Technical Questions

What is the solution's availability (SLA)?

The solution's availability is determined by the chosen cloud provider (AWS or GCP).

Do you provide a disaster recovery plan (DRP/BCP)?

Yes.

What are your recovery time objectives (RTO) and recovery point objectives (RPO)?

The automated part depends on the AWS solutions we use, while the human part is influenced by your subscription level.

Is your solution highly available (load-balanced servers, etc.)?

Yes.

Is it possible to retrieve our data at any time (data reversibility)?

Yes.

Is it possible to automatically provision users (creation, modification, etc.) and how (API, SCIM, etc.)?

Yes, it's possible using various means such as APIs, SQL, LDAP, etc. For user storage, we use Keycloak.

Can we manage user rights through groups and roles, and how does it work?

Yes, you have the option to configure permissions using roles. For more details, you can refer to the documentation available here.

Could you provide a list of your interfaces: type of exchange (API, files, etc.) and description?

Primarily API, and you can also connect to the database using SQL.

Could you provide an interface diagram?

We do not use this type of diagram.

Do you provide reports and dashboards for users and administrators? Is it possible to customize them?

Yes, through the Directus dashboard or the Metabase dashboard.

Can we automatically extract DATA from the solution?

Direct access or API access to the database is included in the Webcapsule offering. Any intervention required by the Webcapsule team that was not initially planned in the roadmap will generate additional costs.

What skills are required and available during the integration project and for future internal support and maintenance?####

Depending on the tools deployed by Webcapsule, the IT and operational team will have a training plan.

Do you provide a development and test environment?

Yes.

In which languages is your application available? Are there possibilities to add other languages?

French and English

In which countries can the solution be deployed?

(France, Spain, Italy, Czech Republic, Slovakia, Hungary, Poland, Romania, Ukraine, Russia, China, Brazil, India, Vietnam, Switzerland, Belgium, Germany, Singapore, Balkans, Bulgaria, Slovenia, and Portugal) Any country with an AWS data center.

Are integrators (including you) available or mandatory in these countries for project management, training, support, etc.?

No.

What are the different offerings, and who provides support, also locally in the countries?

Depending on the subscription level, Webcapsule can respond within 24 hours.

What are the hotline opening hours? Is there an on-call service?

Office hours (9 am - 5 pm); on weekdays. Weekend availability depends on the subscription plan.

Which languages are supported?

French, English, Spanish (written only: Italian).

Could you provide the solution's roadmap? How can we contribute to the roadmap (partnership, cooperative R&D, etc.)?

You can find Webcapsule's roadmap here. You can contribute as a design partner. Your roadmap is accessible in a Notion document, which we can send via email.

What is the frequency of new versions (major version, minor version)?

Approximately 1 to 2 versions per week

How long is a major version supported?####

We have a release system like Chrome; the latest version is always deployed.

What is the version update procedure?

The update management is handled by our team.

What are the different pricing models (SaaS engagement duration, user licenses, global licenses, etc.)?

We offer a subscription-based pricing model per project and the number of contributors, and prices are subject to discussion.

What does the license include?

The license includes the following: custom domains, test, staging, and production environments, monitoring, customer support, the ability to bring your own cloud, one-month backups, Single Sign-On (SSO), access control lists (ACL), direct database access, carbon footprint tracking, region selection, Git repository access, branch versioning, logs, continuous deployment pipeline, and elastic infrastructure.

What is not included in the license or is considered an additional cost?

Any integration not already referenced that is included in the Webcapsule environment is considered an additional cost (deployment costs are only related to AWS costs).

Could you provide an architecture diagram to help understand the solution?

You can find the diagram in the Architecture - Technical section.

Is the solution in SaaS (Software as a Service) mode, self-hosted, or both?

Webcapsule is deployed on the client's infrastructure in a Bring Your Own Cloud model.

For a BYOC application, who is the data center provider (e.g., GCP, AWS, self-owned data center, etc.)?

We currently use AWS and GCP as the cloud for Webcapsule, but we are also capable of developing an integration with other cloud providers as needed.

For a SaaS application, where are the data centers located?

Our data centers are hosted on the AWS or GCP platform, and the infrastructure is within your own account.

What is the responsibility of the provider and the client?

You need to provide a RACI.

For the hosted solution only, could you provide the server specifications (operating system, CPU, memory, disk, etc.)?

