Key Takeaways
* Extreme Data Isolation: eRAG ensures complete data isolation between customers through isolated deployments, dedicated Kubernetes namespaces, and separate, enterprise-grade LLM vendor accounts.
* No Customer Data for Training: GigaSpaces commits to not using any machine learning library or training any models on customer data.
* Security by Design Principles: The platform is built on key security principles, including threat modeling, least privilege, defense in depth, secure defaults, and fail securely.
In my roles as CISO and VP R&D at GigaSpaces, I’m often asked how eRAG assures the security of our customers’ data. This blog post gathers the most common questions and answers, providing a comprehensive overview of the security architecture, principles, and procedures implemented in eRAG to ensure robust data protection and compliance.
How does eRAG ensure data isolation between customers?
eRAG ensures data isolation between customers through the following measures:
- Isolated Deployments: eRAG deployments are entirely isolated, meaning not a single component shares data between customers.
- Dedicated Kubernetes Namespace: Each deployment is entirely isolated as a dedicated namespace deployment in the Kubernetes cluster.
- Separated LLM Vendor Accounts: Communication with the LLM SaaS vendor is done using separated, enterprise-grade accounts per deployment. This guarantees that the LLM provider does not keep, use, or share any of the customer data.
- No ML/Training on Customer Data: GigaSpaces does not use any machine learning library nor does it train any models on the customer data.
What are some of the Key Principles implemented to reach Security by Design in eRAG?
The Key Principles implemented to reach Security by Design in eRAG are:
- Threat Modeling: Having our Software Architects identify potential security risks early in the development process, so they can be mitigated in the design phase of each feature.
- Least Privilege: Granting only the necessary access to users and systems.
- Defense in Depth: Implementing multiple layers of security controls.
- Secure Defaults: Ensuring the default settings are the most secure options.
- Fail Securely: Designing the system to handle failures without exposing vulnerabilities.
- Security Reviews & Testing: Conducting regular code audits, penetration testing, and security assessments.
- Automated Security Measures: Integrating security tools into CI/CD pipelines to detect vulnerabilities early.
What are the methods eRAG uses to protect PII data?
The methods eRAG uses to protect PII data are:
- Data in Transit Encryption: All data in transit is encrypted using HTTPS protocol with TLS 1.3.
- Data at Rest: eRAG stores all data in isolated encrypted storage per customer, and in a forthcoming version will not save any customer data at rest. The design utilizes the customer’s cloud storage for persistence, and the entire usage of data by eRAG is solely in memory.
- Data Governance: Implemented by separate deployments for different user profiles, ensuring people can only see the data exposed to the deployment they were invited to.
- Data Isolation: Deployments are isolated with no single component sharing data between customers. Each deployment is a dedicated namespace in the Kubernetes cluster. Additionally, communication with the LLM SaaS vendor uses separated, enterprise-grade accounts per deployment, guaranteeing the LLM provider does not keep, use, or share any customer data. GigaSpaces also does not use any machine learning library or train any models on customer data.
What compliance standards and certifications does GigaSpaces uphold for eRAG?
GigaSpaces upholds the following compliance standards and certifications for eRAG:
- ISO 27001 certified
- GDPR compliant
- EU AI Act compliant
- DORA (standard ICT provider) compliant
- Currently seeking SOC2 certification by Q2 of 2025
Which security reviews and measures do you execute?
The following principles and procedures ensure security throughout the process:
- Security Reviews & Testing: Regular code audits, penetration testing, and security assessments are conducted.
- Automated Security Measures: Security tools are integrated into CI/CD pipelines to detect vulnerabilities early.
- Incident Response: The SOC team provides a 24/7 response model and monitors production environments. The incident handling procedure for code-related issues includes:
  - Configuration/Code investigation for the incident root cause.
  - Fix of the root cause either by code or configuration change.
  - Test the code/configuration fix (with runbooks and automation for configuration changes).
  - Deploy a hotfix to all production environments.
  - RCA documentation and a Lesson Learnt session.
How does eRAG ensure Access Control?
Each eRAG deployment is entirely isolated as a dedicated namespace deployment in our Kubernetes cluster. Data governance is implemented by separate deployments for different user profiles. Only invited users can connect to the eRAG deployment (application), and invites are managed solely by GigaSpaces/Organization administrators. We will support a Role-Based Access Control (RBAC) system designed to manage user access efficiently and provide essential access management capabilities.
Last Words
The eRAG platform adheres to key principles such as Threat Modeling, Least Privilege, and Defense in Depth. Customer data is protected through extreme data isolation measures, including dedicated Kubernetes namespaces and separate, enterprise-grade LLM vendor accounts, with GigaSpaces committing not to train any models on customer data. For PII protection, all data is encrypted in transit (TLS 1.3) and is only used in memory, meaning eRAG does not save any customer data at rest.
The platform’s security is maintained through regular Security Reviews & Testing, automated security measures in CI/CD pipelines, and a 24/7 SOC Incident Response team. Furthermore, GigaSpaces upholds strong compliance standards, being ISO 27001, GDPR, EU AI Act, and DORA compliant, and is actively seeking SOC2 certification by Q2 of 2025.