We want to make the Internet a safer place for everyone to live, work, and prosper. We believe in holding ourselves accountable to maintaining the trust of our customers and only collecting the data necessary to serve our customers.
We collect self-reported data, which is data you voluntarily provide so we can provide our service. Self-reported data includes account data such as email address, provided name, and billing information. This also includes customer-provided user preferences and the information in support tickets.
We also receive data from third parties about you and collect data when you interact with our service. Depending on how you use our products and services, interaction data may include things like internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, clickstream data, landing page, and referring URL.
If you use a credit or debit card as your payment method, we process your payments through a third party payment processor, which stores and maintains your complete payment information on our behalf. We do not store your complete payment card number ourselves.
Employees do not have access to the content of your Droplets or Spaces unless you give us permission for support, we are required to access them as part of an active abuse or fraud investigation or where access is necessary to comply with a valid legal process.Access to the systems where backups and snapshots are maintained is limited and based on necessity.
Please share the Trust Platform with your customers. We are working on building out more assets in this space to actually prove our commitment to protecting your trust. We believe that being transparent about how we secure DigitalOcean and your data is more valuable than third-party compliance certifications. However, we understand that at times auditors and third parties are interested in these certifications. We have a dedicated Certifications Report page for these types of requests. If you have any specific questions that are not answered, please contact your account manager.
We believe in the right to privacy for all of our customers. However, we do provide specific disclosures regarding how we comply with GDPR and CCPA. For any specific questions, please reach out to email@example.com.
We love a free and open internet at DO, and we also accept that means the internet can be a bit of a mixed bag. Hanging a server onto the internet with a public-facing IP means within seconds, bots, brute-forcers, and stressors may happen.
We suggest these resources to help protect your server:
For more ideas, please read 7 Security Measures to Protect Your Servers.
For our Infrastructure as a Service products, we secure the system and the network your service runs on, inclusive of the management control plane.
If you are someone who uses our PaaS products, we extend our responsibility for security of those platforms further up-stack. Secure configurations, access, and patching are all part of the as-a-Service model for these products.
We’ll regularly communicate with you on major security mitigations throughout our fleet, such as those for processor class vulnerabilities.
We secure the service as detailed below depending on the product you are using:
The data you store is always yours to own and secure. We provide guidance and a handful of technologies on our platform for you to secure your instances. As we release new security functionality, we’ll update you in the Trust & Security section of our blog.
Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader “zero-trust” model for access to resources within our environment.
Although there are many reasons that we may need to alter or disable portions of our infrastructure, such as to maintain the integrity of our systems in an emergency, we do not typically take down customers’ infrastructure without warning under normal circumstances. However, our customers are sometimes targeted by malicious actors in ways outside of our control. For all our well-intended customers and community members whose Droplets might have been compromised and started doing illegal or harmful things on the internet, you may have your Droplet network interface shut down until you’re ready to recover and address the issue. In these cases, we’ll send you an email immediately upon shutting off the network interface and walk you through recovery. We always recommend employing best practices to secure your services, and more resources on this topic can be found in the Trust & Security section of our blog.
The dark side of the internet does exist, and there are those looking to harm others or defraud companies like us. It is a tricky balance to maintain and everyday we strive to keep the Internet a safer place for everyone.
We strive to create a safe, resilient environment where our customers and community can innovate with confidence. While we do a lot of things to make sure our environment is safe, we can make mistakes. When we do, we want you to let us know!
If you have discovered a vulnerability, please report it! We partner with HackerOne to run a public vulnerability disclosure program. We will not take legal action against nor ask law enforcement to investigate researchers who reach out and work with us in good faith, including:
If there are other things you want to talk with us about, please send an email to us at firstname.lastname@example.org. Our PGP key is on Github, or we can work with you to find a better way to communicate securely.
DigitalOcean is committed to working with third-party data center providers that maintain industry-leading access control, including video surveillance, security, access lists, and exit procedures. We regularly audit our data centers to meet our regulatory requirements and validate proper implementation of our security requirements.