Reference
6 min read

Security & Compliance Measures

Learn about the protection and compliance measures Vercel takes to ensure the security of your data, including DDoS mitigation, SOC 2 compliance and more.
Table of Contents

This page covers the protection and compliance measures Vercel takes to ensure the security of your data, including DDoS mitigation, SOC2 Type 2 compliance, Data encryption, and more.

System and Organization Control 2 Type 2 (SOC 2) is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that focuses on how an organization's services remain secure and protect customer data. The framework contains 5 Trust Services Categories (TSCs), which contain criteria to evaluate the controls and service commitments of an organization.

Vercel has a SOC 2 Type 2 attestation for Security, Confidentiality, and Availability.

More information is available at security.vercel.com.

ISO 27001 is an internationally recognized standard, developed by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), that provides organizations with a systematic approach to securing confidential company and customer information.

Vercel is ISO 27001:2013 certified. Our certificate is available here.

The EU General Data Protection Regulation (GDPR), is a comprehensive data protection law that governs the use, sharing, transfer, and processing of EU personal data. For UK personal data, the provisions of the EU GDPR have been incorporated into UK law as the UK GDPR

Vercel supports GDPR compliance, which means that we commit to the following:

  • Implement and maintain appropriate technical and organizational security measures surrounding customer data
  • Notify our customers without undue delay of any data breaches
  • Impose similar data protection obligations on our sub-processors as we do for ourselves
  • Respond to applicable data subjects rights, including requests for access, correction, and/or deletion of their personal data
  • Rely on the EU Standard Contractual Clauses and the UK Addendum as valid data transfer mechanisms when transferring personal data outside the EEA

For more information on how Vercel protects your personal data, and the data of your customers, refer to our Privacy Policy and Data Processing Addendum.

Payment Card Industry Data Security Standard (PCI DSS) is a standard that defines the security and privacy requirements for payment card processing. PCI compliance requires that businesses who handle customer credit card information adhere to a set of information security standards.

In alignment with Vercel’s shared responsibility model, Vercel serves as a service provider to customers who process payment and cardholder data. Customers should select an appropriate payment gateway provider to integrate an iframe into their application to ensure that any information entered in the iframe goes directly to their payment processor and is isolated from their application’s managed infrastructure on Vercel.

Learn about PCI DSS iframe integration.

Vercel provides a Self-Assessment Questionnaire D (SAQ-D) Attestation of Compliance (AOC) (SAQ-D AOC) under PCI DSS v3.2.1 for service providers. This is crucial for customers handling payments through their applications, as it may affect the scope of their cardholder data environment per PCI DSS standards. The SAQ-D AOC certifies Vercel's adherence to PCI DSS requirements as a service provider.

Contact us for more details or to access the SAQ-D AOC report.

The Health Information Portability and Accountability Act (HIPAA) is one of the most important sectoral regulations related to privacy within the United States (US). The Secretary for the Health and Human Services (HHS) developed a set of required national standards designed to protect the confidentiality, integrity, and availability of health data. Certain businesses, covered entities and business associates, are required to comply to these regulations to ensure that health data is transmitted without compromising its security.

Vercel supports HIPAA compliance as a business associate by committing to the following:

  • Implementing and maintaining appropriate technical and organizational security measures designed to safeguard a customer's Protected Health Information (PHI)
  • Notifying customers of any data breaches without undue delay
  • Signing Business Associate Agreements (BAAs) with enterprise customers

Customers subject to HIPAA may enable Vercel Secure Compute (available on Enterprise plans) for additional layers of protection. This allows customers to have more control over which resources they allow to have access to their information through:

  • Private, isolated cloud environments
  • Dedicated outgoing IP addresses

VPC peering and VPN support (built on top of Secure Compute) allows customers to create fewer entry points into their networks by establishing secure tunnels within their AWS infrastructure.

Learn about how Vercel supports HIPAA compliance.

Contact us to request a BAA or to add Secure Compute to your plan.

The Vercel Edge Network and deployment platform primarily uses Amazon Web Services (AWS), and currently has 18 different regions and an Anycast network with global IP addresses.

We use a multi-layered security approach that combines people, processes, and technology, including centralized IAM, to regulate access to production resources.

We use cloud security processes to develop and implement procedures for provisioning, configuring, managing, monitoring, and accessing cloud resources. Any changes made in production environments are managed through change control using Infrastructure as Code (IaC).

To ensure always-on security, Vercel's edge infrastructure uses a combination of cloud-native and vendor tooling, including cloud security posture management tooling for continuous scanning and alerting.

When an AWS outage occurs in a region, Vercel will automatically route traffic to the nearest available edge, ensuring network resilience.

Vercel operates on a shared responsibility model with customers. Customers have the ability to select their preferred region for deploying their code. The default location for serverless functions is the U.S., but there are dozens of regions globally that can be used.

Additionally, Vercel may transfer data to and in the United States and anywhere else in the world where Vercel or its service providers maintain data processing operations. Please see Vercel's Data Processing Addendum for further details.

  • Vercel uses AWS Global Accelerator and our Anycast network to automatically reroute traffic to another region in case of regional failure
  • Vercel Functions have multiple availability zone redundancy by default. Multi-region redundancy is available depending on your runtime
  • Our core database and data plane is a globally replicated database with rapid manual failover, using multiple availability zones

With region-based failover, Vercel data is replicated across multiple regions, and a failover is triggered when an outage occurs in a region. Rapid failover is then provided to secondary regions, allowing users continuous access to critical applications and services with minimal disruption.

To meet RTO/RPO goals, Vercel conducts recurring resiliency testing. This testing simulates regional failures. Throughout testing, service statuses are also monitored to benchmark recovery time, and alert on any disruptions.

Vercel encrypts data at rest (when on disk) with 256 bit Advanced Encryption Standard (AES-256). While data is in transit (on route between source and destination), Vercel uses HTTPS/TLS 1.3.

Vercel backs-up customer data at an interval of every hour, each backup is persisted for 30 days, and is globally replicated for resiliency against regional disasters. Automatic backups are taken without affecting the performance or availability of the database operations.

All backups are stored separately in a storage service. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.

These backups are not available to customers and are created for Vercel's infrastructure's use in case of disaster.

Enterprise Teams on Vercel have their own build infrastructure ensuring isolation from Hobby/Pro accounts on Vercel.

Vercel conducts regular penetration testing through third-party penetration testers, and has daily code reviews and static analysis checks.

Last updated on May 22, 2024