Security that
scales with you.

Yes. Vercel Enterprise customers are covered by two forms of DDoS protection. Our systems can automatically detect and block malicious attacks on customer sites. For significantly larger, distributed attacks, we work closely with the customer to ensure your site(s) stay online. The combination of automated prevention and direct communication from our Customer Success Managers helps ensure your site is resilient to attacks. Contact us to learn more.

Yes, Vercel has a SOC 2 Type 2 attestation. Contact us for more details or to access the report.

Yes. For more information, see our Privacy Policy. No data is stored permanently inside EU regions. Static assets and Serverless Functions responses can be cached in EU regions, but it is ephemeral. Vercel provides a Data Processing Addendum (DPA) which describe our Technical and Organizational Security Measures. For more information, our Privacy Policy explains how information is collected, used, processed and disclosed by Vercel.

Yes, Vercel is ISO 27001:2013 certified. Contact us for more details or to access the certificate.

Yes, Vercel is certified under the DPF. Our public listing is available at https://www.dataprivacyframework.gov/list. For more information, see our Privacy Notice.

Vercel supports HIPAA compliance for enterprise customers. Our HIPAA report is available upon request at security.vercel.com. Contact us for more details if HIPAA is important for you.

Yes, Vercel has a Self-Assessment Questionnaire (SAQ)-D Attestation of Compliance (AOC) for Service Providers and a Self-Assessment Questionnaire (SAQ)-A Attestation of Compliance (AOC) for Merchants based on PCI DSS v4.0. Contact us for more details or to access these reports.

Yes. Vercel offers flexible access options. Any plan has access to Deployment Protection which include Vercel Authentication and Shareable Links (Hobby plan limited to 1 link per account). Customers on the pro plan can opt-in to Advanced Deployment Protection for $150 which offers Password Protection, Deployment Protection Exceptions and Private Production Deployments.

Yes. Data is encrypted at rest (AES-256) and in transit (HTTPS / TLS), including sensitive information like access tokens and secrets.

Yes. Our current backup interval is every two hours and each backup is persisted for 1 month. Automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service, and those backups are globally replicated for resiliency against regional disasters. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.

The Vercel Edge Network & deployment platform primarily uses Amazon Web Services (AWS). In the case of an AWS outage, our network is resilient to regional downtime. Vercel will automatically route traffic to the nearest available edge. Vercel.com uses Azure CosmosDB to store and globally replicate data, which is different than our Edge Network. This is an additional step taken to ensure uptime for applications on our platform.

Enterprise Teams on Vercel have their own build infrastructure ensuring isolation from Hobby/Pro accounts on Vercel.

Yes. Vercel conducts regular penetration testing with third-party experts. In addition to our annual penetration tests, we consistently perform targeted assessments on an ongoing basis. We also implement daily code reviews, static analysis checks, and dependency scanning at the code level. Our cloud security posture management platform (CSPM) facilitates workload vulnerability scanning. Pro and Enterprise customers have access to our latest annual penetration testing reports.

Yes, a list of our current subprocessors can be found on our subprocessors page.

Yes. Vercel has a Private Bug Bounty program that rewards researchers for finding and reporting security vulnerabilities. For more information, or to report a vulnerability, please reach out to us at responsible.disclosure@vercel.com

Yes, Vercel offers a project-level configurable WAF. This builds upon the robust protection of our platform-wide firewall, adding an extra layer of defense against common web threats. Our WAF gives you greater visibility and control over your application's security, empowering you to build with confidence. Learn more about Vercel's WAF in our blog post.

Yes. Vercel offers managed rulesets, including one specifically designed to protect against the OWASP Top 10 risks. This feature is available on Enterprise plans.

Vercel Access Security is a multi-layered system that ensures the right people have access to the right resources, including deployments and workspaces. It uses role-based access control (RBAC), single sign-on (SSO), directory synchronization, and other features to verify user identities and control their permissions within the Vercel dashboard. This ensures that only authorized users can access sensitive information and perform specific actions.

Vercel Infrastructure Security is our comprehensive approach to protecting your applications and data at the infrastructure level. We implement multiple layers of security, including SSL Certificates and HTTPS encryption, hardened backend, Vercel-managed infrastructure, and Secure Compute for customers to define a trusted perimeter around their applications and connected services, providing an additional layer of isolation and protection.

Vercel's Application Security is a comprehensive suite of built-in security tools that act as a protective shield for your applications, filtering out malicious or unwanted traffic and ensuring that only legitimate users can access your applications. This approach enhances security by protecting your applications from attacks and vulnerabilities, optimizes performance by ensuring efficient infrastructure use, and improves cost efficiency by preventing unnecessary traffic. Vercel's native application security tools provide a level of protection and performance optimization that sets us apart from other providers.