Measures of pseudonymization and encryption of personal data.
Vercel maintains Customer Data in an encrypted format at rest using the Advanced Encryption Standard (AES-256) and in transit (TLS 1.2 or higher).
Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.
Vercel's Customer agreements contain strict confidentiality obligations. Additionally, Vercel requires Subprocessors to sign confidentiality provisions that are substantially similar to those contained in Vercel's Customer agreements. All employees (and contractors) are bound by Vercel's internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
The Services operate on Amazon Web Services (“AWS”), Microsoft Azure (“Azure”), and Google Cloud Platform (“GCP”) and are protected by the security and environmental controls of Amazon, Microsoft, and Google, respectively. The infrastructure for the Vercel Services spans multiple, fault-independent AWS availability zones in geographic regions physically separated from one another, supported by various tools and processes to maintain high availability of services.
Vercel performs regular backups of Customer Data, which is hosted in AWS, Azure, and GCP data centers. Backups are globally replicated for resiliency against regional disasters and are periodically tested by the Vercel engineering team.
Employees complete mandatory training annually, which covers privacy and data protection, confidentiality, social engineering, password policies, and information security.
Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
Vercel performs regular backups of Customer Data, which is hosted in AWS, Azure, and GCP data centers. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.
Vercel has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning, and threat analysis.
Processes for regular testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of processing.
Vercel maintains a risk-based assessment security program. The framework for Vercel's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and the confidentiality, integrity, and availability of Customer Data. Vercel's security program is intended to be appropriate to the nature of the Services and the size and complexity of Vercel's business operations.
Vercel has a separate and dedicated security team that manages Vercel's security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program (e.g., SOC 2 Type 2, penetration testing, and vulnerability scanning).
Vercel's security governance program covers: Policies and Procedures, Asset Management, Access Management, Data Handling, Encryption, Logging & Monitoring, Password Management, Personnel Security, Resiliency, Responsible Disclosure, Risk Assessment, Vendor Risk Management, Vulnerability, SDLC, Incident Response, Business Continuity & Crisis Management, Acceptable Use and Code of Conduct. Information security policies and standards are reviewed and approved by management at least annually and are made available to all employees.
Security is managed at the highest levels of the company, with security and technology leadership meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Measures for user identification and authorization.
Vercel personnel are required to use unique user access credentials and passwords for authorization. Vercel follows the principle of least privilege through role-based and time-based access models when provisioning system access. Vercel personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval prior to access provisioning. Employee access to Customer Data is promptly removed upon role change or termination.
Vercel uses commercially reasonable practices to identify and authenticate users who attempt to access Vercel systems.
Measures for the protection of data during transmission.
Customer Data is encrypted when in transit between Customer and the Vercel Services.
Measures for the protection of data during storage.
Customer Data is stored encrypted using AES-256. Vercel uses AWS Key Management Service (“KMS”) to encrypt data in its infrastructure. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect keys; key material cannot be retrieved from the service by anyone or transmitted beyond the AWS regions where it was created. AWS log-in credentials and private keys generated by the Service are for Vercel's internal use only.
Measures for ensuring physical security of locations at which personal data are processed.
Vercel is a remote-first organization with limited physical presence globally. As needed, physical security controls for office space are inherited from our co-working office provider, which manages visitors, building entrances, CCTV (closed-circuit television), and overall office security.
The Services operate on AWS, Azure, and GCP and are protected by the security and environmental controls of Amazon, Microsoft, and Google, respectively.
Detailed information about AWS security is available at:
For AWS SOC Reports, please see:
Detailed information about Azure security is available at:
Detailed information about GCP security is available at:
Measures for ensuring events logging.
Vercel monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is centralized by the security team. Log activity is investigated when necessary and escalated appropriately.
User activity metrics are available to Customers within the Services. For further information, visit https://vercel.com/docs/concepts/dashboard-features/activity-log.
Measures for ensuring systems configuration, including default configuration.
Vercel applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across the phases of the product creation lifecycle, from requirements gathering and product design through product deployment. These activities include, but are not limited to, (a) internal security reviews before new Services are deployed; and (b) annual penetration testing by independent third parties.
Vercel adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems.
Monitors are in place to notify the security team of changes made to critical infrastructure and services that do not adhere to the change management processes.
Measures for internal IT and IT security governance and management.
Vercel maintains a risk-based assessment security program. The framework for Vercel's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and the confidentiality, integrity, and availability of Customer Data. Vercel's security program is intended to be appropriate to the nature of the Services and the size and complexity of Vercel's business operations.
