Netlify: Secure by Design
We’re trusted by millions of companies and developers to run secure, performant sites and applications
A global platform that is secure by design
- SOC 2 Type 2
- HIPAA Compliant
- GDPR Compliant
- ISO 27001 Certified
- ISO 27018 Certified
- PCI DSS v4.0 Certified
- CCPA Certified
Visit the Netlify Trust Center to download the latest copies of our security and compliance related artifacts and whitepapers.
Commitment to Security
Netlify is committed to providing a secure cloud environment by design for customers. As part of this commitment, we support end-to-end encryption for customer data, both in transit and at rest. We also conduct regular internal and third-party penetration testing, alongside ongoing patch management, to identify, mitigate, and address potential security risks, and adhere to strict control mechanisms to ensure that only authorized personnel can access sensitive data. Furthermore, we conduct regular Disaster Recovery and Incident Response readiness exercises.
Commitment to Privacy
Netlify is committed to privacy and to helping users understand the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) and comply with their requirements. We’ve partnered with legal experts in Europe and the US to ensure that our products and contractual commitments are in line with GDPR regulations.
We’ll also continue monitoring best practices around GDPR and CCPA compliance and update our commitments if they change.
Please see our privacy policy for privacy-related information.
Reduced Attack Surface
Across our global Edge, content deployed to the edge nodes is fully prerendered and static, offering no active processes or surface area for attack.
Application code runs on Netlify's build infrastructure prior to deployment, and when using cloud functions in production. Both environments are ephemeral, spinning up new, temporary containers just long enough to execute each task. That means there are no idle environments to attempt to exploit, and limited exposure to public networks.
Enterprise Compliant by Design
Netlify undergoes an annual audit and certification process, performed by an independent third-party auditor, against industry-recognized security standards, including AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA. Enterprise plan customers can request access to our full audit reports, including our SOC 2 Type 2 attestation, in our Trust Center. All customers can find a copy of our ISO 27001 Certificate here. Additionally, Netlify is PCI compliant for all SAQ-A requirements to safely process credit card transactions, and has undergone a full RoC assessment.
Access Control
Enterprise Team Management empowers admins to add/remove users as needed to support organization-wide team management. Create, partition, and customize teams by role.
End-to-end Encryption of Customer Data
Netlify uses a minimum of TLS 1.2 and AES-256 to encrypt customer data in transit and at rest. We also use Let's Encrypt to provide free HTTPS certificates for every domain deployed. Customers can also bring and install their own SSL certificates.
Vetted, Top-tier Cloud Provider
Netlify deploys only to major cloud providers who regularly undergo extensive security audits and certifications.
Responsible Disclosure Policy
Netlify aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner. Our responsible disclosure process is hosted by HackerOne’s bug bounty program.
Reporting a Security Incident
Please report any suspected security incident to security@netlify.com
Shared Responsibility
Maintaining security in the cloud requires a shared responsibility between Netlify and our customers.
Customer’s responsibility: Security and compliance of your application
- Application architecture
- Handling of data in the application
- Authentication mechanisms
- Response caching configuration
- Ensuring that TLS encryption is enabled for hosted sites, which is the default configuration
Netlify’s responsibility: Security and compliance of our infrastructure
- Encryption of data at rest and in transit within our infrastructure
- Vulnerability management of our infrastructure
- Network security of our infrastructure
- Auditing and security testing of our infrastructure
Checked. And double-checked.
Active DDoS mitigation
Netlify monitors for traffic pattern anomalies and spikes, and automatically handles mitigation as needed. Our DDoS protections include both Layer 3 and 4 TCP-level attack mitigations, as well as Layer 7 DDoS mitigation.
Encryption
All traffic over our networks is TLS encrypted, and all sensitive information, such as access tokens, is encrypted at rest.
Vulnerability management
Netlify engages with top-tier third-party offensive security vendors on an annual basis to have our services penetration tested, in addition to a robust vulnerability and patch management program. An executive summary of our latest penetration testing report is available to our enterprise customers in our Trust Center.
Datacenter security
Netlify leverages globally-distributed data center partners that comply with leading security policies and frameworks.
Rate limiting
Netlify provides more granular controls that help you safeguard against threats, optimize performance and manage bandwidth costs.
Security scorecard
Netlify empowers Account and Team owners to identify and quickly resolve security vulnerabilities all in one place.
Secure your development
From audit logs to granular permissions, Netlify puts you in control of your development process.
Integrate Netlify into your organization with Single Sign-on
Teams can sign in to the Netlify UI with G Suite, Okta, OneLogin, Ping Identity, or most identity providers that support SAML 2.0.
For Enterprise teams, Netlify supports integrating an existing SSO provider to authenticate users. Contact sales for more information.
Verify team members with two-factor authentication
Protect access to your Netlify account by requiring a time-based passcode from an app like Authy or Google Authenticator before allowing access.
Control who can do what
Users added to your Netlify account can be given access to all sites within the team, or only specific sites. You can restrict who can create sites, edit site settings, add or remove team members, manage billing information and more.
Audit every action
Netlify audit logs provide transparency into the different actions taken by team members on various team and site settings.
Audit logs provide an overview and historical log of nearly every action that can be taken by your team members.