Trust Controls

DigitalOcean is proud to maintain SOC 2, SOC 3, and Global CBPR certifications, as well as eligibility to process HIPAA and DORA workloads.

DigitalOcean provides a reliable cloud infrastructure platform designed to help you deploy, manage, and scale applications without the friction of traditional hardware management. The platform operates across multiple global regions.

Platform Service Offerings and Availability

The infrastructure consists of a multi-tier virtualized architecture including web and database servers, storage, and network monitoring tools. Services are divided into three primary models with specific uptime service level agreements (SLAs):

| Service Category | Core Products | Uptime SLA |
|---|---|---|
| IaaS (Infrastructure) | Droplets, GPU Droplets, Volumes Block Storage, and Spaces | For more information on Product SLAs, please see our Service-Level Agreements homepage. |
| PaaS (Platform) | Kubernetes (DOKS), Managed Databases, App Platform, and Container Registry | For more information on Product SLAs, please see our Service-Level Agreements homepage. |
| FaaS (Function) | Functions (on-demand code blocks) | For more information on Product SLAs, please see our Service-Level Agreements homepage. |

Security and Operational Procedures

DigitalOcean follows standardized procedures to maintain platform stability and protect your assets:

  • Access and Authentication: Employee access to system information is protected by authentication and authorization mechanisms defined in detailed policies, which are audited annually. These policies also formalize the procedures and systems that facilitate the provisioning and deprovisioning of employee access (e.g., all access to sensitive systems must be approved by a direct supervisor or software owner).
  • System Monitoring: Logging and monitoring tools analyze, identify, and report possible or actual security vulnerabilities or malicious activities on production hosts in real time. These tools are configured to alert the appropriate team once predefined thresholds are exceeded.
  • Penetration Testing: Independent security professionals perform penetration tests on at least an annual basis to identify security vulnerabilities. These vulnerabilities are triaged by the security team and monitored through resolution as appropriate.
  • Bug Bounty Program: DigitalOcean partners with Intigriti to maintain a paid bug bounty program, which provides a safe, structured method for security researchers to report potential issues to the security team.
  • Encryption and Malware: Web communication sessions are encrypted, and encrypted VPNs are used for remote access. Anti-malware software is installed on workstations to scan endpoints in real time.
  • Incident Response: A dedicated security team manages incident response through a formalized process of identification, containment, remediation, and documentation.
  • Change Management: DigitalOcean uses an automated deployment tool to support a continuous integration and deployment (CI/CD) model for managing infrastructure as code. A production pipeline is configured within the automated deployment tool for each added product or service as a component of the Operational Acceptance Review (OAR) process. Once a pipeline build is created within the automated deployment tool, changes made within the software development platform undergo the configured steps included in the build. The ability to make changes to high-severity pipeline builds is restricted to authorized personnel and requires automated validation testing.
  • Business Continuity: The engineering team meets weekly to review incident trends, post-incident reviews (PIR), and action items associated with PIRs. Action items consider the time to detect, severity, root cause, impact to availability, and customer impact of incidents. The team also conducts annual tabletop exercises to test disaster recovery plans.
  • Media Destruction: Third-party vendors are contracted to destroy physical hardware at collocated data centers and provide certificates of destruction to evidence destruction services.
  • Vendor Due Diligence: Security personnel perform due diligence on vendors by reviewing third-party compliance reports or requiring completed security questionnaires. Ongoing relationships are re-evaluated during the contract renewal process.

Performance and Privacy Compliance

DigitalOcean effectively manages its privacy and security commitments. We have implemented necessary safeguards, including physical and technical access controls, regular employee training, and breach notification processes. Our third-party audits are free from exceptions, demonstrating that our platform meets established standards for security and availability.

Your Responsibilities

While DigitalOcean manages the platform, you are responsible for several key areas:

Account Safety

You should establish strong passwords and use multi-factor authentication for the user interface.

Data Resilience

You must develop your own data backup procedures and disaster recovery plans.

Incident Reporting

You are responsible for immediately notifying DigitalOcean of any suspected security breaches or compromised accounts.

Service Supervision

You are responsible for the supervision and management of the use of DigitalOcean services by your personnel.

Working Together

DigitalOcean is proud to partner with its customers to build a safe and secure development environment for growth and innovation. With our plethora of accessible resources, we empower you to strengthen your security posture effortlessly. For more information, please refer to our Security Best Practices Guide and our Security Reports & Certifications Center.
