As part of DigitalOcean’s shared responsibility model, you are responsible for securing data stored on our services.
For data security purposes, we recommend that you protect DigitalOcean account credentials and set up individual user accounts with DigitalOcean Teams to help maintain proper access for your services. We also recommend that you secure your data in the following ways:
Enable two-factor authentication (2FA) by default.
Use SSL/TLS to communicate with DigitalOcean resources. We recommend TLS 1.2 or later.
Follow our VPC Best Practices Guide.
You can configure cloud firewalls with varying degrees of granularity to filter traffic to and from your Droplet’s services, such as only allowing inbound SSH connections to your Droplet from a specific range of IP addresses. These filters are called rules. Each firewall can have up to 50 total incoming and outgoing rules. A DigitalOcean Cloud Firewall can protect a maximum of 10 individual Droplets. A cloud firewall can protect more than 10 Droplets if the firewall is applied to an entire tag of Droplets.
You can create and apply cloud firewalls using the DigitalOcean Control Panel or API. You can also use third-party firewall software on your Droplets, such as UFW, iptables, or CSF, but they require some manual configuration and ongoing maintenance. You are solely responsible for the third-party firewall or software of any kind installed on your Droplet.
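As an added example (not DigitalOcean's own code), the following builds a cloud firewall request body that restricts inbound SSH to one admin range and checks it against the limits stated above (50 rules in total, 10 individually attached Droplets, tags for more) before anything is sent. The body shape follows the public Firewalls API as I know it (name, inbound_rules, outbound_rules, droplet_ids, tags); confirm field names against the current API reference, and the addresses, Droplet IDs and tag names are constructed placeholders.

```python
"""Build and sanity-check a DigitalOcean Cloud Firewall spec before POSTing it to the API."""
import ipaddress
import json

MAX_RULES = 50     # combined inbound + outbound rules per firewall (documented limit)
MAX_DROPLETS = 10  # individually attached Droplets; attach by tag to cover more


def _check_cidrs(cidrs):
    for cidr in cidrs:
        ipaddress.ip_network(cidr, strict=False)  # raises ValueError on a malformed CIDR


def inbound_rule(protocol, ports, sources):
    """Allow protocol/ports inbound only from the given CIDR sources."""
    _check_cidrs(sources)
    return {"protocol": protocol, "ports": ports, "sources": {"addresses": list(sources)}}


def outbound_rule(protocol, ports, destinations):
    """Allow protocol/ports outbound only to the given CIDR destinations."""
    _check_cidrs(destinations)
    return {"protocol": protocol, "ports": ports, "destinations": {"addresses": list(destinations)}}


def build_firewall(name, inbound, outbound, droplet_ids=(), tags=()):
    """Return the request body, or raise ValueError if it breaks a documented limit
    or leaves SSH reachable from every address."""
    total = len(inbound) + len(outbound)
    if total > MAX_RULES:
        raise ValueError(f"{total} rules exceeds the {MAX_RULES}-rule limit")
    if len(droplet_ids) > MAX_DROPLETS:
        raise ValueError(f"{len(droplet_ids)} Droplets exceeds {MAX_DROPLETS}; attach a tag instead")
    for rule in inbound:
        open_to_all = {"0.0.0.0/0", "::/0"} & set(rule["sources"]["addresses"])
        if rule["protocol"] == "tcp" and rule["ports"] == "22" and open_to_all:
            raise ValueError("inbound SSH is open to all addresses; restrict the source range")
    return {"name": name, "inbound_rules": list(inbound), "outbound_rules": list(outbound),
            "droplet_ids": list(droplet_ids), "tags": list(tags)}


if __name__ == "__main__":
    fw = build_firewall(
        "web-fw",
        inbound=[inbound_rule("tcp", "22", ["203.0.113.0/24"]),       # constructed admin range
                 inbound_rule("tcp", "443", ["0.0.0.0/0", "::/0"])],  # public HTTPS
        outbound=[outbound_rule("tcp", "443", ["0.0.0.0/0", "::/0"])],
        tags=["web"],  # constructed tag; covers every Droplet carrying it, beyond the 10-Droplet cap
    )
    print(json.dumps(fw, indent=2))  # body for POST /v2/firewalls
```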
Users can set up SSL passthrough to send encrypted SSL packets directly to the backend Droplet pool via the VPC network. This helps secure traffic between the load balancer and the backend Droplets. You can integrate with Let’s Encrypt certificates.
Users can set up SSL termination, which decrypts SSL requests at the load balancer and sends them unencrypted to the backend via the Droplets’ private IP addresses. SSL termination places the slower and more CPU-intensive work of decryption on the load balancer and simplifies certificate management. Decrypted traffic between the load balancer and its Droplets is secured by routing over the VPC network.
With SSL termination, traffic between the LBaaS and the Droplet/DOKS nodes is no longer TLS encrypted. If you are a service reseller, hosting multiple customers in the same VPC will mean your customers are visible to one another in the VPC.
DigitalOcean’s Marketplace offers Papertrail, a log management solution capable of installing in seconds and providing instant log visibility.
Networking products are audited by third parties as part of DigitalOcean’s SOC 2 Type 2 report. For details on how to request the report, please visit our Trust Platform Certifications page.
As a platform-as-a-service offering, DigitalOcean maintains the security of the infrastructure that Networking products are hosted on. For more details, please review our Infrastructure Security Overview page.
VPC is available in all regions. You can create multiple, non-overlapping VPCs in the same region.