NETSUITE DATA CENTER FACT...


Page 1: NETSUITE DATA CENTER FACT SHEET conexussg.com/wp-content/uploads/2017/07/NetSuite-Data-Center-Fact-Sheet.pdf

NetSuite is the world’s largest cloud ERP vendor, supporting over 40,000 organizations, processing over 500 million application requests per day with 9+ terabytes of data added every day. NetSuite also has a track record since 1998 of maintaining the security of our customers’ records.

NetSuite Data Center Architecture

NetSuite operates five geographically separated data centers present in two Regions, US and Europe. The data centers operate in a hub-spoke architecture. Each region has a dedicated data center that provides data mirroring, disaster recovery and failover capabilities for the other data centers in that region in case any data center becomes non-operational. Customer data is not shared between the regions. All data center facilities are operated by a leading collocation provider, which provides earthquake and fire protection, along with heating, cooling and backup power. The NetSuite application is multi-tenant, and all servers, storage and hard drives are built on several layers of redundancy.

NETSUITE DATA CENTER FACT SHEET
Enterprise-Class Data Management, Security, Performance and Availability


Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Facts about NetSuite’s Data Center Infrastructure

Data Management

• Redundancy: Many layers in the NetSuite system implement multiple levels of redundancy. This design allows one or more elements to fail without any interruption in service by having multiple, redundant systems online to automatically assume processing on behalf of the failed component.

• Disaster Recovery: Within one region, data is replicated and synchronized between the active data centers and the dedicated DR data center by way of a proprietary replication mechanism built in house. In the event that the primary data center fails, all operations fail over to the DR data center. This failover procedure is tested and proven on the live site twice annually. The failover procedure is automated and can be triggered in push-button fashion. NetSuite has operations engineers geographically distributed from each other, as well as from the data centers, in order to be able to execute a failover in any disaster scenario. NetSuite conducts semi-annual DR exercises to ensure that systems and processes are in place, as well as to assess and enhance competency of all relevant personnel key to the successful implementation of DR activities. NetSuite data centers utilize tape backups, which support customer-initiated data restores.

• Scalability: NetSuite supports over 40,000 organizations with over 500 million application requests per day with 9+ terabytes of data added every day. NetSuite has designed its systems to accommodate surges and spikes in usage, and to scale upward smoothly to address increased volume and transactions.

Application Security

• Encryption: Transmission of users’ unique ID and passwords, as well as all data in the resultant connection, are encrypted with an industry-standard protocol and cipher suite. NetSuite supports Custom Attribute encryption and provides encryption APIs. The application authentication is token-based, while end-user authentication supports modern two-factor authentication with mobile devices or authentication FOBs.

• Application-Only Access: The system is divided into layers that separate data from the NetSuite application itself. Users of the application can only access the application features, and not the underlying database or other infrastructure components.

• Role-Level Access and Idle Disconnect: Customers can assign each end user a specific role with specific permissions to only see and use those features related to his or her own job. There is a complete audit trail whereby changes to each transaction are tracked by the user login details and a timestamp for each change is provided. The system also detects idle connections and automatically locks the browser screen to prevent unauthorized access from an unattended computer screen.

• IP Address Restrictions: Restrictions on accessing a NetSuite account from specific computers and/or locations can be enforced. This is very useful for customers who are concerned not only about who is able to access their NetSuite account, but from where they access it as well. This feature significantly reduces the risk of unauthorized third parties accessing a user’s account.

• Robust Password Policies: NetSuite offers fine-grained password configuration options—from the length of the user’s passwords, to the expiration of a user’s password at any timeframe they desire. Customers can set up strict password policies to ensure that new passwords vary from prior passwords, and that passwords are complex enough to include a combination of numbers, letters and special characters. Accounts are also locked out after several unsuccessful attempts. For customers who desire a higher level of access control, NetSuite offers multi-factor authentication using a simple physical token. In addition to entering their own passwords, users must possess physical tokens that generate random one-time passwords. These cryptographically robust passwords prevent key loggers, shoulder surfers, phishers and password crackers from accessing a user’s account.

