Documentation Index
Fetch the complete documentation index at: https://docs.suji.fr/llms.txt
Use this file to discover all available pages before exploring further.
Infrastructure
VM isolation
Each customer’s apps run on their own dedicated VM. There is no shared runtime, no shared kernel, no shared filesystem between tenants. CPU, memory, storage, and the local network namespace are exclusive to your VM.- Hardware-backed virtualization — every VM is a separate guest.
- No co-tenancy at the app layer — your containers never share a host with another customer’s containers.
- Network isolation — your VM has its own public IP and its own internal Docker network; other tenants’ VMs aren’t reachable.
Network
- TLS everywhere — public ingress is HTTPS-terminated by the Cloudflare Tunnel, with certificates auto-issued and auto-renewed.
- Control-plane channel is pinned — Suji’s dashboard reaches your VM only via a mutually-authenticated channel with a per-VM TLS certificate. Even Suji’s internal services can’t connect “in general”; they need the right cert.
- Default-deny inbound — only SSH and the control-plane port are open by default. You opt traffic in via the Firewall tab.
- Outbound restrictions — TCP 25 / 465 are blocked at the network layer to prevent abuse; everything else is open.
Data
Encryption
- In transit — TLS for every connection (public-facing HTTPS via the tunnel, control-plane TLS-pinned, SSH for shell access).
- At rest — VM disks are stored on encrypted volumes at the cloud-infrastructure layer.
- Sensitive fields — secrets in app install configs are encrypted with a service-managed key before persistence, separately from the database row.
Credentials
- API keys, channel tokens, and any field marked
secret: truein an app’s manifest are encrypted before save. - The dashboard shows secret existence + last-4 characters only — never the full value after save.
- Credentials are injected into the running container via env vars; they never appear in logs or audit metadata.
- When you rotate a secret, the old value is overwritten and the container is redeployed with the new env.
Backups & snapshots
- VM snapshots live in encrypted EU-region object storage.
- Each snapshot is keyed per-instance — Suji’s internal services can’t decrypt cross-tenant.
- Snapshot retention: see Snapshots — manual snapshots persist until you delete them; auto-snapshots persist 30 days.
Account & access
Authentication
- Lucia-based session cookies, HTTP-only and signed.
- argon2id password hashing with per-user salt.
- Optional TOTP 2FA — enable in account settings; supports any standard authenticator app.
- Password resets are time-limited (1 hour) and single-use.
- Session invalidation on password change — all devices forced to re-auth.
Rate limits & abuse protection
- Per-email and per-IP rate limits on login, password reset, signup, and other sensitive endpoints.
- API endpoints have per-token rate limits.
- Failed login attempts are tracked and trigger temporary blocks.
Audit log
Every meaningful action is recorded with the actor (user or token), the IP, the user-agent, and the affected resource. Visible in Settings → Audit log at the org level. Members see only their project’s actions; org owners see everything.Dashboard access
- The web terminal and the file editor require a re-auth (the existing session is enough; no extra password prompt) and run over the same TLS-pinned channel as the rest of the control plane.
- Per-VM session limit: max 3 concurrent terminal sessions.
- Inactive timeout: terminal sessions are reaped after 30 minutes of inactivity.
What you control vs what we control
You
- The OS-level state of your VM (packages, system config, cron jobs, custom apps not in the marketplace).
- The data inside your apps (app DBs, files, secrets).
- Your firewall rules (within platform-blocked port restrictions).
- Snapshot frequency and retention beyond the platform defaults.
- Whether to enable 2FA, who you invite to the org, who has access to which project.
We
- The underlying physical infrastructure (datacenter, hypervisor, kernel patches at the host layer).
- The guest-agent that powers the dashboard’s terminal/files/logs/metrics tabs (runs as a system service inside your VM).
- The cloudflared system container that fronts the public ingress.
- The Suji control plane itself (API, dashboard, billing, audit log).
Data location & compliance
- EU-only hosting — VMs run in Falkenstein, Nuremberg, or Helsinki, depending on the region you pick.
- EU storage — disks, snapshots, and database backups all stay in the EU.
- GDPR-aligned — see our privacy policy for the full data-processing picture.
- Billing records — kept for 10 years as required by French accounting law.
Retention after account closure
| Event | What happens | When |
|---|---|---|
| Balance hits €0 | VMs stopped; data preserved | Day 0 |
| Grace period ends | VM disks destroyed; snapshots retained | Day 7 |
| Snapshot retention ends | Snapshots deleted | Day 37 |
| Account closed (explicit) | Personal data anonymized; billing records retained per law | On request |
Reporting a security issue
If you find a vulnerability:- Don’t disclose it publicly — it puts other users at risk.
- Email
[email protected]with the details and reproduction steps. - Expect a response within 48 hours acknowledging your report.
Security best practices
- Enable 2FA on your Suji account.
- Use a unique, strong password.
- Keep AI provider keys and channel tokens out of public logs / repos.
- Take snapshots before risky changes (schema migrations, major app upgrades).
- Restrict SSH to your office/VPN IP rather than
0.0.0.0/0. - Review the audit log periodically for unexpected actions.
- Export critical data before destroying VMs you don’t intend to keep.