Our infrastructure is designed elastically, meaning it automatically adapts to your application's needs. Detailed server specifications can vary depending on demand, and we can adjust resources accordingly.

Is it compatible with proxy authentication?

Authentication will be via transparent proxy mode.

Could you detail the data backup procedure?

We use cloud tools to create backups.

What is the frequency and retention period of backups?

Backups are done every few hours, and the precise number depends on the assessment of criticality and associated costs. They are retained for a one-month period.

Could you detail the data recovery procedure?

For AWS, we use AWS RDS, and we can deploy a backup in a few clicks

If you have a disaster recovery plan (DRP), can you explain how it works technically?

Backups are stored in another region. All our infrastructures are written using Infrastructure as Code (IaaC). Thus, to deploy the solution in a new region, we simply run our IaaC script and use a backup. The estimated time for deployment ranges from 20 minutes to a few hours depending on the backup size.

Are test reports available to clients?

Currently, test reports are not available, but they are planned in our roadmap.

What technologies and versions are used (programming language, operating system, database, etc.)?

Webcapsule Technology: TypeScript (Node 18)

Is the solution compatible with the "ELK" (Elasticsearch) log management?

Yes.

How do you ensure the solution's high availability (server redundancy, load balancing, replication tools, etc.)?

We apply the AWS Well-Architected framework to use cloud best practices. For more information on infrastructure architecture, you can refer to the documentation here.

How can we monitor the solution (plugin system, SNMP, etc.)?

We have a connection to Datadog, Cloudwatch, and we can connect other monitoring tools with some adjustments

VIs your solution a fully web-based solution?

Yes

Is it compatible with the latest version of Chrome?

Yes

Is it compatible with Android and iOS tablets/smartphones?

Yes

Do you have security certifications?

Not for now.

Could you provide us with your latest audit reports and the covered scope regarding the certifications you hold?

No audits have been conducted yet.

Is the solution compliant with security standards for software development (e.g., NIST, WASC, OWASP...)?

Yes

Oui. Nous sommes une petite équipe entièrement dédiée à notre projet. Nous ne pouvons pas faire échouer un projet pour des raisons de sécurité ; c'est donc une priorité absolue.

Is it possible to enable two-factor authentication (2FA) for the solution? If yes, what second authentication mechanisms are available?

Yes, we support two-factor authentication (2FA) with Keycloak. By default, this uses OTP (One-Time Password) codes, but it's possible to customize the second authentication methods, including sending SMS, emails, etc.

Le système de chiffrement et de gestion des clés est basé sur les outils AWS.

What are the restrictions regarding physical access to the equipment hosting the solution?####

All hosting servers are on AWS or GCP.

If the solution is hosted in a server room, is there an appropriate intrusion alert response plan? Does the solution allow limiting access to sensitive data exclusively to users with a legitimate need? Data owners must authorize such access.

Yes.

How does the solution handle inactive accounts?

It's the application administrator who must manage inactive accounts.

Is it possible to create regular backup copies of the solution?

Yes

Can the solution generate logs for all activities, errors, and warnings? If yes, in what format can log files be exported?

Yes

Can log files generated by the solution be exported for a specific period? For example, log files from the past two weeks or the last month.

We use Cloudwatch to store logs, but you can use your own log manager.

Does the solution require network interconnection? If yes, what protocols are used to ensure secure interconnection (IPSEC, VPN, email filtering, etc.)?

Does the solution require HTTP network traffic? If yes, is it possible to redirect all HTTP traffic (port 80) to HTTPS (port 443)

HTTP is redirected to HTTPS.

Is it possible to perform remote access and modification of the solution? If yes, what type of connection is involved (SSH, telnet, etc.)?

You can connect to the cluster via the AWS command line.

Is any part of the development or maintenance of the solution done by a subcontractor?

No.

How often do you conduct a risk assessment of the solution?

Our solution is under development. We can continue to conduct new tests as features are added.

For security libraries, does the solution use frameworks, model languages, or libraries that systematically address implementation weaknesses if they are noticed?

NPM audit and AWS Guard Duty.

Another question?

Feel free to contact us to learn more.