Operational Security

• Continuous Monitoring: NetSuite employs numerous Intrusion Detection Systems (IDS) to identify malicious traffic attempting to access its networks. Unauthorized attempts to access the data center are blocked, and any unauthorized connection attempts are logged and investigated. Enterprise-grade anti-virus software is also in place to guard against Trojans, worms, viruses and other malware from affecting the corporate software and applications.

• Separation of Duties: In addition to mandatory employee background checks at all levels of NetSuite operations, job responsibilities are separated. The Principle of Least Authority (POLA) is followed and employees are given only those privileges that are necessary to do their duties.

• Physical Access: All data centers’ operators maintain stringent physical security policies and controls to allow unescorted access to pre-authorized NetSuite Operations personnel:

º The first layer of security includes photo ID proximity access cards and a biometric identification system. This multi-factor authentication system provides additional assurance against lost badge risks or other attempts at impersonation. Proximity card reader devices are located at major points of entry and are used to secure critical areas within the data centers.

º Single-person portals and T-DAR man traps guarantee that only one person is authenticated at one time to prevent tailgating. Reliable detection and prevention of tailgating and piggybacking through secure doors significantly increases the effectiveness of the access control system.

º In addition, all perimeter doors are alarmed and monitored and all exterior perimeter walls, doors, windows and the main interior entry are constructed of materials that afford Underwriters Laboratory (UL) rated ballistic protection. Vegetation and other objects around the data center are landscaped in a manner such that an intruder would not be concealed.


• Guarded Premises: On-premise security guards monitor all alarms, personnel activities, access points and shipping and receiving, and ensure that entry and exit procedures are correctly followed on a 24x7 basis. Guards are provided with ongoing awareness training and skills-building. Numerous CCTV video surveillance cameras with pan-tilt-zoom capabilities are located at points of entry to the collocation and other secured areas within the perimeter. Video is monitored and is stored for review for non-repudiation.

• Dedicated Security Team: NetSuite employs a global security team dedicated to enforcing security policies, monitoring alerts and investigating any anomalous behavior within the system. This team is active 24x7 from multiple worldwide locations. All access to production is reviewed and granted by the security team.

• Data Center Performance Audits: NetSuite Operations management implements such auditing controls as appropriate for SSAE 16 Type II, ISAE 3402 Type II and PCI compliance. NetSuite’s comprehensive risk management process has been modeled after the National Institute of Standards and Technology’s (NIST) special publication 800-30 and the ISO 27000 series of standards. Periodic audits are carried out to help ensure that personnel performance, procedural compliance, equipment serviceability, updated authorization records and key inventory rounds are above par.

• Security Certifications: NetSuite has passed SSAE 16 Type II and ISAE 3402 Type II audits, is certified for PCI-DSS, and is EU-US Privacy Shield Compliant. NetSuite has defined its Information Security Management System in accordance with NIST standards, including 800-53 and ISO 27000 series standards.

º NetSuite’s SSAE 16 Type II and ISAE 3402 Type II audit is prepared by and audited by a Big Four audit firm. SSAE 16 Type II and ISAE 3402 Type II reports show that we have been through an in-depth audit of our control environment, including controls over data and network security, backup and restoration procedures, system availability and application development. The requirements of Section 404 of the Sarbanes-Oxley Act make a SAS 70 Type II audit report essential to the process of reporting on the effectiveness of internal control over a company’s financial reporting.

º In complying with PCI-DSS requirements, NetSuite offers optional 3D Secure credit card authentication—also known as Verified by Visa and MasterCard SecureCode. 3D Secure adds a higher level of credit card fraud protection. It requests shoppers to create authentication passwords for their credit cards, or requires them to enter their password if they already have one assigned.

