Security

I need to know and verify that my site is secure.

All changes to code happen through Git.

Sometimes users commit broken code. But if they do...

There's no secret. It's right there in the Git log.

Who, When, and Where.

The server is read-only. No one can "fix it live" and forget it.

That means even if a site is compromised, the code can't be.

The Administrator can add Jorge to

the integration branch as a Contributor.

But don't worry.

While this user can commit to the integration branch...

They can't merge it to master without a review.

No one likes broken code, even on Fridays.

Security is on us.

You pick the major version; we handle security updates

  • Operating System
  • System software
  • Services

Secure-by-design architecture

Hardened services

We run hardened Linux Kernels, and all deployed packages come from internal signed repositories.

No-root operation

Operations are fully automated. All operations are logged.

Restrictive firewall

Only HTTP/S and SSH are allowed in. Services run in full network isolation.

Restricted access

SSH access is controlled per-environment. All users are unprivileged.

2FA available

Any login to the dashboard can be enforced through a second authentication method.

TLS everywhere

Free TLS certificates included in every project, or bring your own.

Compliance

Platform.sh is compliant with the GDPR, BDSG, and PIPEDA.

Our cloud partners are certified under

multiple compliance frameworks.