Law Enforcement Guidelines
These guidelines are intended for those seeking information about a DigitalOcean account, or looking to take action against a resource hosted on our network.
Requesting DigitalOcean User Information
Safeguarding our users' data is vital to the trust our users place in our service to keep their data secure. For the most part, DigitalOcean's ability to disclose user information is governed by the Electronic Communications Privacy Act, 18 U.S.C. § 2701, et seq. ("ECPA"). ECPA mandates that DigitalOcean disclose certain user information to law enforcement only in response to specific types of legal process, including subpoenas, court orders, and search warrants.
To request information for a site hosted on DigitalOcean, the site's IP address and a date range must be specifically included in the request. We can't process overly broad or vague requests. If your inquiry alerts us to a violation of our policies or Terms of Service, we will handle it via our usual abuse procedures, which may include contacting the user regarding their misconduct or suspending the site entirely.
What Information Is Available?
- The email address currently assigned to the account.
- The IP address from which a site was created.
- The date and time at which a site was created.
- First name, last name, and phone number (if a user elects to provide this information).
- The PayPal or Stripe transaction information for purchases (this does not include credit card or bank account information, but may include country code or postal code).
- Physical address (if a user elects to provide this information).
- The contents of the Droplet itself (if the Droplet has not been deleted by the user).
We cannot guarantee that we will have any given set of information for any particular user.
The length of time data is retained varies based on the type of information and actions of the user. Generally, Droplet contents are purged immediately upon deletion by the customer. Additionally, customers can control the format of their content (e.g. plain text, masked, or encrypted) and can delete or destroy server content whenever they choose. DigitalOcean accounts can contain various information, which is unverified and is provided at the user's discretion.
Before revealing information to anyone who is not the account owner, we require a valid subpoena, warrant, or court order that specifically requests it, unless we have a good faith belief that there is an emergency involving death or serious physical injury. See below for more details.
What Information Is Unavailable?
Here are some examples of data which we are unable to provide:
- Connection Logs.
- Credit Card information.
- Local and long distance telephone connection records.
- Records of session times and durations.
- MAC addresses.
- Telephone or instrument numbers.
Requests from Government Agencies/Law Enforcement
- Except in emergencies (see more below), DigitalOcean turns over protected user information only upon receipt of a valid subpoena, ECPA US court order, or search warrant. Additionally, we will notify affected users about any requests for their account information, unless prohibited from doing so by law or court order (see more below).
- Upon receipt of a valid subpoena, if these pieces of information are available, we can provide user registration information such as the first and last names, phone number, email address, the date/time stamped IP address from which a site was created, the physical address, and the PayPal / Stripe transaction information.
- Upon receipt of a valid ECPA court order, if these pieces of information are available, we can provide access logs which might reveal a user's movements over a period of time, account or private repository settings (for example, which users use certain services, etc.), and security access logs other than account creation or for a specific time and date.
- Upon receipt of a valid search warrant, if these pieces of information are available, we can disclose content of customer virtual machines, the content of user communications with customer support, or other forms of content data.
- For legal requests from government agencies/law enforcement outside of the United States, we require that the request be served via (1) a United States court, (2) an enforcement agency under the procedures of an applicable mutual legal assistance treaty (MLAT), or (3) an order from a foreign government that is subject to an executive agreement that the Attorney General of the United States has determined and certified to Congress satisfies the requirements of 18 U.S.C. § 2523.
As US law permits, we may disclose user information to law enforcement without a subpoena or warrant when we believe that doing so without delay is necessary to prevent death or serious physical harm to an identifiable victim. We require emergency requests to be made in writing via email and include all the information available so that we may evaluate the urgency of the request. Please see the example imminent harm request below for emergency process details.
Notification to DigitalOcean Users
We notify users and provide them with a copy of any legal process regarding their account unless we are prohibited by law or court order from doing so (e.g., an order under 18 U.S.C. § 2705(b)). In those cases, we will notify users and provide them with a copy of the legal process when the non-disclosure order expires.
If a request for information is valid, we will preserve the necessary information, and then make a reasonable effort to notify any affected account owner(s) by sending a message to their verified email address. In most cases, upon notification to the user, that user will be provided with 7 calendar days to file an objection with the court or otherwise legally challenge the request. If, prior to the deadline, we receive notice from the user that he or she has filed an objection to challenge a request, no information will be delivered until that process concludes.
Preservation Requests for DigitalOcean Sites
DigitalOcean honors requests from law enforcement to preserve information in accordance with 18 U.S.C. § 2703(f). Upon receiving a preservation request on law enforcement department letterhead, DigitalOcean will preserve available account information associated with the username listed in the request in an offline file for up to 90 days and will extend the preservation for one additional 90-day period on a renewed request.
Serving Process on DigitalOcean and Making Inquiries
Any request for user information must include a valid email address so that we can return the information or contact you with questions. DigitalOcean communicates only via email with a confirmed receipt.
Where permitted, DigitalOcean prefers to receive service via email to firstname.lastname@example.org. Legal process can also be served by mail to:
Attn: Legal Department
101 Avenue of the Americas, 10th Floor
New York, NY 10013
Please make your requests as specific and narrow as possible, including the following information:
- Full information about the authority issuing the request for information
- The name and badge/ID of the responsible agent
- An official email address and contact phone number
- The IP address, date range, domain name(s) of interest
- The description of the types of records you need
Please allow at least two weeks for us to be able to look into your request. DigitalOcean reserves the right to make changes to any of the foregoing practices in its sole discretion.
Example form for an imminent harm request
(Must be on the investigating agency or department letterhead and sent from an official governmental email address. Use the email subject "Emergency Disclosure Request". Please note that DigitalOcean's policy is to notify a customer of an emergency law enforcement request 90 days after the request is received.)
I request release of records for the DigitalOcean account associated with _________________ [IP address, time range] on an emergency basis pursuant to 18 U.S.C. § 2702(b)(8) and § 2702(c)(4).
I have provided below answers to the following questions in as much detail as I am able in order to provide a good-faith basis for releasing records on an emergency basis:
- What is the nature of the emergency involving a danger of death or serious physical injury?
- Whose death or serious physical injury is threatened?
- What specific information in DigitalOcean's possession related to the emergency are you requesting?
Signature of Sworn Officer
Printed Name of Sworn Officer
Example form for a Preservation Request
(Must be on law enforcement department letterhead and sent from an official governmental email address)
Dear DigitalOcean Legal Team:
The below listed account is the subject of an ongoing criminal investigation at this agency, and it is requested pursuant to 18 U.S.C. § 2703(f) that the subscriber information associated with said account be preserved pending the issuance of a search warrant or other legal process seeking disclosure of such information:
- [Specify IP address and date of account to be preserved]
If you have any questions concerning this request please contact me at [insert e-mail address and phone contact].
Thank you for your assistance in this matter.