Our data center has redundant firewalls and many networks. Each of these networks contains devices that serve a single function. For example, the database servers are on one network, and the web servers are on another. This is very important, as it provides a much stronger defense against attack.
In addition, we instate a strict "block all" policy for communication between networks. No service is allowed to communicate across the network line unless it follows a strictly defined rule set. We regularly review both this rule set and actual inter-network communication to ensure that nothing "extra" crosses network boundaries.
Strict security controls permit only the FogBugz On Demand systems administration team and the FogBugz Development Lead to have access to the system. Fog Creek stands by a policy that strictly prohibits its employees from examining customer data without permission from the customer, and we maintain an audit trail.
Customer data is backed up daily onsite. Backup files are archived for historical purposes, so data can be recovered quickly in the unlikely event of a database server failure.
In addition, the historical data is encrypted and shipped to Amazon S3 every night. This means that your data is safe even in the event of a large-scale equipment loss or disaster.
Fog Creek Software has the ability to maintain a different version of FogBugz On Demand for each account. This enables us to first apply an upgrade to our own set of test accounts, then gradually roll out the upgrade to customers. Thus, any problem with upgrading is caught early and affects few, if any, On Demand customers.