In addition to the security of your account information, we also treat the data you store on our services with the utmost sensitivity. A Droplet launched in a specific geographic region will stay in that region unless the customer performs an action to change datacenters. Furthermore, backups and snapshots also remain in the same region in which the associated Droplet resides to avoid any international data transfer issues.
International Privacy Requirements
We understand the need for strict privacy regulations required by certain countries. For the European data protection acts Bundesdatenschutzgesetz (BDSG) and General Data Protection Regulation (GDPR), DigitalOcean is the "Data Processor" and the customer is the "Data Controller". We have setup a Data Processing Agreement (DPA) which can be signed by both DigitalOcean and the customer to meet these regulatory requirements. To obtain the DPA, or if you have any other privacy related questions please contact our Customer Support team here.
Payment Data Security
Credit / debit card purchases for DigitalOcean services are processed by the third-party vendor Stripe. When our customers provide their credit / debit card information on our website the data is sent to Stripe, i.e., the payment data is not stored on our systems.
For PayPal transactions, DigitalOcean passes the request to PayPal and the transaction occurs directly on the PayPal website. Therefore, the payment data is not stored on our systems. Both Stripe and PayPal power online financial transactions for thousands of businesses globally, and they are compliant with PCI-DSS standards for the storage and handling of payment information.
All communications with DigitalOcean are transmitted over TLS (HTTPS) for all of our services. We provide connectivity to our customer Droplets via SSH and recommend that customers use SSH keys to securely set up their access.