These guidelines are intended for those seeking information about a DigitalOcean account, or looking to take action against a resource hosted on our network.
Safeguarding our users' data is vital to the trust our users place in our service to keep their data secure. For the most part, DigitalOcean's ability to disclose user information is governed by the Electronic Communications Privacy Act, 18 U.S.C. §2701, et seq. ("ECPA"). ECPA mandates that DigitalOcean disclose certain user information to law enforcement only in response to specific types of legal process, including subpoenas, court orders, and search warrants.
To request information for a site hosted on DigitalOcean, the site's IP address and a date range must be specifically included in the request. We can't process overly broad or vague requests. If your inquiry alerts us to a violation of our policies or Terms of Service, we will handle it via our usual abuse procedures which may include contacting the user regarding their misconduct or suspending the site entirely.
We cannot guarantee that we will have any given set of information for any particular user.
The length of time data is retained varies based on the type of information and actions of the user. Generally, Droplet contents are purged immediately upon deletion by the customer. Additionally, customers can control the format of their content (e.g. plain text, masked, or encrypted) and can delete or destroy server content whenever they choose. DigitalOcean accounts can contain various information, which is unverified and is provided at the user's discretion.
Before revealing information to anyone who is not the account owner, we require a valid subpoena, warrant, or court order that specifically requests it, unless we have a good faith belief that there is an emergency involving death or serious physical injury. See below for more details.
Here are some examples of data which we are unable to provide:
As US law permits, we may disclose user information to law enforcement without a subpoena or warrant when we believe that doing so without delay is necessary to prevent death or serious physical harm to an identifiable victim. We require emergency requests to be made in writing via email and include all the information available so that we may evaluate the urgency of the request. Please see the example imminent harm request below for emergency process details.
We notify users and provide them with a copy of any legal process regarding their account unless we are prohibited by law or court order from doing so (e.g., an order under 18 U.S.C. § 2705(b)). In those cases, we will notify users and provide them with a copy of the legal process when the non-disclosure order expires.
If a request for information is valid, we will preserve the necessary information, and then make a reasonable effort to notify any affected account owner(s) by sending a message to their verified email address. In most cases, upon notification to the user, that user will be provided with 7 calendar days to file an objection with the court or otherwise legally challenge the request. If, prior to the deadline, we receive notice from the user that he or she has filed an objection to challenge a request, no information will be delivered until that process concludes.
DigitalOcean honors requests from law enforcement to preserve information in accordance with 18 U.S.C. § 2703(f). Upon receiving a valid preservation request, DigitalOcean will preserve available account information associated with the username listed in the request in an offline file for up to 90 days and will extend the preservation for one additional 90-day period on a renewed request.
Preservation of data is restricted to what is specifically and explicitly requested. You must specify the type of data that is subject to the preservation request, including whether the request relates to subscriber/account information or server content data.
Any request for user information must include a valid email address for us to return the information or contact with questions. DigitalOcean communicates only via email with a confirmed receipt.
Where permitted, DigitalOcean prefers to receive service via email to firstname.lastname@example.org. Legal process can also be served by mail to:
Attn: Legal Department
101 Avenue of the Americas, 10th Floor
New York, NY 10013
Please make your requests as specific and narrow as possible, including the following information:
Please allow at least two weeks for us to be able to look into your request. DigitalOcean reserves the right to make changes to any of the foregoing practices in its sole discretion.
(Must be on the investigating agency or department letterhead and sent from an official governmental email address. Use the email subject "Emergency Disclosure Request". Please note that DigitalOcean's policy is to notify a customer when we receive emergency law enforcement requests 90 days after the request is received.)
I request release of records for the DigitalOcean account associated with _________________ [IP address, time range] on an emergency basis pursuant to 18 U.S.C. § 2702(b)(8) and § 2702(c)(4).
I have provided below answers to the following questions in enough detail as I am able in order to provide a good-faith basis for releasing records on an emergency basis:
Signature of Sworn Officer
Printed Name of Sworn Officer
(Must be on law enforcement department letterhead and sent from an official governmental email address)
Dear DigitalOcean Legal Team:
The below listed account is the subject of an ongoing criminal investigation at this agency, and it is requested pursuant to 18 U.S.C. § 2703(f) that the subscriber information associated with said account be preserved pending the issuance of a search warrant or other legal process seeking disclosure of such information:
If you have any questions concerning this request please contact me at [insert e-mail address and phone contact].
Thank you for your assistance in this matter.