We're committed to keeping customers' information secure, available, and confidential.
We help our clients (both in the EU and globally) comply with GDPR.
Processes in place to manage risk and secure systems.
A dedicated, private Build Container and Runtime.
Securely authenticate with platforms like Okta, Auth0, and more.
Vercel automatically detects and blocks malicious attacks.
Industry-standard encryption (≥ TLS 1.2) by default with the Vercel platform.
Backups occur every hour and are persisted for 30 days.
Create custom rules for IP blocking, in conjunction with DDoS mitigation.
Developers love Next.js, the open source React framework Vercel built together with Google and Meta. Vercel is the platform built for Next.js.
The Google Chrome team works closely with Vercel to consistently improve the performance and security of Next.js.
The React team at Meta ensures the latest security updates and patches are immediately released to Next.js.
In rare cases of large distributed attacks on our customers, we work directly with AWS to prevent downtime.
Vercel is a global deployment network using Serverless technology, taking advantage of sandboxing and isolation to ensure no two customers share the same virtual machine. Vercel makes teams productive by giving them a seamless developer experience to build modern, scalable web apps.
Yes. Vercel Enterprise customers are covered by two forms of DDoS protection. Our systems can automatically detect and block malicious attacks on customer sites. For significantly larger, distributed attacks, we work closely with the customer to ensure your site(s) stay online. The combination of automated prevention and direct communication from our Customer Success Managers helps ensure your site is resilient to attacks. Contact our sales team to learn more.
Yes, Vercel has a SOC 2 Type 2 attestation. Contact us for more details or to access the report.
Yes. For more information, see our Privacy Policy. No data is stored permanently inside EU regions. Static assets and Serverless Function responses can be cached in EU regions, but this caching is ephemeral. Vercel provides a Data Processing Addendum (DPA), which describes our Technical and Organizational Security Measures. Our Privacy Policy explains how information is collected, used, processed, and disclosed by Vercel.
Yes, Vercel is ISO 27001:2013 certified. Contact us for more details or to access the certificate.
Vercel helps support the healthcare sector, but our services are not intended to process any Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). At this time, Vercel does not sign Business Associate Agreements (BAA). Contact us for more details if HIPAA is important for you.
Vercel does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
Yes. Vercel offers flexible access options. Any plan has access to Deployment Protection, which includes Vercel Authentication and Shareable Links (Hobby plan limited to 1 link per account). Customers on the Pro plan can opt in to Advanced Deployment Protection for $150, which offers Password Protection, Protection Bypass for Automation, and Private Production Deployments.
Yes. Data is encrypted at rest (AES-256) and in transit (HTTPS / TLS), including sensitive information like access tokens and secrets.
Yes. Our current backup interval is every hour and each backup is persisted for 1 month. Automatic backups are taken without affecting the performance or availability of the database operations.
All the backups are stored separately in a storage service, and those backups are globally replicated for resiliency against regional disasters. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.
The Vercel Edge Network & deployment platform primarily uses Amazon Web Services (AWS). In the case of an AWS outage, our network is resilient to regional downtime. Vercel will automatically route traffic to the nearest available edge.
Vercel.com uses Azure CosmosDB to store and globally replicate data, which is different from our Edge Network. This is an additional step taken to ensure uptime for applications on our platform.
Enterprise Teams on Vercel have their own build infrastructure, ensuring isolation from Hobby/Pro accounts on Vercel.
Yes. Vercel conducts regular penetration testing with third-party experts. In addition to our annual penetration tests, we consistently perform targeted assessments on an ongoing basis. We also implement daily code reviews, static analysis checks, and dependency scanning at the code level. Our cloud security posture management platform (CSPM) facilitates workload vulnerability scanning. Pro and Enterprise customers have access to our latest annual penetration testing reports.
Yes, a list of our current subprocessors can be found on our subprocessors page.
Yes. Vercel has a Private Bug Bounty program that rewards researchers for finding and reporting security vulnerabilities. For more information, or to report a vulnerability, please reach out to us at responsible-disclosure@vercel.com.