Security at Netlify

We’re trusted by millions of companies and developers to run secure, performant sites and applications

A global platform that is secure by design

Commitment to Privacy

Netlify is committed to privacy and to helping users understand the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and comply with their requirements. We’ve partnered with legal experts in Europe and the US to ensure that our products and contractual commitments are in line with the GDPR.

We’ll also continue monitoring best practices around GDPR and CCPA compliance and update our commitments if they change.

Please see our privacy policy for privacy-related information.

Reduced Attack Surface

Across our global Edge, content deployed to the edge nodes is fully prerendered and static, offering no active processes or surface area for attack.

Application code runs on Netlify's build infrastructure (prior to deployment) and when using cloud functions (in production). Both environments are ephemeral, spinning up new, temporary containers just long enough to execute each task. That means there are no idle environments to attempt to exploit, and limited exposure to public networks.

Enterprise Compliant

Netlify undergoes a SOC 2 Type 2 audit and ISO 27001 certification annually, both of which are performed by an independent third-party auditor. Enterprise plan customers can request a full audit report for SOC 2 Type 2, and all customers can find a copy of our ISO Certificate here. Additionally, Netlify is PCI compliant for all SAQ-A requirements to safely process credit card transactions.

Reinforced User Boundaries

Enterprise Team Management empowers admins to add/remove users as needed to support organization-wide team management. Create, partition, and customize teams by role.

HTTPS

Netlify uses Let's Encrypt to provide free HTTPS certificates for every domain deployed. You can also bring and install your own certs.

Vetted, Top-tier Cloud Provider

Netlify deploys only to major cloud providers who regularly undergo extensive security audits and certifications.


Responsible Disclosure Policy

Netlify aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner. Our responsible disclosure process is hosted by HackerOne’s bug bounty program.

Reporting a Security Incident

Please report any suspected security incident to security@netlify.com.

Checked. And double-checked.

  • Active DDoS mitigation

    Netlify monitors for traffic pattern anomalies and spikes, and effectively controls for them as needed.

  • Encryption

    All traffic over our networks is TLS encrypted, and all sensitive information, like access tokens, is encrypted at rest.

  • Penetration testing

    Netlify engages with a third party on an annual basis to have our services penetration tested. An executive summary is available to our enterprise customers.

  • Datacenter security

    Netlify leverages globally-distributed data center partners that comply with leading security policies and frameworks.

  • Rate limiting

    Netlify provides more granular controls that help you safeguard against threats, optimize performance and manage bandwidth costs.

  • Security scorecard

    Netlify empowers Account and Team owners to identify and quickly resolve security vulnerabilities all in one place.

Secure your development

From audit logs to granular permissions, Netlify puts you in control of your development process.

Integrate Netlify into your organization with Single Sign-on

Teams can sign in to the Netlify UI with G Suite, Okta, OneLogin, Ping Identity, or most identity providers that support SAML 2.0.

For Enterprise teams, Netlify supports integrating an existing SSO provider to authenticate users. Contact sales for more information.


Verify team members with two-factor authentication

Protect access to your Netlify account by requiring a time-based passcode from an app like Authy or Google Authenticator before allowing access.

Control who can do what

Users added to your Netlify account can be given access to all sites within the team, or only specific sites. You can restrict who can create sites, edit site settings, add or remove team members, manage billing information and more.


Audit every action

Netlify audit logs provide transparency into the different actions taken by team members on various team and site settings.

Audit logs provide an overview and historical log of nearly every action that can be taken by your team members.

Secure your application

Netlify offers several powerful tools to easily add access controls to your site or application.

Manage signups, logins, password recovery, and more — all without rolling your own authentication service.

Register and authenticate visitors to your site so you can gate content, enable CMS functionality, make authenticated calls to outside services, and more. Securely integrate with any service that understands JSON Web Tokens.

Learn more about Identity in the docs
  • Authenticate users using Netlify Identity
  • Authorize users to view different parts of the site
  • Redirect users based on their permissions or location
  • Password protect the entire site or part of it


Get help with technical issues and general questions by visiting our Support Center.