This page covers the protection and compliance measures Vercel takes to ensure the security of your data, including DDoS mitigation, SOC2 Type 2 compliance, Data encryption, and more.
System and Organization Control type 2 (SOC2) is a form of auditing that ensures a cloud service provider manages customer data, and protects privacy. Vercel is SOC2 Type 2 compliant.
General Data Protection Regulation (GDPR), is a comprehensive EU-wide data protection law that governs the use, sharing, transfer, and processing of EU resident personal data.
Vercel is GDPR compliant, which means that we commit to the following:
- Maintaining appropriate technical and organizational security measures surrounding customer data
- Notify our customers without undue delay of any data breaches
- Hold our sub-processors to the same level of data protection that we are committed to
- Honor our EU customer's right to access and erasure, among others
For more information on how Vercel protects your personal data, and the data of your customers, please refer to our Privacy Policy.
Payment Card Industry Data Security Standard (PCI) is a standard that defines the security and privacy requirements for payment card processing.
Vercel does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
The Vercel Edge Network and deployment platform primarily uses Amazon Web Services (AWS), and currently has 18 different regions and an Anycast network with global IP addresses.
We use a multi-layered security approach that combines people, processes, and technology, including centralized IAM, to regulate access to production resources.
We use cloud security processes to develop and implement procedures for provisioning, configuring, managing, monitoring, and accessing cloud resources. Any changes made in production environments are managed through change control using Infrastructure as Code (IaC).
To ensure always-on security, Vercel's edge infrastructure uses a combination of cloud-native and vendor tooling, including cloud security posture management tooling for continuous scanning and alerting.
When an AWS outage occurs in a region, Vercel will automatically route traffic to the nearest available edge, ensuring network resilience.
Vercel operates on a shared responsibility model with customers. Customers have the ability to select their preferred region for deploying their code. The default location for serverless functions is the U.S., but there are dozens of regions globally that can be used.
Additionally, Vercel may transfer data to and in the United States and anywhere else in the world where Vercel or its service providers maintain data processing operations. Please see Vercel's Data Processing Addendum for further details.
- Vercel uses AWS Global Accelerator and Anycast network to automatically reroute traffic to another region in case of regional failure
- Edge functions and Edge Middleware switch to another region automatically using Cloudflare's automatic failover feature
- Our core database and data plane is a globally replicated database with rapid manual failover, using multiple availability zones
With region-based failover, Vercel data is replicated across multiple regions, and a failover is triggered when an outage occurs in a region. Rapid failover is then provided to secondary regions, allowing users continuous access to critical applications and services with minimal disruption.
To meet RTO/RPO goals, Vercel conducts recurring resiliency testing. This testing simulates regional failures. Throughout testing, service statuses are also monitored to benchmark recovery time, and alert on any disruptions.
Vercel encrypts data at rest (when on disk) with 256 bit Advanced Encryption Standard (AES-256). While data is in transit (on route between source and destination), Vercel uses HTTPS/TLS 1.3.
Vercel backs-up customer data at an interval of every hour, each backup is persisted for 30 days, and is globally replicated for resiliency against regional disasters. Automatic backups are taken without affecting the performance or availability of the database operations.
All backups are stored separately in a storage service. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.
Enterprise Teams on Vercel have their own build infrastructure ensuring isolation from Hobby/Pro accounts on Vercel.
Vercel conducts regular penetration testing through third-party penetration testers, and has daily code reviews and static analysis checks.