º NetSuite has achieved the International Organization for Standardization (ISO) 27001 certification, the leading international standard for measuring Information Security Management Systems (ISMS). The standard requires a systematic examination of security risks, threats, vulnerabilities and their impact. To achieve certification, an organization must design and implement a comprehensive suite of information security controls and adopt an overarching management process to ensure that information security controls continue to meet the organization’s needs on an ongoing basis. NetSuite’s compliance with this important industry certification demonstrates the company’s continued commitment to maintaining and improving its information security management and data custodianship programs.

Performance

• Scalable Application Architecture: NetSuite’s application runs on a three-tiered architecture. All three tiers—web, application, and database—are horizontally scalable and support multi-datacenter deployment. NetSuite currently operates on over 4000 hosts in production.

• Performance Team: NetSuite invests heavily in performance at every layer. This includes a dedicated performance team of developers and DBAs whose sole purpose is to proactively verify application performance benchmarks and tune the application for maximum performance.

• High Performance Databases: NetSuite runs on high performance database server hardware with multiple cores and maximum RAM configuration. NetSuite production database servers run exclusively on flash SSD storage ensuring the fastest possible database IO performance available in the industry.

• Performance Monitoring Tool: NetSuite’s Application Performance Monitoring tool provides a comprehensive performance dashboard that allows you to easily and quickly drill down and investigate the root cause of your site’s performance issues. By capturing critical performance data and quickly identifying, analyzing and fixing the problem areas, you can optimize performance, improve customer experience and maintain critical transactions.

Availability

• Service Level Commitment: NetSuite’s SLC guarantees a 99.5% uptime (outside the scheduled service windows) for the NetSuite production applications for all our customers. A credit is available if NetSuite does not deliver its application services with 99.5% uptime. We have consistently averaged an actual uptime of 99.98% and provide customers a publicly available webpage to display system status at all times at http://status.netsuite.com.

• World Class Hosting Operations Team: NetSuite has a global team of dedicated hosting operations personnel with decades of cumulative experience running large cloud and SaaS business applications demanding high performance and high availability. This team proactively monitors the health of the entire system with industry leading alert and trend based tools designed to identify and resolve events before they impact the live site. This team provides 24x7 coverage to respond to any incident with automated recovery procedures.

• Redundant Internet Connections: The network was built to meet or exceed commercial telecommunications standards worldwide for availability, integrity and confidentiality. All NetSuite data centers have three 10 Gbps diverse-path pipes, designed so that any two connections can simultaneously fail without impacting user experience. This redundancy ensures reliable connectivity and maximum uptime with no single-point data transmission bottlenecks to or from the data center. Additionally, each data center has 2 dedicated 10 Gbps circuits for data replication.

• Backup Power Systems: NetSuite has designed a solution for clean, continuous power. Uninterruptible Power Systems (UPSs) are provisioned in a redundant configuration to support environmental controls in the collocation spaces. Each UPS battery system is designed to carry full load for 15 minutes without a generator. Emergency generators typically provide backup power in less than 10 seconds and are sized to support the entire facility at maximum load. In addition to UPS systems, NetSuite makes use of power management modules and power distribution units on data center floors for a physically integrated and electrically redundant system for source selection, isolation, distribution, monitoring and control of power to computer equipment loads.

• HVAC Systems: Air conditioning in all data centers is configured to allow for proper heat dissipation, permitting the sites to operate within an acceptable temperature range. To maintain the flow of air conditioning, an N+1 redundant system of HVAC units is employed within each location. The HVAC units are powered by normal and emergency electrical systems to maintain their availability. Additionally, cold water tanks have been installed to keep air conditioning units functioning when transition from direct power to generator power during emergencies is required.

• Fire Suppression: The latest fire suppression methods have been employed at NetSuite’s data centers. The systems utilize state-of-the-art “sniffer” systems, augmented by heat detection and dry-pipe sprinkler systems.

• Seismic Engineering: NetSuite-operated data centers provide seismic isolation equipment to cushion facilities against movement, in addition to installing earthquake bracing on all equipment racks. Racks are anchored to the concrete slab below the site’s raised floor.