Vercel has a separate and dedicated Information Security team that manages Vercel's security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program (e.g., SOC 2 Type 2, penetration testing, and vulnerability scanning).
Vercel's security governance program covers Policies and Procedures, Asset Management, Access Management, Data Handling, Encryption, Logging & Monitoring, Password Management, Personnel Security, Resiliency, Responsible Disclosure, Risk Assessment, Vendor Risk Management, Vulnerability, SDLC, Incident Response, Business Continuity & Crisis Management, Acceptable Use and Code of Conduct. Information security policies and standards are reviewed and approved by management at least annually and are made available to all employees.
Security is managed at the highest levels of the company, with security and technology leadership meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Measures for certifications/assurance of processes and products.
Vercel undergoes third-party audits and assessments against multiple frameworks, including SOC 2 Type 2 and annual application penetration testing.
AWS, Azure, and GCP have achieved: SOC 1, 2, and 3; ISO 27001, 27017, 27018, 27701, and 9001; Cloud Security Alliance Security, Trust, Assurance and Risk (CSA STAR); FedRAMP; and use FIPS 140-2 validated cryptographic modules, in addition to meeting compliance standards for many other legal, security, and privacy frameworks. Further information about these providers' security practices can be found on their respective websites.
Measures for ensuring data minimization.
Vercel Customers unilaterally determine what Customer Data they route through the Vercel Services and how the Services are configured. As such, Vercel operates on a shared responsibility model. Vercel provides tools within the Services that give Customers control over exactly what data enters the platform and enable Customers to block data at the Source level. Additionally, Vercel allows Customers to delete and suppress Customer Data on demand.
Measures for ensuring data quality.
Vercel has a three-fold approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of the logic used to make API calls, (ii) volume testing to ensure the code is able to scale, and (iii) daily end-to-end testing to ensure that the input values match expected values. Vercel applies these measures across the board, both to ensure the quality of any Service-Generated Data that Vercel collects and to ensure that the Vercel Services are operating in accordance with the documentation.
Each Vercel Customer chooses what Customer Data they route through the Vercel Services and how the Services are configured. As such, Vercel operates on a shared responsibility model. Vercel ensures that data quality is maintained from the time a Customer sends Customer Data into the Services until that Customer Data leaves Vercel to flow to a downstream destination.
Vercel has a process that allows individuals to exercise their privacy rights, as described in Vercel's Privacy Notice available at https://vercel.com/legal/privacy-policy.
Measures for ensuring limited data retention.
Vercel Customers unilaterally determine what Customer Data they route through the Vercel Services and how the Services are configured. As such, Vercel operates on a shared responsibility model. Customers have the ability to delete Customer Data via the self-service functionality of the Services. Vercel will, within a commercially reasonable timeframe after request by Customer following the termination or expiration of the Agreement, delete all Customer Data from Vercel's systems, unless retention is required by law.
Measures for ensuring accountability.
Vercel has adopted measures for ensuring accountability, such as implementing data protection policies across the business, publishing Vercel's Information Security Policy (available at https://security.vercel.com), maintaining documentation of processing activities, and recording and reporting Security Incidents involving Personal Data. Vercel conducts regular third-party audits to ensure compliance with our privacy and security standards.
Measures for allowing data portability and ensuring erasure.
Vercel's Customers have direct relationships with their end users and are responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws.
Vercel has self-service functionality that allows Customers to delete and suppress their Customer Data.
Vercel specifies in the Addendum that it will provide assistance to such Customer as may reasonably be required to comply with Customer's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). If Vercel receives a request from a Data Subject in relation to their Customer Data, Vercel will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
Vercel has a process that allows individuals to exercise their privacy rights, as described in Vercel's Privacy Notice available at https://vercel.com/legal/privacy-policy.
For transfers to [sub]-processors, also describe the specific technical and organisational measures to be taken by the [sub]-processor to be able to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the data exporter.
When Vercel engages a Subprocessor under this Addendum, Vercel and the Subprocessor enter into an agreement with data protection terms substantially similar to those contained herein. Each Subprocessor agreement must ensure that Vercel is able to meet its obligations to Customer. In addition to implementing technical and organisational measures to protect personal data, Subprocessors must: a) notify Vercel in the event of a Security Incident so Vercel may notify Customer; b) delete data when instructed by Vercel in accordance with Customer's instructions to Vercel; c) not engage additional Subprocessors without authorization; d) not change the location where data is processed; and e) not process data in a manner that conflicts with Customer's instructions to Vercel.