Galaxy

Systems Policy

Galaxy's security practices and systems policy for protecting your applications and data.

Galaxy's Security Practices

Galaxy is committed to ensuring that the application code and data stored in the Galaxy platform are accessible only by authorized individuals. Security best practices are employed consistently and evolve to meet the needs of our customers.

Service Level Agreement

When you sign up, you agree to our standard SLA. If you need a customized SLA for your account, reach out to Galaxy Support.


Platform Architecture

Galaxy's physical infrastructure is hosted and managed in secure data centers operated by leading cloud providers, including Amazon Web Services (AWS) and OVHCloud.

Galaxy is composed of platform services built and run on top of cloud infrastructure provided by our partners. Most container orchestration is managed by the Galaxy team using modern, secure, and widely adopted tools available on the market. In specific scenarios, managed orchestration services provided directly by the cloud provider are also used.

Galaxy employs container-level isolation mechanisms to ensure separation of resources, processes, and environments between applications. These mechanisms are combined with container orchestration technologies such as Docker and RKE2. Each customer application runs in its own isolated container on dedicated virtual servers within our cloud infrastructure.


Risk Assessment

Our cloud providers continually manage risk and undergo recurring assessments to ensure compliance with industry standards.

Our cloud providers' data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 340
  • PCI DSS
  • GDPR compliance

Galaxy itself has not pursued independent certifications.


Policy around Software Security Updates

System configuration and consistency are maintained through standard images, configuration management software, and the replacement of select systems with updated deployments.

Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced with up-to-date systems.


Customer Data Security

Customer application configuration secrets are stored in a Galaxy system database. This database is secured by standard system and authorization policies. Access to the database is restricted to authorized personnel only, for purposes of administration and support.

Customer application certificates and keys are stored in encrypted form in the Galaxy system database. These certificates are only decrypted on the Galaxy Proxy machines and are not exposed to application containers.

Access to private information is protected using Docker isolation in the application container.


Application Data

Galaxy provides SSL encryption to protect data in transit from external entities to the Galaxy Proxy layer. Within Galaxy, virtual machine and Docker container network isolation is used to protect data in transit.

Galaxy does not maintain databases that are utilized for production application use. These databases are provisioned, configured, and maintained by the customer.

Galaxy free MongoDB databases are only available for hobby projects and open-source demos.


Application Logs

Galaxy captures and stores Application Logs in an off-site database. This database is secured by standard system and authorization policies. Access to the database is restricted to authorized personnel for administration and support only.


Operational Policies

Galaxy employees do not access customer data or customer environments as part of day-to-day operations. When customers need support, authorized employees are able to view customer data when specifically requested.

All company employees are trained to understand that customer data privacy and confidentiality are paramount. Under no circumstances is customer data ever disclosed to a third party. Only a limited subset of employees have the ability to view customer environments and stored data.

Access is routinely evaluated to ensure those rights are retained only when necessary by job function. Galaxy maintains a policy and operational checklist for removing access for employees who are no longer associated with its operations.


Two-Factor Authentication

Meteor Developer Accounts support Two-Factor Authentication, so we recommend that all members of your organization have it enabled.

You can check if all members of your organization have this enabled in your Members tab on your account page on Galaxy. You will see a lock icon on each member with Two-Factor Authentication enabled.

Each member can enable Two-Factor Authentication under Settings > Security Information.

It's important to save the backup codes in a safe place as well.

Our two-factor authentication works via email or authenticator app: when you authenticate, you receive a confirmation code by email or from the app.

GitHub Authentication

If you authenticate with GitHub, no confirmation code is sent, because you should have two-factor authentication enabled on GitHub as well. Our two-factor authentication therefore has no effect when you sign in through GitHub.


DNSSEC

Since June 22, 2021, meteor.com has been a DNSSEC-enabled domain. Check what DNSSEC is, and why it's important here.

