This page covers the protection and compliance measures Vercel takes to ensure the security of your data, including DDoS protection, SOC2 Type 2 compliance, Data encryption, and more.

DDoS protection

What's the difference between DoS and DDoS?

A Denial of Service attack (DoS) happens when one computer attempts to exhaust the resources of a system by sending a large amount of data to a server or network. These attacks can often be mitigated by finding and closing off the connection to the source of the attack.

A Distributed Denial of Service attack (DDoS) happens when multiple connected devices are used to simultaneously overwhelm a website with targeted, fake traffic. The end goal of this attack is to bring down the servers hosting the website.

Open System Interconnection (OSI) Model

Different attack types can target different layers of the OSI model. The OSI model is a concept that outlines the different communication steps of a networking system.

Layer 1, the physical layer, handles the transmission of raw, unstructured data over the network.

Layer 2, the data link layer, handles the connection between physically connected nodes in a network. It is itself split into two sublayers: Logical Link Control (LLC), which handles network protocols, and Media Access Control (MAC), which uses MAC addresses to connect devices. The data link layer splits packets of data into frames.

Layer 3, the network layer, receives frames from the data link layer and sends the packets they carry to their destination using IP addresses. Routers use this layer to route information between networks.

Layer 4, the transport layer, transmits data using the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Layer 5, the session layer, controls the communication between different computers by handling connections and services, including authentication. At this layer sessions are created, maintained while data is transferred, and closed once finished.

Layer 6, the presentation layer, prepares data for the application layer by formatting it into the syntax the application layer expects. Encryption and decryption are also handled at this layer.

Layer 7, the application layer, is where the end user interacts with software, such as browsers or email clients. Common application layer protocols include:

  • HTTP - Hypertext Transfer Protocol (HTTP) is a stateless, request-response protocol. HTTP is used to send and receive data from a web server.
  • HTTPS - Hypertext Transfer Protocol Secure (HTTPS) is a secure version of HTTP. HTTPS is used to send and receive data from a web server.
  • SMTP - Simple Mail Transfer Protocol (SMTP) is a stateless, request-response protocol. SMTP is used to send and receive data from a mail server.

DDoS attacks most often target layer 3 (network), layer 4 (transport), and layer 7 (application) of the OSI model. Vercel's DDoS protection mitigates L3, L4, and L7 DDoS attacks, and protects the entire platform and all customers from attacks that would otherwise affect reliability.

Layer 3 DDoS

The goal of a Layer 3 (L3) DDoS attack is to crash or slow down networks, servers, and programs. It targets the network layer, as opposed to the transport or application layer. Layer 3 DDoS attacks are often aimed at specific IP addresses, but can also target entire networks.

Layer 4 DDoS

The goal of a Layer 4 (L4) DDoS attack is to crash or slow down applications. It targets the three-way handshake performed when a TCP connection is opened; this is often called a SYN flood. Layer 4 DDoS attacks are usually aimed at specific ports, but can also target entire protocols.

Layer 7 DDoS

The goal of a Layer 7 (L7) DDoS attack is to crash or slow down software at the application layer, for example by flooding it with HTTP GET and POST requests. These attacks are often quiet and look to exploit weaknesses by sending many individually innocuous requests to a single page.
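The two traffic patterns described above, a SYN flood (many handshakes that are never completed) and an L7 request flood (many individually valid requests concentrated on one page from many sources), can be told apart in captured traffic records. This is an added defender-side example, not Vercel's code; the record fields (src, sport, flags, method, path) and the thresholds are assumptions, and the sample records are constructed.

```javascript
// Added example (not Vercel's code): classify traffic samples into the
// L4 (SYN flood) and L7 (HTTP request flood) patterns the page describes.
// Record field names are assumptions; the samples below are constructed.

// L4 pattern: count SYNs per source that are never followed by the
// completing ACK of the three-way handshake (half-open connections).
function synFloodSources(tcpEvents, threshold) {
  const halfOpen = new Map(); // src -> SYNs still lacking a completing ACK
  const pending = new Set();  // "src:sport" keys of handshakes in progress
  for (const ev of tcpEvents) {
    const key = `${ev.src}:${ev.sport}`;
    if (ev.flags === 'S') {
      pending.add(key);
      halfOpen.set(ev.src, (halfOpen.get(ev.src) || 0) + 1);
    } else if (ev.flags === 'A' && pending.delete(key)) {
      halfOpen.set(ev.src, halfOpen.get(ev.src) - 1); // handshake completed
    }
  }
  return [...halfOpen].filter(([, n]) => n >= threshold).map(([src]) => src);
}

// L7 pattern: many GET/POST requests to one path, spread over many sources,
// each request looking innocuous on its own. Returns the flooded paths.
function requestFloodPaths(httpEvents, { minRequests, minSources }) {
  const byPath = new Map(); // path -> { count, sources }
  for (const ev of httpEvents) {
    if (ev.method !== 'GET' && ev.method !== 'POST') continue;
    const stat = byPath.get(ev.path) || { count: 0, sources: new Set() };
    stat.count += 1;
    stat.sources.add(ev.src);
    byPath.set(ev.path, stat);
  }
  return [...byPath]
    .filter(([, s]) => s.count >= minRequests && s.sources.size >= minSources)
    .map(([path]) => path);
}

// Constructed sample: one host leaves 5 handshakes half-open, one host
// completes its handshake, and 6 bots hammer /login while /about is quiet.
const tcpSample = [
  ...Array.from({ length: 5 }, (_, i) => ({ src: '203.0.113.7', sport: 40000 + i, flags: 'S' })),
  { src: '198.51.100.2', sport: 5000, flags: 'S' },
  { src: '198.51.100.2', sport: 5000, flags: 'A' },
];
const httpSample = [
  ...Array.from({ length: 30 }, (_, i) => ({ src: `192.0.2.${i % 6}`, method: i % 2 ? 'POST' : 'GET', path: '/login' })),
  { src: '198.51.100.2', method: 'GET', path: '/about' },
];
```

Running the two functions over the samples flags 203.0.113.7 as a SYN-flood source and /login as a flooded path, while the completed handshake and the single /about request are left alone.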

Access control

Deployments can be protected with Password protection and SSO protection. Password protection is available for Teams on Pro and Enterprise plans, while SSO protection is only available for Teams on the Enterprise plan. Both methods can be used to protect Preview and Production deployments.

Password protection

Password protection applies to Preview deployments, not Production deployments. This feature can be enabled via the Teams Project dashboard.

SSO protection

Single Sign-On (SSO) protection applies to Preview deployments, not Production deployments. When enabled, a person whose Personal Account is a member of the Team can use their login credentials to access the deployment. This feature can be enabled via the Team's Project dashboard.

Both Password protection and SSO protection can be enabled at the same time. When this is the case, the person trying to access the deployment is offered a choice of either method.

Compliance

SOC2

System and Organization Controls 2 (SOC2) is an auditing standard that verifies a cloud service provider manages customer data securely and protects privacy. Vercel is SOC2 Type 2 compliant.

GDPR

The General Data Protection Regulation (GDPR) is a comprehensive EU-wide data protection law that governs the use, sharing, transfer, and processing of EU residents' personal data.

Vercel is GDPR compliant, which means that we commit to the following:

  • Maintaining appropriate technical and organizational security measures surrounding customer data
  • Notifying our customers without undue delay of any data breaches
  • Holding our sub-processors to the same level of data protection that we are committed to
  • Honoring our EU customers' rights to access and erasure, among others

For more information on how Vercel protects your personal data, and the data of your customers, please refer to our Privacy Policy.

PCI

The Payment Card Industry Data Security Standard (PCI DSS, commonly shortened to PCI) defines the security and privacy requirements for processing payment card data.

Vercel does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.

Infrastructure

The Vercel Edge Network and deployment platform primarily uses Amazon Web Services (AWS), and currently has 16 different regions and an Anycast network with global IP addresses.

In the case of an AWS outage, our network is resilient to regional downtime. Vercel will automatically route traffic to the nearest available edge.

Data encryption

Vercel encrypts data at rest (on disk) with the 256-bit Advanced Encryption Standard (AES-256). While data is in transit (en route between source and destination), Vercel uses HTTPS with TLS 1.3.

Data backup

Vercel backs up customer data every hour, and each backup is retained for 30 days. Automatic backups are taken without affecting the performance or availability of database operations.

All backups are stored separately in a storage service, and those backups are globally replicated for resiliency against regional disasters. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.

Do Enterprise accounts run on a different infrastructure?

Enterprise Teams on Vercel have their own build infrastructure, ensuring isolation from Hobby and Pro accounts on Vercel.

Penetration testing & Audit scans

Vercel conducts regular penetration testing through third-party penetration testers, and has daily code reviews and static analysis checks.