SLA - Security, Maintenance, Infrastructure

Security updates

We monitor for critical security updates through multiple channels. We follow all official Drupal security announcements and evaluate each one for its urgency and for whether the affected code is in use in any of the projects we maintain. In practice, many updates are not urgent, as they only apply when certain modules are active or with a certain configuration. If we are certain that there is no attack vector for a given project, we schedule the update for a non-urgent release window. If necessary, we roll out security updates immediately.

We also automatically aggregate available security updates for Drupal and non-Drupal dependencies using composer audit for all our projects on a daily basis.

Proactive Monitoring

We developed and released our own Drupal Monitoring framework (https://www.drupal.org/project/monitoring) and have actively used and maintained it since 2013. It is one of the most used projects for helping site maintainers monitor the health of their projects. Around 1500 projects rely on it to collect insights directly from Drupal, such as built-in status checks, frequency of certain errors, performance indicators and other metrics. It is extensible, and custom metrics and checks can be implemented to ensure integrations and other functionalities are working as expected.

We also ensure that projects are available and fast using health checks, monitor SSL expirations and more.

Over the last 10 years, we’ve been using a number of self-hosted solutions to track, aggregate and visualize all this information. We’ve used Icinga, Sensu, Grafana and others. Most recently, we migrated to SigNoz, an all-in-one solution for metrics, log aggregation and performance traces, based on the OpenTelemetry standard. We keep up to date with the latest best practices around monitoring and update our workflow accordingly.

If a project is unresponsive or a metric reaches a critical threshold, our team is alerted and can immediately start to investigate. We inform our clients about these incidents and their resolution, often before they even register the problem themselves.

We are very proud of our work making sure that we catch as many issues as possible on our websites so that all of them, even those that seem insignificant at first glance, can be fixed before they become a larger issue.

Automated testing & Quality Assurance

We use multiple tools as well as processes to ensure that changes we deploy have as few bugs and regressions as possible.

All changes are peer-reviewed and run through code analysis tools.

All projects that we develop are based on our internal distribution Primer. Over the last 10 years, we’ve built up an automated test suite using Behat that consists of 400 scenarios with almost 10’000 test steps, which we run against every change to ensure that the shared functionality of all our projects is as stable as possible. Project-specific tests using Behat or other tools complement this for functionality that has been implemented for specific projects.

We also run visual regression tests using Diffy to identify visual problems as we add new features to our distribution and update our frontend framework.

In addition, we use our automated testing to evaluate new versions of Drupal as they are being developed. There have been few, if any, new minor or major releases of Drupal core where we haven’t identified and fixed some regressions.

Building and maintaining this testing infrastructure also gave us the expertise to recommend quality assurance methods for existing, inherited projects that provide the most value for the cost.

Platform and hosting management

For hosting of your websites, we almost exclusively work with our PaaS hosting partner Upsun (previously platform.sh).

Their platform standardizes how applications and services are set up: we define our routing, service and storage requirements and they take care of the rest. Staging and additional test environments can be set up and synchronized with current production data in minutes. These environments are identical to production, fully isolated and with separate access controls. Automations allow us to sanitize client data, ensuring that it never leaves trusted and secure environments. Backups are consistent across all services and storage of an application and can be created and restored at any time, both automated and manual, which allows us to quickly revert to a safe state on the rare occasion when something goes wrong.

Upsun guarantees availability, high security and data protection standards and takes care of any hardware or infrastructure issues, ensuring that we have a safe and reliable platform and can focus on the development and maintenance of our projects.

Drupal Core & Module updates

As experienced Drupal core subsystem and contributed project maintainers, we are actively involved in various foundational building blocks of Drupal, from the entity system in Drupal core to widely used contributed projects such as Token, Pathauto and Paragraphs.

This expertise, combined with our automated tests, allowed us to update all our client projects from Drupal 8 to 9 and then 10, and we are currently preparing the Drupal 11 update. We did all that with minimal regressions and bugs, and with minimal or even no additional costs for clients using our distribution.