Security at every step of your development
Learn why companies and developers worldwide trust Netlify to run and secure their sites and applications.
Our commitment to security and privacy
Netlify is committed to a secure cloud environment, using end-to-end encryption, regular security testing, and strict access controls to protect customer data. We also conduct Disaster Recovery and Incident Response exercises to ensure readiness.
We prioritize privacy and compliance with General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), partnering with legal experts to align our products with these standards and updating practices as needed.
Certified security
- ISO 27001
- PCI DSS
- HIPAA
- SOC 2
- ISO 27018
- CCPA
- GDPR
Encryption
All traffic over our networks is encrypted with a minimum of TLS 1.2, and AES-256 protects data in transit and at rest, including sensitive information such as access tokens. We provide free HTTPS certificates via Let’s Encrypt for every deployed domain, with the option for customers to install their own SSL certificates.
Data center security
Netlify leverages globally distributed data center partners that comply with leading security policies and frameworks. Across our global Edge, content deployed to the edge nodes is fully prerendered and static, offering no active processes or surface area for attack.
Active DDoS mitigation
Netlify monitors for traffic pattern anomalies and spikes, and automatically handles mitigation as needed. Our DDoS protections include both Layer 3 and 4 TCP-level attack mitigations, as well as Layer 7 DDoS mitigation.
Vetted, top-tier cloud provider
Netlify deploys only to major cloud providers who regularly undergo extensive security audits and certifications.
Netlify Advanced Web Security
Unlock robust, customizable security features tailored for enterprise needs, offering greater control and visibility to safeguard your digital assets.
Netlify Web Application Firewall (WAF)
Netlify Web Application Firewall (WAF) enables you to implement a predefined set of security rules that can automatically detect and block malicious traffic to your web applications. These rules provide protection with minimal setup and can be customized to fit your applications.
Firewall traffic rules
Control who can access your site based on their IP address or geographic location with Netlify’s Firewall Traffic Rules.
Log drains
Log Drains record visitor requests for assets and pages on Netlify, so you can see in detail which incoming requests were blocked and why.
Rate limiting
On top of Netlify’s existing DDoS protections, Netlify provides highly customizable rate limiting controls that help you safeguard against threats, optimize performance, and manage bandwidth costs and API usage.
Enterprise compliant by design
Netlify undergoes rigorous annual audits and certifications by independent third-party auditors, meeting industry-leading security standards such as AICPA SOC 2 Type 2, ISO 27001, ISO 27018, PCI DSS v4.0, and HIPAA.
Enterprise customers can access detailed audit reports, including our SOC 2 Type 2 attestation, in the Trust Center, while all customers can view our ISO 27001 Certificate online.
Additionally, Netlify is PCI-compliant for SAQ-A requirements, ensuring secure credit card processing, and has completed a full ROC (Report on Compliance) assessment to validate compliance.
Security scorecard
Improve your team’s security and reduce your vulnerabilities with the Security Scorecard. The scorecard offers actionable insights on using Netlify and applying security best practices.
Private connectivity
Use Private Connectivity to reduce the risk to your backend environment and improve compliance. Private Connectivity ensures your builds and functions use allowlist-friendly IPs to contact your backend.
Access control
Enterprise Team Management empowers admins to add and remove users as needed to support organization-wide team management. Create, partition, and customize teams by role.
Partnering for protection: Our shared approach to cloud security
Customers are responsible for the security and compliance of their applications, including:
- Application architecture: Designing secure and robust application structures.
- Data handling: Ensuring proper management of data within the application.
- Response caching configuration: Configuring caching to prevent unauthorized data access.
- Authentication mechanisms: Implementing secure user authentication.
- TLS encryption: Ensuring TLS is enabled for hosted sites (enabled by default on Netlify).
Netlify manages the security and compliance of the infrastructure, including:
- Data encryption: Encrypting data at rest and in transit within our infrastructure.
- Vulnerability management: Identifying and addressing infrastructure vulnerabilities.
- Network security: Maintaining a secure network environment.
- Auditing and testing: Regularly auditing and conducting security tests on our infrastructure.
Looking for more?
Netlify Trust Center
Develop, scale, and innovate with the assurance of Netlify’s commitment to security, privacy, and compliance.
Netlify Privacy Policy
Discover how Netlify keeps your data secure and builds trust with industry-leading privacy and compliance standards.
Netlify Commitment to Privacy
Netlify is dedicated to protecting your data, with robust compliance to GDPR and CCPA ensuring privacy and transparency at every level.