StepZen runs your GraphQL as a managed service on Google Cloud. It provides the following capabilities.
| AutoScaling | StepZen automatically scatters your workload across our Kubernetes cluster. Scales to meet your traffic throughput. |
| Low latency | We typically see a 6-12msec. latency in our optimized, in memory (for both data and runtime state) GraphQL engine. Latencies to our system and to your backend data sources will vary. You can test/measure latencies for yourself using the free performance tool. |
| Security and data protection | See Data Protection on StepZen Cloud. |
| A stable IP address to whitelist at your firewall | See IP Whitelisting for StepZen Public Cloud. |
| Global points of presence (PoP) | Google Cloud has a global point-of-presence (PoP) footprint. In practice, regardless of where your traffic originates, it enters the Google network at the nearest PoP and is subsequently routed to our servers within the Google backbone fiber optic network. |
| Hermetic builds | We can recreate each released version of our cloud service exactly (including compiler and other build tools used, and libraries included). This enables us to diagnose, validate and trace any problems in our codebase with precision, and address issues quickly when they occur. |
| Fully automated deployments and frequent releases | We release small increments frequently. This enables more reliable testing and avoids complex side effects with multiple interacting and conflicting updates. |
| See the StepZen website for more information about regions and public cloud support. |
Data Protection on StepZen Cloud
StepZen takes the protection of your data seriously.
- All account information is encrypted before it is stored in Google's secure storage.
- Your secrets are safe by design. Deployment artifacts (secrets and configuration), once provided to StepZen, can never be downloaded from StepZen. Information only flows one way — from the developer's machines to our cloud. The only operation supported is deletion using a valid admin key.
- Schema and configuration can only be created or updated using admin API Keys.
- Each GraphQL API you create can be called using Admin Key, API Key, valid JWT token, or with no credentials (public). You specify which applies in a configuration setting.
- Our data retention polices are GDPR compliant and for enterprise customers, a Data Protection Agreement (DPA) is standard.
Protecting your Data Sources
StepZen accesses your backend data sources using SQL queries, REST API calls, or GraphQL API calls.
- Databases:
- SQL calls are always prepared statically, to prevent SQL injection attacks.
- We access your databases with the least privilege needed to get the data or perform the mutation you have requested.
- REST API and GraphQL backends:
- StepZen uses the right authentication as required by the target data source, and protects your secrets and keys.
- To make sure that the backend can further do the right checks, StepZen will also pass through the headers needed by the backend (e.g. your JWT tokens, or API Keys)