Technical Questions

What is the solution's availability (SLA)?​

Do you provide a disaster recovery plan (DRP/BCP)?​

What are your recovery time objectives (RTO) and recovery point objectives (RPO)?​

Is your solution highly available (load-balanced servers, etc.)?​

Is it possible to retrieve our data at any time (data reversibility)?​

Is it possible to automatically provision users (creation, modification, etc.) and how (API, SCIM, etc.)?​

Can we manage user rights through groups and roles, and how does it work?​

Could you provide a list of your interfaces: type of exchange (API, files, etc.) and description?​

Could you provide an interface diagram?​

Do you provide reports and dashboards for users and administrators? Is it possible to customize them?​

Can we automatically extract DATA from the solution?​

What skills are required and available during the integration project and for future internal support and maintenance?####​

Do you provide a development and test environment?​

In which languages is your application available? Are there possibilities to add other languages?​

In which countries can the solution be deployed?​

Are integrators (including you) available or mandatory in these countries for project management, training, support, etc.?​

What are the different offerings, and who provides support, also locally in the countries?​

What are the hotline opening hours? Is there an on-call service?​

Which languages are supported?​

Could you provide the solution's roadmap? How can we contribute to the roadmap (partnership, cooperative R&D, etc.)?​

What is the frequency of new versions (major version, minor version)?​

How long is a major version supported?####​

What is the version update procedure?​

What are the different pricing models (SaaS engagement duration, user licenses, global licenses, etc.)?​

What does the license include?​

What is not included in the license or is considered an additional cost?​

Could you provide an architecture diagram to help understand the solution?​

Is the solution in SaaS (Software as a Service) mode, self-hosted, or both?​

For a BYOC application, who is the data center provider (e.g., GCP, AWS, self-owned data center, etc.)?​

For a SaaS application, where are the data centers located?​

What is the responsibility of the provider and the client?​

For the hosted solution only, could you provide the server specifications (operating system, CPU, memory, disk, etc.)?​

Is it compatible with proxy authentication?​

Could you detail the data backup procedure?​

What is the frequency and retention period of backups?​

Could you detail the data recovery procedure?​

If you have a disaster recovery plan (DRP), can you explain how it works technically?​

Are test reports available to clients?​

What technologies and versions are used (programming language, operating system, database, etc.)?​

Is the solution compatible with the "ELK" (Elasticsearch) log management?​

How do you ensure the solution's high availability (server redundancy, load balancing, replication tools, etc.)?​

How can we monitor the solution (plugin system, SNMP, etc.)?​

VIs your solution a fully web-based solution?​

Is it compatible with the latest version of Chrome?​

Is it compatible with Android and iOS tablets/smartphones?​

Do you have security certifications?​

Could you provide us with your latest audit reports and the covered scope regarding the certifications you hold?​

Is the solution compliant with security standards for software development (e.g., NIST, WASC, OWASP...)?​

GDPR compliance: What measures have you implemented to protect personal data (information about individuals, exercise of data rights, data retention periods, security measures, data location, privacy by design, etc.)?​

Is there a policy to ensure that permanent and temporary staff are sufficiently aware of all information security requirements related to service delivery and properly trained?​

Is it possible to enable two-factor authentication (2FA) for the solution? If yes, what second authentication mechanisms are available?​

Which data is or can be encrypted, and how is encryption and related subjects (encryption, key management, escrow, key recovery, etc.) implemented and managed?​

What are the restrictions regarding physical access to the equipment hosting the solution?####​

If the solution is hosted in a server room, is there an appropriate intrusion alert response plan? Does the solution allow limiting access to sensitive data exclusively to users with a legitimate need? Data owners must authorize such access.​

How does the solution handle inactive accounts?​

Is it possible to create regular backup copies of the solution?​

Can the solution generate logs for all activities, errors, and warnings? If yes, in what format can log files be exported?​

Can log files generated by the solution be exported for a specific period? For example, log files from the past two weeks or the last month.​

Does the solution require network interconnection? If yes, what protocols are used to ensure secure interconnection (IPSEC, VPN, email filtering, etc.)?​

Does the solution require HTTP network traffic? If yes, is it possible to redirect all HTTP traffic (port 80) to HTTPS (port 443)​

Is it possible to perform remote access and modification of the solution? If yes, what type of connection is involved (SSH, telnet, etc.)?​

Is any part of the development or maintenance of the solution done by a subcontractor?​

Does the solution have a catalog for users to identify and respond to security incidents related to the solution?​

How often do you conduct a risk assessment of the solution?​

For security libraries, does the solution use frameworks, model languages, or libraries that systematically address implementation weaknesses if they are noticed?​

Another question?​

What is the solution's availability (SLA)?

Do you provide a disaster recovery plan (DRP/BCP)?

