Security at Contentful

Security being just important to us is a huge understatement. Security is a top priority at Contentful and we live it in our day-to-day activities. We’ve built a comprehensive security program that is governed by our Information Systems Management System (ISMS) and is in line with the ISO 27001 international standard. Our Senior Management team is accountable for security and ensure that security capabilities and competence exist in all levels of our business.

As a whole, we follow a holistic and collaborative approach to guarantee the confidentiality, availability, and integrity of your data. On this page, you can read about the various policies and security measures taken by Contentful to secure user content and data hosted on our platform from unauthorized access.

How we protect your content

Our infrastructure runs purely on Amazon Web Services (AWS), which delivers infrastructure as a service with prime security capabilities.

ISO 27001 compliant data centers

The data centers used for storing your content and allowing it to be delivered to your users are certified for compliance with the ISO 27001 standard. This standard details requirements for an information security management system (ISMS) within an organization, that is AWS, to ensure they systematically evaluate risks, threats and vulnerabilities to their information security, and having controls and a management process to constantly manage risk and meet security needs. To provide unbiased neutrality, certification is carried out by independent third-party auditors.

Data storage and encryption at rest

Your data is encrypted at rest in AWS S3 buckets, AWS RDS instances and block devices used by AWS EC2 instances. AES256 encryption is used by default via AWS’ encryption services, while key management is handled by AWS KMS. This ensures the content is preserved and safe from prying eyes and manipulation.

All user passwords are hashed using the Bcrypt password hashing function and stored in the database. Bcrypt uses salts and 11 rounds of algorithm to increase the complexity of hashing to minimize risk of passwords being cracked.

Encryption in transit

All communication between you, your services and Contentful, that includes your data, traverses the Internet via encrypted HTTPS traffic using TLS v1.2. In addition, data is also encrypted during transit between Contentful and our Content Delivery Networks (CDNs). This encryption during communication ensures information cannot be read or manipulated by unauthorized third parties.

Annual penetration tests

Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties. Any vulnerability found are fixed based our specifications in an internal SLA.

Backups

All our data, including S3 buckets and database daily backups, is replicated between multiple regions thanks to the use of AWS. Backup data is encrypted at rest using AES-256 encryption with keys provided by AWS KMS.

Access to data

Access to your data is extremely restricted. We have hand-picked and trained support staff and Engineers on support that, after your explicit permission, are able to help fix your problem by accessing the affected data that you authorize. These actions are recorded, audited and monitored.

Physical security

Did we mention we are a cloud native service? We do not have data centers. Physical security to our servers and to your data is managed by AWS security certifications. Physical security at our offices is also governed by our security program.

Security groups

Networking in the cloud is very different from the standard data center. All communications to and from our servers are controlled by tight security groups, an AWS security feature for stateful firewalling.

Web Application Firewall

Applications available on the internet are constantly under threat of attacks. One of the protections implemented to protect our applications is the Web Application Firewall delivered by our security CDN. Furthermore, a second layer of defense is provided by AWS WAF for all our applications.

Threat detection

Provided by AWS GuardDuty, we monitor and respond to threats when they happen. We detect inbound and outbound connections from and to known malicious IP addresses, unusual or unauthorized activities in our AWS accounts and much more.

Secure headers

To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Protection. We also constantly monitor our SSL configuration rating, where we target to a minimum of an A grade for all our general domains and an A+ for all domains under our full control.

Data retention policy

Your data lives in our servers for as long as you need them. Our Data Retention Policy and Data Classification Policy govern the way we manage data that needs deletion and retirement.

Brute force protection

To prevent your account to be compromised by brute forcing our web application and APIs, we implement rate limits and captchas.

Monitoring and reporting

Access to customer data is logged along with SSH session commands in production. This provides a trail that can be easily followed in any security audits.

How we keep our service reliable

AWS

Our infrastructure runs in Amazon Web Services, where all components are deployed in at least three availability zones, minimizing disruptions caused by any failure and keeping your content constantly available. Elastic Load Balancers are used to automatically split the load and segregate traffic from the Internet to all nodes of our frontend layer.

