This page covers the protection and compliance measures Vercel takes to ensure the security of your data, including DDoS protection, SOC2 Type 2 compliance, Data encryption, and more.
A Denial of Service attack (DoS) happens when one computer attempts to exhaust the resources of a system by sending a large amount of data to a server or network. These attacks can often be mitigated by finding and closing off the connection to the source of the attack.
A Distributed Denial of Service attack (DDoS) happens when multiple connected devices are used to simultaneously overwhelm a website with targeted, fake traffic. The end goal of this attack is to bring down the servers hosting the website.
Different attack types can target different layers of the OSI model. The OSI model is a concept that outlines the different communication steps of a networking system.
The transmission of raw, unstructured data over the network.
Handles the connection between physically connected nodes in a network. This layer is itself split into two parts, Logical Link Control (LLC) - network protocols, and the Media Access Control (MAC) - uses MAC addresses to connect devices. The data layer split packets of data into frames.
The network layer receives frames from the data layer, and sends them to their destination using IP addresses. Routers use this layer to route information between networks.
Transmits data using Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) protocols.
Controls the communication between different computers by handling connections and services, including authentication. At this layer sessions are created and maintained while data is transferred, and closed once finished.
Data is prepared for the application layer. The presentation layer formats the data needed by the application layer based on the syntax it expects. Encryption and decryption is also handled at this layer.
The application layer is where the end user interacts with software, such as browsers or email clients. Common application layer protocols include:
- HTTP - Hypertext Transfer Protocol (HTTP) is a stateless, request-response protocol. HTTP is used to send and receive data from a web server.
- HTTPS - Hypertext Transfer Protocol Secure (HTTPS) is a secure version of HTTP. HTTPS is used to send and receive data from a web server.
- SMTP - Simple Mail Transfer Protocol (SMTP) is a stateless, request-response protocol. SMTP is used to send and receive data from a mail server.
DDoS attacks often target the layer 3 (network), layer 4 (transport), and layer 7 (application) layers of the OSI model. Vercel's DDoS protection mitigates L3, L4, and L7 DDoS attacks, and protects the entire platform and all customers from attacks that would otherwise affect reliability.
The goal of a Layer 3 (L3) DDoS attack is to crash and slow down networks, servers, and programs. They target the network layer, as opposed to the transport or application layer. Layer 3 DDoS attacks are often used to target specific IP addresses, but can also target entire networks.
The goal of a Layer 4 (L4) DDoS attack is to crash and slow down applications. They target the 3-way-handshake performed on TCP connections. This is often called a SYN flood. Layer 4 DDoS attacks are used to target specific ports, but can also target entire protocols.
The goal of a Layer 7 (L7) DDoS attack is to crash and slow down software at the application layer by targeting protocols such as HTTP GET and POST requests. They are often silent and look to leverage vulnerabilities by sending many innocuous requests to a single page.
Deployments can be protected with Password protection and SSO protection. Password protection is available for Teams on Pro and Enterprise plans, while SSO protection is only available for Teams on the Enterprise plan. Both methods can be used to protect Preview and Production deployments.
Password protection applies to Preview deployments and Production deployments. This feature can be enabled via the Teams Project dashboard. Read more about in the documentation here.
Vercel Authentication protection applies to Preview deployments and Production deployments. When enabled, a person with a Personal Account that is a member of a Team, can use their login credentials to access the deployment. This feature can be enabled via the Teams Project dashboard.
Both Password protection, and Vercel Authentication can be enabled at the same time. When this is the case, the person trying to access the deployment will be presented with an option to use either method to access the deployment.
Read more about in the documentation here.
System and Organization Control type 2 (SOC2) is a form of auditing that ensures a cloud service provider manages customer data, and protects privacy. Vercel is SOC2 Type 2 compliant.
General Data Protection Regulation (GDPR), is a comprehensive EU-wide data protection law that governs the use, sharing, transfer, and processing of EU resident personal data.
Vercel is GDPR compliant, which means that we commit to the following:
- Maintaining appropriate technical and organizational security measures surrounding customer data
- Notify our customers without undue delay of any data breaches
- Hold our sub-processors to the same level of data protection that we are committed to
- Honor our EU customer's right to access and erasure, among others
Payment Card Industry Data Security Standard (PCI) is a standard that defines the security and privacy requirements for payment card processing.
Vercel does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
The Vercel Edge Network and deployment platform primarily uses Amazon Web Services (AWS), and currently has 18 different regions and an Anycast network with global IP addresses.
We use a multi-layered security approach that combines people, processes, and technology, including centralized IAM, to regulate access to production resources.
We use cloud security processes to develop and implement procedures for provisioning, configuring, managing, monitoring, and accessing cloud resources. Any changes made in production environments are managed through change control using Infrastructure as Code (IaC).
To ensure always-on security, Vercel's edge infrastructure uses a combination of cloud-native and vendor tooling, including cloud security posture management tooling for continuous scanning and alerting.
When an AWS outage occurs in a region, Vercel will automatically route traffic to the nearest available edge, ensuring network resilience.
- Vercel uses AWS Global Accelerator and Anycast network to automatically reroute traffic to another region in case of regional failure
- Edge functions and Edge Middleware switch to another region automatically using Cloudflare's automatic failover feature
- Our core database and data plane is a globally replicated database with rapid manual failover, using multiple availability zones
With region-based failover, Vercel data is replicated across multiple regions, and a failover is triggered when an outage occurs in a region. Rapid failover is then provided to secondary regions, allowing users continuous access to critical applications and services with minimal disruption.
To meet RTO/RPO goals, Vercel conducts recurring resiliency testing. This testing simulates regional failures. Throughout testing, service statuses are also monitored to benchmark recovery time, and alert on any disruptions.
Vercel encrypts data at rest (when on disk) with 256 bit Advanced Encryption Standard (AES-256). While data is in transit (on route between source and destination), Vercel uses HTTPS/TLS 1.3.
Vercel backs-up customer data at an interval of every hour, each backup is persisted for 30 days, and is globally replicated for resiliency against regional disasters. Automatic backups are taken without affecting the performance or availability of the database operations.
All backups are stored separately in a storage service. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.
Enterprise Teams on Vercel have their own build infrastructure ensuring isolation from Hobby/Pro accounts on Vercel.
Vercel conducts regular penetration testing through third-party penetration testers, and has daily code reviews and static analysis checks.