Managed

Deployment Guide

Endura Security offers a fully managed Team Server service that eliminates the complexity of container deployment, infrastructure management, and ongoing maintenance. With the managed Team Server, Endura operates and maintains your Team Server instance in the cloud, allowing you to focus on security policy management rather than infrastructure concerns.

Core Service Information

Service Overview

The managed Team Server provides all the capabilities of a self-hosted Team Server deployment without the operational overhead:

What’s Included:

  • Fully managed Team Server instance hosted by Endura Security
  • Automatic updates and maintenance with high availability
  • Integrated PostgreSQL database management
  • 24/7 infrastructure monitoring and maintenance
  • Backup and disaster recovery services

What’s Different from Self-Hosted:

  • No container deployment or infrastructure management required
  • No database administration or backup management
  • No security patching or system updates
  • No capacity planning or scaling decisions
  • Configuration changes managed through Endura support

Regional Availability

Choose your preferred geographic region for data residency and optimal Runtime Sensor connectivity:

Available Regions:

  • United States: New York, San Francisco, Atlanta
  • Europe: Amsterdam, London, Frankfurt
  • Asia Pacific: Singapore, Bangalore, Sydney
  • North America: Toronto

Region selection affects data residency, latency to Runtime Sensors, and regulatory compliance. Contact Endura Security during onboarding to select your preferred region.

Service Architecture

Your managed Team Server operates in a dedicated, isolated environment:

  • Dedicated Instance: Each customer receives an isolated Team Server instance
  • Managed Database: PostgreSQL database fully managed by Endura with automated backups
  • High Availability: Infrastructure designed for 99.99% uptime
  • Security Isolation: Network-level isolation between customer instances
  • Automatic Scaling: Infrastructure automatically scales based on connected Runtime Sensors and telemetry volume

Getting Started

Onboarding Process

  1. Initial Consultation: Contact Endura Security to discuss requirements and region preference
  2. Service Agreement: Complete service agreement and select deployment region
  3. OIDC Configuration: Provide identity provider details and approved email domains
  4. Instance Provisioning: Endura deploys your dedicated Team Server instance (typically 1-2 business days)
  5. Access Credentials: Receive your Team Server URL and initial configuration
  6. First Login: Validate access and complete initial setup

Account Provisioning Timeline

  • Service Agreement: Same day processing
  • Instance Deployment: 1-2 business days after OIDC configuration provided
  • Access Delivery: Same day as deployment completion
  • Support Onboarding: Available immediately upon service activation

Initial Configuration Requirements

Before instance provisioning, provide Endura Security with:

Identity Provider Configuration:

  • OIDC Provider (Google, Microsoft, CyberArk, or Oracle)
  • client_id for your OIDC application
  • client_secret for your OIDC application
  • issuer_url for your identity provider

Email Domain Authorization:

  • List of email domains authorized to access your Team Server
  • Any specific user restrictions or group memberships required

Operational Preferences:

  • Preferred region for deployment
  • Tenant name for your organization
  • Primary administrative contact information

Security & Compliance

Data Security

Encryption:

  • All data encrypted in transit using TLS 1.3
  • Database encryption at rest using AES-256
  • Application-level encryption for sensitive configuration data

Network Security:

  • Dedicated network isolation per customer instance
  • Web Application Firewall (WAF) protection
  • DDoS protection and traffic filtering
  • VPC isolation with private subnets for database access

Access Controls:

  • All administrative access requires multi-factor authentication
  • Principle of least privilege for Endura operations staff
  • Regular access reviews and audit logging
  • Customer data access limited to authorized support activities

Data Residency

  • Your Team Server instance operates exclusively in your selected region
  • Database storage remains within the selected geographic region
  • Telemetry and policy data do not cross regional boundaries
  • Backup storage maintains the same regional residency

Shared Responsibility Model

Endura Security Responsibilities:

  • Infrastructure security and maintenance
  • Operating system and container security updates
  • Database backup, recovery, and maintenance
  • Network security and access controls
  • Application security updates and patches
  • Infrastructure monitoring and incident response

Customer Responsibilities:

  • Runtime Sensor deployment and configuration
  • Security policy creation and management
  • User access management within approved domains
  • OIDC identity provider configuration and maintenance
  • Monitoring and responding to security violations detected by Runtime Sensors

User Management & Authentication

OIDC Integration

Authentication is exclusively handled through OpenID Connect (OIDC) integration with your existing identity provider.

Supported Identity Providers:

  • Google Workspace: Full Google SSO integration
  • Microsoft Azure AD/Entra ID: Enterprise Microsoft identity integration
  • CyberArk Identity: Enterprise privileged access management
  • Oracle Identity Cloud: Oracle identity and access management

Authentication Configuration

Customer Requirements:

  • Provide OIDC client_id and client_secret for your chosen provider
  • Provide issuer_url for your identity provider
  • Specify authorized email domains for user access
  • Ensure your identity provider supports OIDC standard claims

Endura Configuration Process:

  • Endura Security configures your Team Server with provided OIDC details
  • Email domain validation ensures only authorized users can authenticate
  • Configuration changes require a support ticket for security and audit purposes

User Access Management

Domain-Based Access Control:

  • Only users with email addresses from pre-approved domains can authenticate
  • Domain list can be updated through Endura support requests
  • Support for multiple domains per customer instance
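
The domain check described above, sketched as an added example (not Endura's code). The allowlist, sample claims, and function names are assumptions, and the ID token's signature, issuer, and audience are assumed to have been validated already.

```python
# Added example: approved-domain check over OIDC ID-token claims.
# 'email' and 'email_verified' are OIDC standard claims; everything else
# here (names, allowlist, sample data) is constructed for illustration.

ALLOWED_DOMAINS = {"example.com", "corp.example.org"}  # constructed allowlist


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    if not isinstance(email, str) or any(c.isspace() for c in email):
        return None
    local, sep, domain = email.rpartition("@")
    # Conservative: reject empty parts and any extra '@' in the local part.
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_authorized(claims, allowed=ALLOWED_DOMAINS):
    """Allow sign-in only for a verified address in an approved domain."""
    # Strict boolean check: a missing claim or the string "true" is rejected.
    if claims.get("email_verified") is not True:
        return False
    domain = email_domain(claims.get("email"))
    # Exact match, never endswith(): look-alike and suffix domains must fail,
    # and subdomains are only accepted when listed explicitly.
    return domain is not None and domain in {d.lower() for d in allowed}


SAMPLE_CLAIMS = [  # constructed claims sets
    {"email": "alice@example.com", "email_verified": True},
    {"email": "Bob@EXAMPLE.COM", "email_verified": True},
    {"email": "carol@sub.example.com", "email_verified": True},
    {"email": "mallory@evil-example.com", "email_verified": True},
    {"email": "mallory@example.com.attacker.test", "email_verified": True},
    {"email": "eve@example.com", "email_verified": False},
    {"email": "dave@example.com"},
    {"email": "x@y@example.com", "email_verified": True},
]


def evaluate_samples():
    """Return the allow/deny decision for each constructed claims set."""
    return [is_authorized(c) for c in SAMPLE_CLAIMS]


if __name__ == "__main__":
    for claims, ok in zip(SAMPLE_CLAIMS, evaluate_samples()):
        print("ALLOW" if ok else "DENY ", claims.get("email"))
```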

Multi-Factor Authentication:

  • MFA is handled entirely by your OIDC identity provider
  • Endura recommends enabling MFA in your identity provider configuration
  • No additional MFA configuration required within Team Server

Role-Based Access Control:

Team Server uses three roles to manage user permissions:

  • Administrator: Full access to all features including user management, system configuration, and role assignment
  • Operator: Manage deployments, sensors, pipelines, builds, violations, and policies. Cannot modify user roles
  • Viewer: Read-only access to view dashboards, pipelines, builds, and violations. Cannot make any changes

By default, all new users who authenticate are assigned the Viewer role. For managed deployments, Endura Security configures your first Administrator during the onboarding process. Once your Administrator account is set up, you can promote additional users to Administrator or Operator roles through the Administration menu in Team Server.

Operations & Maintenance

Automatic Updates

Application Updates:

  • Team Server updates applied automatically during scheduled maintenance windows
  • Updates follow the same semantic versioning and release channels as self-hosted deployments
  • Customers are notified of major version updates in advance
  • Zero-downtime rolling updates for patch and minor version releases

Infrastructure Maintenance:

  • Operating system and security updates applied automatically
  • Database maintenance performed during low-usage periods
  • Infrastructure scaling adjustments made transparently
  • All maintenance activities monitored and logged

Backup & Disaster Recovery

Automated Backups:

  • Database backups performed every 6 hours
  • Configuration backups taken before any changes
  • Backups retained for 90 days
  • Cross-region backup replication for disaster recovery

Disaster Recovery:

  • Recovery Time Objective (RTO): 4 hours for complete service restoration
  • Recovery Point Objective (RPO): Maximum 6 hours of data loss
  • Automated failover to backup infrastructure
  • Regular disaster recovery testing performed by Endura operations team

Business Continuity:

  • Multiple availability zones within each region
  • Automated health monitoring and failover
  • Redundant database infrastructure
  • Load balancing across multiple application instances

Monitoring & Observability

Service Health Monitoring:

  • 24/7 automated monitoring of all service components
  • Application performance monitoring and alerting
  • Database performance and capacity monitoring
  • Network connectivity and security monitoring

Customer Visibility:

  • Service status page available for real-time service health
  • Planned maintenance notifications sent via email
  • Incident notifications and resolution updates
  • Monthly service reports available upon request

Data Retention and Deletion Policies

Data Retention

Operational Data:

  • Runtime Sensor telemetry: Retained for 2 years
  • Security policy configurations: Retained for the life of the service
  • User activity logs: Retained for 1 year
  • Audit logs: Retained for 7 years
  • Configuration changes: Retained for 5 years

Backup Retention:

  • Daily backups: Retained for 90 days
  • Monthly backups: Retained for 1 year
  • Annual backups: Retained for 7 years
  • Configuration snapshots: Retained for 2 years

Data Deletion

Service Termination:

  • 30-day notice required for service termination
  • Data export available during 30-day notice period
  • Complete data deletion performed within 90 days of service termination
  • Cryptographic deletion of encryption keys ensures data is unrecoverable

Data Export Process:

  • Customers can request data export at any time during active service
  • Export includes all telemetry, policies, configurations, and audit logs
  • Data provided in industry-standard formats (JSON, CSV)
  • Export delivery within 5 business days of request

Secure Deletion:

  • Multi-pass data overwriting on physical media
  • Cryptographic key destruction for encrypted data
  • Certificate of destruction provided upon request
  • Compliance with data protection regulations (GDPR, CCPA)

Right to Erasure:

  • Specific data deletion requests processed within 30 days
  • User account data deleted upon user removal
  • Audit trail maintained for deletion activities
  • Compliance with applicable data protection regulations

Legal and Regulatory Compliance

Data Protection:

  • GDPR compliance for European customers
  • CCPA compliance for California customers
  • Data processing agreements available upon request
  • Regular compliance audits and assessments

Data Sovereignty:

  • Data remains within selected geographic region
  • No cross-border data transfers without explicit customer consent
  • Local data protection laws respected and followed
  • Government data requests handled according to applicable law

Support & Service

Customer Support

Support Channels:

  • Email Support: support@endurasecurity.com
  • Response Times: Best effort response within 24 hours
  • Business Hours: Monday-Friday, 9 AM - 5 PM in customer’s region

Support Scope:

  • Team Server configuration assistance
  • Runtime Sensor connectivity issues
  • User access and authentication problems
  • Security policy configuration guidance
  • Service health and performance questions

Escalation Process:

  • Critical service issues receive priority response
  • Security incidents escalated to Endura Security response team
  • Service outages communicated via status page and email
  • Customer success manager assigned for enterprise customers

Service Management

Configuration Changes:

  • OIDC provider updates processed within 1 business day
  • Email domain changes require verification and approval
  • Configuration backup created before all changes
  • Change confirmation provided via email

Account Management:

  • Primary contact updates processed immediately
  • Billing contact changes require verification
  • Service region changes require migration (additional fees may apply)
  • Account suspension/reactivation processed within 4 hours