Data Protection Measures

The Request Lifecycle: How Simptel Protects Data

Izahir

2 min read
The Request Lifecycle: How Simptel Protects Data
Photo by Rob King / Unsplash

At Simptel, we apply two guiding principles in the design of our infrastructure: least surface exposure and zero-trust networks. These principles ensure that every interaction with our platform presents the smallest possible attack surface, and that no step or connection is implicitly trusted.

In this text, we will explain step by step how a request is processed and secured. As an illustration, we use the domain id.terramobile.app of our customer TerraMobile.

1. DNS Resolution

The process begins at the DNS provider. For TerraMobile, id.terramobile.app points via a CNAME record to terramobile.cloudprovider-eu.tfplatform.com. Resolution is handled exclusively by Google Cloud DNS, without additional caching layers or external services.

This avoids unnecessary vulnerabilities and minimizes the risk of interception from the very first step.

2. WAF, DDoS Protection, and IP Resolution

Before a request reaches the platform, it is filtered through a Web Application Firewall (WAF) and protected against volumetric attacks with DDoS mitigation. Only traffic that meets the defined criteria proceeds to the tenant-specific cluster.

3. Gateway Handshake and Tenant Verification

The gateway is the only permitted entry point to the cluster. Here, a TLS 1.3+ handshake is performed. This process not only encrypts the connection but also verifies whether the tenant exists and is enabled. Without successful verification, the request is not processed further. This reflects the zero-trust principle: no connection is accepted without explicit proof.

4. Context Injection

Once verified, the gateway enriches the request with additional metadata, including:

  • traceparent and request identifiers
  • network data (country, ISP, IP address)
  • tenant-specific metadata

This context makes it possible to trace and analyze requests throughout the platform.

5. Security Checks

The request is then subjected to several layers of security, including:

  • IP allow list validation
  • payload sanitization
  • rate limiting
  • CORS enforcement
  • OAuth 2.0 authorization flows
  • policy enforcement via a policy enforcement point

All measures follow a deny-by-default strategy. Only explicitly approved requests are allowed.

6. Regional Processing and Storage

A central principle at Simptel is regional data sovereignty. For TerraMobile, which is hosted in Azure EU West, all processing and storage take place exclusively within that region. No replication or transfer occurs outside the chosen jurisdiction, ensuring compliance with regulations such as GDPR.

7. Business and Data Layers

After passing security checks, the request enters the business logic, where additional validation is applied. Communication with the data layer is always encrypted according to AES-256 standards, both at rest and in transit. Sensitive interactions are further traced and monitored.

8. Response and Logging

Once processing is complete, a response is returned to the user. Simultaneously, the full transaction is recorded in an encrypted event log. This ensures transparency and auditability, without compromising confidentiality.

Conclusion

The request lifecycle at Simptel demonstrates how security is not applied as a single measure but as an integrated process. By adhering to least surface exposure and zero-trust principles, risks are systematically minimized. The example of TerraMobile illustrates how this approach results in secure, transparent, and regulation-compliant data processing in practice.

Read more