Security
Platform.sh lets you deliver amazing digital experiences, while keeping your site safe, secure, and available—24x7. Now you can navigate through changing requirements and updates as you’re protected against cyberattacks.
Data privacy in today’s world
Platform.sh takes your privacy seriously. We’re compliant with the European GDPR (DPA available), German BDSG (DPA available), Canadian PIPEDA, and CCPA. We’ve demonstrated our commitment to data security by achieving SOC 2 Type 1 certification in Security and Availability on Amazon Web Services (AWS), Microsoft Azure, Orange Cloud for Business, and Google Cloud Platform (GCP). The Service Organization Control (SOC) 2 certification is developed by the American Institute of Certified Public Accountants (AICPA) and is recognized as the gold standard for data security and privacy. Platform.sh has also undergone a PCI DSS gap analysis.
When you use Platform, you can:
- Know that your security comes first in everything we do. We promptly notify you if we detect a breach of security.
- Control what happens to your data. You can access it or take it out at any time.
- Know where your data is stored and rely on it being available when you need it. You define where your data is stored. We operate our service from multiple data centers with strong security practices that are independently validated by third-party auditors.
- Be confident knowing that customer data is not used for advertising. You own your data. We don’t process your data for advertising purposes.
We keep all your data private and safe
Cryptography and user security
All of our sites adhere to our cryptographic controls policy, which mandates the use of strong, industry-standard cryptographic measures. These measures include TLS for data in transit and encrypted disks, and support for 2FA.
Auto-redundant architecture
Our Enterprise offering comes with automated triple redundancy for every element of your stack, as well as automated full-cluster backups.
Security updates and stack management
Platform.sh provides security updates for every element of the stack as soon as they’re available—without service interruption.
Permissions and access management
Retain tight control and governance over user access via fine-grained, per-environment permissions.
Project and data isolation
Each project runs in isolation, with the most minimal network surface possible. Every service is network isolated from other services.
Global managed CDN
Platform.sh makes it easier to integrate your application with a CDN versus configuring all the CDN/cloud bits yourself.
Security updates and stack management
We keep your services secure, so your team can focus on building cool stuff.
Platform takes over the activities needed to manage the stack and perform infrastructure security updates saving you time, frustration, and money. So you can focus your efforts on building and maintaining world-class applications.
Instant and global updates
No more outdated software and libraries. Our seamless infrastructure rollouts enable you to stay current with all the latest versions. Updating your application is simply a lightning-fast redeploy away. Do it manually or automate it to fit your change windows.
New releases as they go stable
We follow a strict testing procedure for every release of new versions of runtimes and stack components.
Git-driven architecture
Every change to your infrastructure configuration is versioned and auditable, so you can have peace of mind.
Immutable architecture
Every application is deployed to a read-only file system. Any software install or change to the application is through a secure and auditable process.
Incident commanders
Should an incident occur, a dedicated engineer is assigned and responsible for executing our incident-management process through resolution.
Rigorous security incident procedures
Should an infrastructure security incident occur, our security incident-management process will be triggered. Our dedicated security team will bring their experience to bear, determining the root cause and mitigating the issue.
Project data and isolation
Create multiple, byte-for-byte clones of production—securely and in isolation
You can clone your environments endlessly to meet your development workflows and know that these environments are isolated from all others—even your own. If your data needs to stay in a specific geographic region, you can specify where you want that to be.
Secrets management
Limit the secrets available on a specific environment, and override each value with a test value for non-production environments.
Project isolation
Every project is fully isolated from others, either logically or physically.
Backup and restore
Snapshots, a coherent set of all containers with their state and project data, can be captured and restored.
Geographic isolation
You can specify which region to host your project in, and we'll ensure that your data stays within that region.
Permissions and access management
Safeguard confidentiality, integrity, and availability.
Retain complete control and governance of your application, while giving full flexibility to your developers to build, test, and deploy new features quickly.
Permissions per environment
Let developers freely and fearlessly create and work on test environments without worrying about changing or seeing production.
Goodbye passwords
SSH access is restricted to Public Key authentication only, ensuring only those who are supposed to log in, can.
Two-factor authentication
Any dashboard login can be enforced through a second authentication method.
Principle of least privilege
Permissions are set at minimum level and are managed through a central directory for terminations and audits.
Hardening measures
Eliminate risks and threats with added layers of protection.
Reduced attack surface
Our fully automated, reproducible build chain creates microcontainers, with no extraneous packages.
Hardened kernel and services
We run hardened Linux Kernels. All deployed packages come from signed internal repositories.
Platform.sh provides a modern, secure infrastructure to provide you with peace of mind. We lock down access to the extent possible, while allowing you to specify your services and routes.
Rootless operations
Operations are performed without using root and are fully automated. All operations are logged.
Restrictive firewall
Our infrastructure employs both security groups and iptable firewalls. Only HTTP/S and SSH are allowed in. Services run in full network isolation. You specify the routes your application needs.
Restricted access
SSH access is controlled per environment. All users are unprivileged.
Read-only containers
In our Professional offering, user code is run on read-only file system, so no changes can be made in the code once it’s deployed.
Multitier, secure, global managed CDN
Performance, security, and protection.
We work with you to apply the best caching strategy to optimize your application performance, uptime, and costs—without compromising security. Our Enterprise offering gives you a solid foundation of vital security measures to protect your customers’ personal information and other sensitive data.
DDoS mitigation
The CDN provides Distributed Denial of Service prevention.
Modern features
Your developers will love our additional modern features, like a built-in reverse proxy cache and TLS encryption on all connections.
99.99% uptime guarantee
This extends to the worldwide cache layer, so you can consistently deliver the best digital experience to your audiences.