feat(functions): add general faq questions

pages/serverless-containers/faq.mdx

@@ -162,6 +162,46 @@ No, deploying a new version of your Serverless Container generates a **rolling u
 
 This process ensures a seamless update experience, minimizing user disruption during deployments. If needed, you can also manage traffic splitting between versions during the update process, allowing you to test new versions with a subset of traffic before fully migrating to it.
 
+### Are data stored on ephemeral storage encrypted at rest?
+
+At the moment, we do not provide encryption at rest on the filesystem of customer containers. However, the underlying volumes comply with our security standards. For more details, please refer to:
+[https://www.scaleway.com/en/security-and-resilience/](https://www.scaleway.com/en/security-and-resilience/)
+
+Within customer containers:
+
+- In sandbox v2, everything under `/tmp` is stored in RAM.
+- Everything else is written to disk, but access is restricted to authorized personnel only. Please refer to the question *Who are the authorized users?*
+
+### Is there any antimalware or antivirus system in place for containers to secure the environment?
+
+We do not use any antimalware or antivirus system to secure customer environments.
+In the future, the Scaleway registry will include an image vulnerability scanning system.
+
+The environment is secured by the fact that each customer container runs in an isolated system. For isolation, we use **Kata Containers** and **gVisor**, corresponding to sandbox v1 and sandbox v2 respectively, which allow us to strongly isolate customer containers.
+
+As a result, application security remains the responsibility of the customer.
+
+### Who are the authorized users (internal to Scaleway and possibly external) who can access applications running on serverless containers?
+
+The only users with infrastructure-level access to customer containers are developers working within the team or on the team’s underlying infrastructure.
+Even though such access may be possible for debugging purposes, it will never be performed without the customer’s explicit authorization.
+
+### More generally, what measures has Scaleway put in place to secure this service and ensure its availability?
+
+As mentioned above, the primary security measure we implement is strong isolation between customer containers.
+
+Regarding availability, there is always at least one team member responsible for the proper operation of the infrastructure from Monday to Friday, 9:00 AM to 6:30 PM.
+We also have trained SREs on call for part of the product’s infrastructure.
+
+From a security standpoint, this service provides the ability to:
+
+- Isolate containers from one another
+- Protect private resources (IAM / JWT)
+- Connect to a private network, if configured
+- Securely store environment variables and secrets
+- Secure request routing
+- Provide logs and metrics to help customers diagnose issues
+
 ## Usage and management
 
 ### How can I deploy my containers?

pages/serverless-functions/faq.mdx

@@ -275,6 +275,48 @@ Some products are not listed but for example, on specific use cases Secret Manag
 
 Scaleway Serverless Functions support [Virtual Private Cloud (VPC)](/vpc/) and can be attached to a Private Network, which allows you to securely connect your resources in an isolated environment. Refer to the [dedicated documentation](/serverless-functions/how-to/use-private-networks/) for more information.
 
+## Security
+
+### More generally, what measures has Scaleway put in place to secure this service and ensure its availability?
+
+As mentioned above, the primary security measure we implement is strong isolation between customer functions.
+
+Regarding availability, there is always at least one team member responsible for the proper operation of the infrastructure from Monday to Friday, 9:00 AM to 6:30 PM.
+We also have trained SREs on call for part of the product’s infrastructure.
+
+From a security standpoint, this service provides the ability to:
+
+- Isolate functions from one another
+- Protect private resources (IAM / JWT)
+- Connect to a private network, if configured
+- Securely store environment variables and secrets
+- Secure request routing
+- Provide logs and metrics to help customers diagnose issues
+
+### Are data stored on ephemeral storage encrypted at rest?
+
+At the moment, we do not provide encryption at rest on the filesystem of customer functions. However, the underlying volumes comply with our security standards. For more details, please refer to:
+[https://www.scaleway.com/en/security-and-resilience/](https://www.scaleway.com/en/security-and-resilience/)
+
+Within customer functions:
+
+- In sandbox v2, everything under `/tmp` is stored in RAM.
+- Everything else is written to disk, but access is restricted to authorized personnel only. Please refer to the question *Who are the authorized users?*
+
+### Is there any antimalware or antivirus system in place for functions to secure the environment?
+
+We do not use any antimalware or antivirus system to secure customer environments.
+In the future, the Scaleway registry will include an image vulnerability scanning system.
+
+The environment is secured by the fact that each customer function runs in an isolated system. For isolation, we use **Kata Containers** and **gVisor**, corresponding to sandbox v1 and sandbox v2 respectively, which allow us to strongly isolate customer functions.
+
+As a result, application security remains the responsibility of the customer.
+
+### Who are the authorized users (internal to Scaleway and possibly external) who can access applications running on serverless functions?
+
+The only users with infrastructure-level access to customer functions are developers working within the team or on the team’s underlying infrastructure.
+Even though such access may be possible for debugging purposes, it will never be performed without the customer’s explicit authorization.
+
 ## Support and troubleshooting
 
 ### How to reduce cold-start of Serverless Functions?