DORA at DO

Customers can deploy on DigitalOcean with trust in the organization’s risk management, security controls, operational resilience, incident management and reporting, and outsourcing and third party risk management.

Overview

The European Union's (“EU”) Digital Operational Resilience Act (DORA) is a regulation designed to strengthen the security and operational resilience of the financial services industry (FSI). The Act applies to FSI organizations (e.g., banks, insurance providers, and investment firms) as well as certain critical Information and Communications Technologies (ICT) providers that support those institutions. DORA aims to ensure that financial organizations maintain robust operational capabilities and can effectively withstand, respond to, and recover from disruptions, including cyber-attacks and significant IT outages.

DigitalOcean’s Support of DORA and Operational Resilience

The Company provides security, operational resilience, and risk management features intended to support customers with their internal DORA compliance and assessment efforts. The information in this section describes certain capabilities, tools, and resources available through the Company’s services and is provided for informational purposes only. These features do not constitute a representation or guarantee of DORA compliance.

Risk Management

  1. DigitalOcean (“we”) enforces and reviews existing security policies, procedures, and processes which guide our personnel in security practices
  2. We conduct annual risk assessments to evaluate threats to systems and data under our ownership or management. Identified risks are formally documented, prioritized, and tracked through remediation and mitigation activities overseen by our security team

Security Controls

  1. We maintain logical access policies and procedures, which cover aspects such as password requirements, access provisioning, and access termination
  2. We maintain logging and monitoring systems which analyze potential security vulnerabilities and alert the appropriate teams, as necessary
  3. We deploy routine vulnerability scans and penetration tests
  4. We manage and maintain a bug bounty program (see here for more information) to help identify and surface potential vulnerabilities and threats to our infrastructure

Operational Resilience

  1. We provide real-time updates to our service infrastructure on the DigitalOcean Status Page
  2. We maintain logging and monitoring systems which analyze resource utilization and system performance, and alert the appropriate teams of relevant issues we may need to address
  3. We have dedicated resources for managing platform availability and resiliency incidents. These resources review incident trends, conduct post-incident reviews, and manage post-incident mitigation activities
  4. We review business continuity and disaster recovery plans on an annual basis

Incident Management & Reporting

We document applicable incident response policies and procedures. Procedures include documenting, identifying, mitigating, and remediating security incidents

Outsourcing & Third-Party Risk Management

  1. We provide available DigitalOcean and data center provider certifications to customers through our Trust Center
  2. We perform vendor security reviews as part of the vendor onboarding process regarding the storage, access, or other processing of service content involving customer data, pursuant to our terms in our Data Processing Agreement

DigitalOcean Service Customer Controls and DORA Compliance Considerations

Customers are responsible for evaluating whether the services they deploy are configured, monitored, and governed in a manner appropriate for their compliance obligations. Customers may access additional information and supporting documentation provided by DigitalOcean as indicated below to assist in their further evaluation of the following areas.

Physical security

DigitalOcean’s colocated data center providers manage facility physical security. Information concerning each provider’s certifications can be found here.

Availability

The service level agreements (SLAs) for DigitalOcean’s products and services can be accessed on the DigitalOcean SLA page.

Monitoring

  1. Customers can use the DigitalOcean Monitoring service and Uptime Checks to obtain insights into the availability of their resources.
  2. Third-party logging tools may be available to support additional system logging and audit trail features. Customers can review available tools in the DigitalOcean Marketplace (these tools are subject to applicable provider terms and are not provided as part of the core DigitalOcean service).

Security Reviews

Customers may perform penetration testing on DigitalOcean services they deploy on the platform, provided such activities are conducted in accordance with platform guidelines and other service restrictions, and do not negatively affect other customers, shared infrastructure, or service availability (see our Acceptable Use Policy for more information on service restrictions).

Third-Party Risk Management

  1. DigitalOcean Service certification reports, as well as certification of our colocated data center providers, are available through our Trust Center.
  2. DigitalOcean will execute DORA Addendums upon a customer’s request. Please contact our Sales team to guide you through the process.
