Data Security

As part of DigitalOcean’s shared responsibility model, you are responsible for securing data stored on our services.

For data security purposes, we recommend that you protect DigitalOcean account credentials and set up individual user accounts with DigitalOcean Teams to help maintain proper access for your services. We also recommend that you secure your data in the following ways:

On Kubernetes 1.19 and later versions, we now provision two fully-managed firewalls for each new Kubernetes cluster. One firewall manages the connection within the VPC, and the other manages connections between worker nodes and the public internet.

Encryption At Rest

Kubernetes Secrets maintained in etcd are encrypted at rest. This is an additional layer of hardware encryption that provides even stronger security.

Encryption In Transit

All traffic to and from the Kubernetes API is secured by TLS.

Logging and Monitoring

For more information on how to set up monitoring for Kubernetes, please refer to the Kubernetes Monitoring Documentation. DigitalOcean does not offer audit logging at this time.


Kubernetes is audited by third-parties as part of DigitalOcean’s SOC 2 Type 2 report. For details on how to request, please visit our Trust Platform Certifications page.

Infrastructure Security

As an infrastructure as a service offering, DigitalOcean maintains the security of the infrastructure the Droplets are hosted on. For more details, please review our Infrastructure Security Overview page.

Data Center Location Availability

You can enable high-availability for your Kubernetes cluster. Please refer to the High Availability Documentation. At least one data center in every region supports Kubernetes.

Key Management

DigitalOcean manages encryption keys for etcd, TLS keys, and certificates for the Kubernetes API. We hand out credentials in the form of configuration files to your Kubernetes clusters (aka the kubeconfig) You are responsible for securing those credentials.