Fleet Wage

Security at DigitalOcean

At DigitalOcean, our customers’ trust is critical to us. We know that you need a secure foundation to build on, which is why we are dedicated to product and platform security, and providing you with security best practices so both you and your own customers can stay secure.

DigitalOcean’s security pillars

DigitalOcean takes a thorough approach to security, and helps customers stay secure through four main pillars.

Product security

Each DigitalOcean product has several security features to help you secure your infrastructure.

Platform security

We abstract away the complexities of security at the infrastructure layer to give you peace of mind.

Trust and privacy

Security best practices

We provide documentation and articles on security best practices.

Infrastructure Security

DigitalOcean follows the most up-to-date infrastructure security controls.

Shared Responsibility Model

Read these product guides to learn how we can work together to secure your DigitalOcean instance.

Product security features

Each of our products has several built-in security features.

SSH keys provide a more secure way to log in to your Droplet.

The Droplet Console provides a secure way to connect to your Droplets through one-click SSH access from the terminal.

Cloud Firewalls are a network-based, stateful firewall service for Droplets provided at no additional cost. Cloud Firewalls block all traffic that isn’t expressly permitted by a rule.

Trusted Sources allow you to securely connect your apps and functions to Managed Databases.

Encrypted environment variables allow you to add secrets as ENV vars for your app that won’t be exposed through the UI.

We help shield Apps from DDoS attacks at our network’s edge.

App Platform uses Kata Containers, which results in a more secure container runtime. Kata Containers are lightweight virtual machines that feel and perform like containers, but help provide stronger workload isolation by using hardware virtualization technology as a second layer of defense.

Standard Kubernetes network policies and Cilium network policies can be used to limit network traffic to/from workloads in a DOKS cluster.

All traffic to worker nodes from the internet is blocked by default. Ports are automatically opened when NodePort services are created.

Worker nodes are in a user’s VPC. LB <-> worker and worker <-> worker communication happens over VPC.

Kubernetes Secrets stored in etcd are encrypted at rest using a per-cluster key.

Etcd data is encrypted at rest.

DigitalOcean is on the Kubernetes Private Distributors List and receives advance notification of critical security issues. We release security fixes as soon as possible.

Users can configure their cluster to receive automatic patch version upgrades.

Users can configure SSL termination or passthrough on DOKS-managed load balancers using annotations.

Compute and networking resources are isolated for each of your functions.

Functions operate over HTTPS and TLS by default.

Encrypted environment variables allow you to add secrets as ENV vars for your functions that won’t be exposed through the UI, CLI or API.

We help shield functions from DDoS attacks at our network’s edge.

The platform is managed to perform updates of software which powers customer instances. This includes database engines and related software.

Backups of customer managed database instances are taken and stored off-site. They are encrypted while stored to prevent unauthorized access to customer database data without the required decryption keys.

Connections to Managed Database customer instances occur over TLS/SSL, which provides encryption of traffic in transit between the customer applications and the customer managed databases.

Managed Databases support customer-controlled users and permissions – the user decides which users connect with which privilege to which database.

Managed Databases support an application firewall which allows the user to configure from which sources a connection can be made to the managed database instance.

S3 V4 authentication provides identity verification of the requestor and in-transit data protection.

Each customer has one or more unique identity keys and can use Access Control Lists to control access to the data.

Data is encrypted on the disk. If an attacker obtains physical access to the disks they will not be able to access the data.

Customers can provide temporary, secure access to specific data to other users.

HTTPS ensures that the data is encrypted in transit.

Allows customers to set their own encryption keys.

Spaces is secure by default, reducing the likelihood that data is leaked by accident. For example, by default file listing is restricted only to users with keys, and by default static site hosting is disabled.

Data is encrypted on the disk.

Users can enable LUKS encryption, which helps ensure data is inaccessible without a user-provided passphrase or key.

Users can use Linux file permissions on a Volume in the same way that they can on the primary/root disk system.

Virtual Private Cloud is an isolated network for cloud resources, giving you more control over how your resources communicate with isolation, reminiscent of what you might achieve running systems on premises.

Users can secure their infrastructure and define what services are visible on their Droplets.

Users can set up SSL passthrough to send encrypted SSL requests directly to the backend Droplet pool via VPC Network. This helps secure traffic between the Load Balancer and the backend Droplets. Integration with Let’s Encrypt Certificate.

Users can set up SSL termination, which decrypts SSL requests at the load balancer and sends them unencrypted to the backend via the Droplets’ private IP addresses. SSL termination places the slower and more CPU-intensive work of decryption on the load balancer and simplifies certificate management. Traffic between the load balancer and its Droplets is secured by routing over the VPC network.

When images are submitted to the Marketplace they go through an automated image check. This helps check for and fix potential security concerns and verifies the image is compatible with the marketplace. The check also helps identify any configuration issues that would need to be fixed by the image vendor before it goes live in the Marketplace for customers.

DigitalOcean has partnered with GitHub to join their secret scanning program to protect our joint customers from leaking API tokens in their code. When GitHub detects a DigitalOcean API token committed to a repository, we are alerted. The token is automatically revoked and we notify the customer.

Certification reports

SOC 2 and SOC 3

DigitalOcean is AICPA SOC 2 Type II and SOC 3 Type II certified. By achieving compliance with this globally recognized information security controls framework, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information.

Cloud Security Alliance (CSA)

DigitalOcean has achieved Cloud Security Alliance (CSA) STAR Level 1, which addresses fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service.

GDPR

DigitalOcean is GDPR compliant and we show it through our actions. DigitalOcean uses clear and concise language in our Data Processing Agreement (DPA) and Privacy Policy and backs that up with transparent security and privacy controls.

Global Cross-Border Privacy Rules (CBPR)

The CBPR is a global privacy standard under which an organization can certify and attest to the controls it has in place to protect the privacy of personal data. DigitalOcean aims to become one of the first cloud providers to certify to the rigid CBPR requirements.

Security resources

Recommended security measures to protect your servers

Security in DigitalOcean Teams

Security updates and vulnerability mitigation