Security Policy

This page provides an overview of the security measures taken by Contentful to protect content and user data hosted on our platform from unauthorized access. Where relevant, we include links to security guidelines and resources developed by third parties.

1. Data Storage

Contentful stores your content on Amazon S3 servers. Amazon's data centers employ a set of advanced physical, network and software security measures to ensure the integrity and safety of customers' data. Among others, these measures include:

  • Secure access: Data transferred between Contentful servers and S3/RDS storage facilities is secured via SSL endpoints using the HTTPS protocol.
  • Multi-factor authentication: Contentful staff exclusively use multi-factor authentication to access AWS accounts, reducing the risk of unauthorized access. Access rights are granted on the least-access principle.
  • Encryption at rest: All stored data is encrypted at rest. Contentful uses the AWS-provided encryption mechanisms where possible; all storage systems are encrypted with AES-256 by default.

Amazon provides built-in network and security monitoring systems designed to give increased protection against threats such as Distributed Denial of Service (DDoS), Man-in-the-Middle (MITM) attacks, password brute-force attempts and packet sniffing. We deploy network- and host-based intrusion detection systems and perform regular AWS configuration audits as part of our security standards.

All user content and data are backed up to S3 storage every six hours. Additionally, redundancy of the stored data is ensured by keeping copies of the existing data in undisclosed locations. You are free to download all your content to back it up off-site by fetching the data via the Contentful Delivery API.

Find out more about Amazon’s security offerings:

2. Data transfer & delivery

Contentful uses a secure channel with Transport Layer Security (TLS) 1.2 encryption, the standard for secure Internet connections, for all traffic between desktop clients, mobile devices and our servers, as well as for all content delivered to end users. The Content Delivery API is also available over a non-secure channel for applications that cannot make use of encryption. Contentful encourages its customers to use TLS and up-to-date cryptographic technologies at all times.

3. Payment data

Contentful uses Stripe's infrastructure to process credit card payments, which means that no credit card information or related personal information is stored on our servers. Stripe enforces stringent PCI DSS (Payment Card Industry Data Security Standard) compliance criteria to ensure that any data stored and/or processed on its servers is handled in a secure way.

In addition to privacy and safety measures, Stripe employs an extensive range of checks designed to minimize payment fraud and unauthorized access. These checks include 3D-Secure authorization, credit card background checks, flagging suspicious transactions for manual verification, and real-time monitoring of payment transactions with automated anti-fraud algorithms.

More about Stripe security measures:

4. Passwords

All user passwords are stored in the database in hashed form, never as plaintext. Contentful uses salts and the bcrypt library to make the hashing deliberately expensive to compute and thus minimize the risk that passwords will be cracked.
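The following is an added example, not code from Contentful, showing the two properties the paragraph above relies on: a random salt per stored password (so two users with the same password get different hashes) and a slow, tunable work factor (so each guess against a stolen database is expensive). The page names bcrypt; this example substitutes scrypt from Python's standard library so it runs without a third-party package, and the `scrypt$N$r$p$salt$hash` record format is a hypothetical layout chosen here, not Contentful's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters. These stand in for bcrypt's cost factor: raising
# SCRYPT_N makes every guess slower for an attacker holding a stolen table.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16      # 128-bit random salt, generated fresh for each password
KEY_BYTES = 32       # length of the derived hash


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Run the slow key-derivation function over password and salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=KEY_BYTES)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for the user table.

    Hypothetical format: scrypt$N$r$p$salt_hex$hash_hex. Storing the cost
    parameters next to the hash lets the cost be raised later without
    breaking verification of records written with the old cost.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record; malformed input is rejected."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return False
    actual = _derive(password, salt, n, r, p)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(actual, expected)


def salts_differ(password: str) -> bool:
    """Two users with the same password must not share a stored hash."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print("same password, different hashes:", salts_differ("hunter2"))
```

Because the salt and cost parameters travel with each record, a deployment can raise `SCRYPT_N` for new records while old ones keep verifying, and re-hash a user's password on the next successful login.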

While Contentful's team puts a lot of effort into securing your login credentials, it is important to remember that poorly chosen passwords, even when properly hashed, are vulnerable to the common cracking techniques employed by professional attackers. For this reason, we urge our users to follow the guidelines for choosing a password outlined below:

Avoid generic passwords. Passwords based on popular words, common names, birth dates or favorite brands are easy to guess or to harvest from online profiles. Combining several unrelated words with additional random characters makes your password stronger and more difficult to guess.

Use a unique password per site. By reusing the same password on multiple websites you expose all of those accounts to compromise as a result of a security breach on any one of the websites. The use of password managers such as KeePassX and 1Password is strongly encouraged.

Use creative spelling. A common technique for cracking passwords is using dictionaries to generate candidate passwords. For this reason "unc*nvent^onal spe!!ing" and upPeRc@siNg, as well as the use of non-obvious numb5rs and §ymbols, will make your passwords harder to crack.

5. Privacy

For information on our privacy guidelines, please view our privacy policy. Contentful's staff receive regular privacy training and are bound by European data privacy laws.

6. Bug reporting

We encourage responsible reporting of security vulnerabilities and software bugs. If you have found a vulnerability, please report it to security@contentful.com and refrain from announcing it publicly before we have been in touch with you to work on a fix. Please note that we discourage attempts to gain illegitimate access to another user's account or data, to compromise the reliability and/or integrity of our services, and the use of automated tools to find vulnerabilities. Please make sure that you are working within our Terms of Service.

We also run a private responsible disclosure program at https://hackerone.com/contentful. If you want to participate or have found a vulnerability you would like to report, send us a short email with the details: security@contentful.com.

Our community plays an important role in helping us stay bug-free and secure.

7. General

Security is a top priority at Contentful, and our staff regularly perform security and awareness training. If you have any questions regarding our practices and standards, please contact us at support@contentful.com.