.
  • EU storage — disks, snapshots, and backups all stay in the EU.
  • GDPR-aligned — see our privacy policy for the full data-processing picture.
  • Billing records — kept for 10 years as required by French accounting law.

Retention after account closure

EventWhat happensWhen
Balance hits €0VM snapshotted, then cloud server deleted; data preserved in the termination snapshotDay 0
Snapshot retention endsTermination snapshot deletedDay 7
Account closed (explicit)30-day grace window (restorable), then the account and its personal data are permanently deleted; billing records retained per lawDay 30 after closure
See Grace period for the full timeline.

Reporting a security issue

If you find a vulnerability:
  1. Don’t disclose it publicly — it puts other users at risk.
  2. Email [email protected] with the details and reproduction steps.
  3. Expect an acknowledgment within 48 hours.
We investigate every report, keep you updated on remediation, and credit responsible disclosure if you’d like. For general support: [email protected].

Security best practices

  • Enable 2FA on your Suji account.
  • Use a unique, strong password.
  • Keep API keys and tokens out of public logs / repos.
  • Take snapshots before risky changes (schema migrations, major app upgrades).
  • Restrict SSH to your office/VPN IP rather than 0.0.0.0/0.
  • Review the audit log periodically for unexpected actions.
  • Export critical data before destroying VMs you don’t intend to keep.