**Tags:** #Process #OPSEC

> [!info]
> This information is shared as part of Decombine's commitment to [[Open Core]] practices.

### Remote Offices

Decombine is a remote-native company which authorizes users to work from home or other secondary locations as warranted. Decombine employees and contractors are offered software and best practices to maintain security hygiene at their personal home office.

### Virtual Private Network

Decombine employees and contractors access corporate resources such as email by first connecting to a Virtual Private Network (VPN) service to ensure traffic is encrypted. Users can then authenticate to our centralized identity access management (CIAM) solution, Azure Active Directory (AAD).

## Virtual Networks

Decombine operates private, regional Virtual Networks (VNets) spread globally across Azure datacenters to enable private networking and security solutions for our services. The private networks are used exclusively to operate Decombine backend services and are not utilized for any other business operations. Decombine employees and contractors do not access Decombine's Infrastructure Virtual Networks using personal devices.

Decombine Virtual Networks are exclusively managed and operated through software-based configuration which is stored in GitHub. Each network uses only private IP addresses (RFC 1918) which are not publicly routable, although specific services may have Public IPs that are exposed in order to provide Internet routing for services to end users.

### Web Application Firewalls (WAF)

Decombine Virtual Networks are monitored using Microsoft Defender for Cloud and use Web Application Firewalls (WAF) on ingress points to our backend private networks and services. WAF policies are continuously updated by our underlying vendor [[Cloud Service Providers (CSP)#^d98587]].

### Private Links

Decombine primarily uses Private Link and Private Endpoint services to communicate securely and directly between our confidential compute services and vendor Platform-as-a-Service (PaaS). Traffic between Decombine services and Azure services does not use the Internet and instead uses Azure's private network backbone.

### Virtual Network Restrictions

Decombine Virtual Networks cannot be accessed through the Internet. Decombine engineers who need access to resources within the Virtual Networks, to administer resources or perform manual configurations, instead access the Virtual Networks using a dedicated zero trust gateway, [Azure Bastion Host](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview). The Bastion Host is limited to privileged users within Azure Active Directory (AAD) and is only used for occasional access as required.

The Bastion Host is the first access layer. It connects to a dedicated "jump-box" Virtual Machine, which can then be used to communicate with Decombine backend services that do not have Internet connectivity.

## On-premises network

Decombine does not operate an on-premises network of any kind for contractors or employees, so there is no physical centralized network.

Decombine employees and contractors *do* access a centralized network at its office space in Helsinki, Finland, which is operated by the Maria01 startup campus. Decombine does not maintain any corporate resources on the Maria01 network, and it is only used as an initial Internet access point. Maria01 terms can be found [here](https://maria.io/privacy-policy-and-terms/).