DigitalOcean Security

We know how critical your data is to you and that you rely on DigitalOcean for your infrastructure. We run our production servers from DigitalOcean's cloud as well, so security is at the forefront of our thoughts, as it is yours.

Need to Report a Security Vulnerability?

Responsible Disclosure

We would like to keep DigitalOcean safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner.

Publicly disclosing a vulnerability can put the entire DigitalOcean community at risk. If you have discovered a possible vulnerability we would greatly appreciate you emailing us at [email protected]. We will work with you to assess and understand the scope of the issue and fully address any concerns. Any emails to [email protected] are immediately sent to our entire engineering staff to ensure that issues are addressed immediately. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.

We thank you in advance for any disclosures that you will send our way and would like to thank the following individuals for their contribution and help in keeping DigitalOcean secure!

  • Randy Morse
  • Kamal Nasser
  • Jesper Wallin
  • Luke Strickland
  • Kenneth White
  • Joshua Lund
  • Mike Cardwell
  • Neal Poole
  • Nicholas Zaillian
  • Rafael Pablos
  • Jigar Thakkar
  • Nitesh Shilpkar
  • J Muhammed Gazzaly
  • Alejandro Lazaro
  • Ehraz Ahmed
  • Umraz Ahmed
  • Sebastian Neef
  • Anand Prakash
  • Bitquark Security Research
  • Tejash Patel
  • Simon Brown
  • Bernardo Rodrigues
  • Harshit Shukla
  • Rupesh Reddy
  • Kamil Sevi
  • Osman Doğan
  • Lin Song
  • Guillaume Parent
  • Agastya Rz
  • Morgan Smith

Virtual Server Security & Employee Access

Virtual server security and data integrity are of the utmost concern at DigitalOcean. As a result, none of our technical support staff have any access to the backend hypervisors where virtual servers reside, nor direct access to the NAS/SAN storage systems where snapshots and backup images reside. Only our engineering team has direct access to the backend servers.

Physical Security

We use only premier datacenter facilities for colocating our equipment, including Equinix, Telx, and Telecity. Each site is staffed 24/7/365 with onsite security to protect against unauthorized entry. Each site has security cameras that monitor both the facility premises and each area of the datacenter internally. There are biometric readers for access as well as at least two-factor authentication to gain access to the building. Each facility is unmarked so as not to draw any additional attention from the outside and adheres to strict local and federal government standards.

Credit Card Security

We hand off credit card processing to BrainTree Payment Solutions. They power online transactions for thousands of businesses and SaaS platforms and comply with PCI standards in the storage and handling of credit card information. For PayPal transactions we pass customers directly to PayPal, which is also PCI compliant.

Communications

All communications with DigitalOcean are transmitted over SSL (HTTPS), both for access to the public website and for the API. We provide connectivity to the virtual servers via SSH and recommend that customers use SSH keys to set up their access.

Snapshot and Backup Security

Snapshots and Backups (images) are stored on an internal non-publicly visible network on NAS/SAN servers. Customers can directly manage how many regions their snapshots exist in, which allows them to increase the redundancy of the files that are stored in the backend.

Questions

We would love to hear from you if you have any questions regarding any specific policy that could be made clearer or any general inquiries regarding security.

Please email us directly at: [email protected]