What are your recovery time objectives (RTO) and recovery point objectives (RPO)?

Is your solution highly available (load-balanced servers, etc.)?

Is it possible to retrieve our data at any time (data reversibility)?

Is it possible to automatically provision users (creation, modification, etc.) and how (API, SCIM, etc.)?

Can we manage user rights through groups and roles, and how does it work?

Could you provide a list of your interfaces: type of exchange (API, files, etc.) and description?

Could you provide an interface diagram?

Do you provide reports and dashboards for users and administrators? Is it possible to customize them?

Can we automatically extract DATA from the solution?

What skills are required and available during the integration project and for future internal support and maintenance?####

Do you provide a development and test environment?

In which languages is your application available? Are there possibilities to add other languages?

In which countries can the solution be deployed?

Are integrators (including you) available or mandatory in these countries for project management, training, support, etc.?

What are the different offerings, and who provides support, also locally in the countries?

What are the hotline opening hours? Is there an on-call service?

Which languages are supported?

Could you provide the solution's roadmap? How can we contribute to the roadmap (partnership, cooperative R&D, etc.)?

What is the frequency of new versions (major version, minor version)?

How long is a major version supported?####

What is the version update procedure?

What are the different pricing models (SaaS engagement duration, user licenses, global licenses, etc.)?

What does the license include?

What is not included in the license or is considered an additional cost?

Could you provide an architecture diagram to help understand the solution?

Is the solution in SaaS (Software as a Service) mode, self-hosted, or both?

For a BYOC application, who is the data center provider (e.g., GCP, AWS, self-owned data center, etc.)?

For a SaaS application, where are the data centers located?

What is the responsibility of the provider and the client?

For the hosted solution only, could you provide the server specifications (operating system, CPU, memory, disk, etc.)?

Is it compatible with proxy authentication?

Could you detail the data backup procedure?

What is the frequency and retention period of backups?

Could you detail the data recovery procedure?

If you have a disaster recovery plan (DRP), can you explain how it works technically?

Are test reports available to clients?

What technologies and versions are used (programming language, operating system, database, etc.)?

Is the solution compatible with the "ELK" (Elasticsearch) log management?

How do you ensure the solution's high availability (server redundancy, load balancing, replication tools, etc.)?

How can we monitor the solution (plugin system, SNMP, etc.)?

VIs your solution a fully web-based solution?

Is it compatible with the latest version of Chrome?

Is it compatible with Android and iOS tablets/smartphones?

Do you have security certifications?

Could you provide us with your latest audit reports and the covered scope regarding the certifications you hold?

Is the solution compliant with security standards for software development (e.g., NIST, WASC, OWASP...)?

GDPR compliance: What measures have you implemented to protect personal data (information about individuals, exercise of data rights, data retention periods, security measures, data location, privacy by design, etc.)?

Is there a policy to ensure that permanent and temporary staff are sufficiently aware of all information security requirements related to service delivery and properly trained?

Is it possible to enable two-factor authentication (2FA) for the solution? If yes, what second authentication mechanisms are available?

Which data is or can be encrypted, and how is encryption and related subjects (encryption, key management, escrow, key recovery, etc.) implemented and managed?

What are the restrictions regarding physical access to the equipment hosting the solution?####

If the solution is hosted in a server room, is there an appropriate intrusion alert response plan? Does the solution allow limiting access to sensitive data exclusively to users with a legitimate need? Data owners must authorize such access.

How does the solution handle inactive accounts?

Is it possible to create regular backup copies of the solution?

Can the solution generate logs for all activities, errors, and warnings? If yes, in what format can log files be exported?

Can log files generated by the solution be exported for a specific period? For example, log files from the past two weeks or the last month.

Does the solution require network interconnection? If yes, what protocols are used to ensure secure interconnection (IPSEC, VPN, email filtering, etc.)?

Does the solution require HTTP network traffic? If yes, is it possible to redirect all HTTP traffic (port 80) to HTTPS (port 443)

Is it possible to perform remote access and modification of the solution? If yes, what type of connection is involved (SSH, telnet, etc.)?

Is any part of the development or maintenance of the solution done by a subcontractor?

Does the solution have a catalog for users to identify and respond to security incidents related to the solution?

How often do you conduct a risk assessment of the solution?

For security libraries, does the solution use frameworks, model languages, or libraries that systematically address implementation weaknesses if they are noticed?

Another question?