Auto-scalable Kubernetes

All our software components run in Docker containers orchestrated by Kubernetes. The clusters are automatically resized when the load on the system exceeds than the pre-defined threshold. CoreOS in its latest version powers this Kubernetes environment, which makes rolling upgrades fairly simple. Our platform has been designed from scratch to support high volumes of web traffic and this technology stack, alongside a microservice architecture, is the fundamental piece that caters to our high availability needs.

CDN

More than 80% of Content Delivery API traffic is served directly by Fastly, our global choice of content delivery network. We utilize Fastly's API heavily for cache population and invalidation, so in the unlikely event our infrastructure ever experiences technical difficulties, content can still be served by the CDN and remain online in the meantime.

Distributed denial of service (DDOS) protection

Our APIs and web application are protected in multiple ways against denial of service attacks. AWS provides volumetric denial of service protection through AWS Shield and Elastic Load Balancing to ensure high availability. Our security CDN performs application-layer denial of service protection alongside web application firewall protection.

Disaster recovery and business continuity

Contentful utilizes database replication architectures to ensure redundancy and uptime. Encrypted backups are made frequently and stored both onsite at the data center and copied to a remote storage location. Each key service layer has redundant components, such as multiple servers that provide the same service and content, to ensure any failures do not impact the rest of the system. Data centers are also equipped with controls to enforce physical security and protection against environmental hazards

How we keep our code secure

Open source SDKs

All our software development kits are open source and we encourage contribution from the community. To further facilitate that, we engage with developers and users of our APIs through our SDKs and document our development decisions on GitHub.

Vulnerability management

All vulnerabilities are managed internally in our internal vulnerability management tool. Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system, and an owner. We have an internal SLA that stipulates deadlines for fixing vulnerabilities, while progress is tracked by tools and, if necessary, a post-mortem is arranged as a learning exercise for our engineers to improve code security.

Code peer review

Our development process is based on GitHub's pull request mechanism. Once a commit is made to a branch in a specific repository, the code is reviewed by members of the same team or from other engineering teams. Only once the pull request is approved by all tagged engineers is the code moved along in the development life cycle. Our developers and engineers are also heavy practitioners of pair programming, which lets them detect bugs and vulnerabilities more effectively before code makes it into the final product.

Automatic static code analysis

When code is committed to GitHub, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies. Dependency management is performed locally per repository, where all dependencies are tagged by version and downloaded from reputable sources over encrypted HTTPS.

Quality Assurance (QA)

Once the code is ready to be tested, it is deployed to our staging environment. This environment runs a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different AWS account that is configured with different domain names to ensure complete separation from production.

Secure SDLC

Security is part of the Product organization and influences the product roadmap and specific features. We implement the philosophy of "security by design" where security features are embedded in the product and architecture design to ensure existing and new functionalities are free of vulnerabilities. We believe that engineers should be responsible for the code they create and have an established culture of accountability, which leads to a high level of code quality and security being maintained.

How we secure our business

Security monitoring and Incident Management

Contentful continually looks out for any indicators that could potentially lead to incidents. To supplement this, any event-alerting tools we use also escalate into PagerDuty rotations for Contentful’s 24x7 incident response team. We also maintain an incident response plan that details ways to address an incident, including the processes of notification, escalation, managing and reporting as a result of an incident.

Security awareness program

All Contentful employees and contracted third-parties are required to comply with Contentful policies relevant to their scope of work, including security and data privacy policies. Our standard work contract includes confidentiality clauses.

Contentful ensures its employees undergo regular security and privacy training. Employees with developer and administrative roles also undergo secure code training annually, while employees with responsibilities in the area of information security are also provided with additional training on security protection techniques, risks, and latest trends.

Mobile device management (MDM)

All hardware devices (desktops, laptops, phones) issued to Contentful employees come with encrypted storage partitions as well as MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. We make use of the ability to remotely wipe a device in the event of devices getting lost or stolen.

Security policies

Contentful has multiple internal policies directly pertaining to or containing details about data privacy, security, and acceptable use; the most widely distributed and available of which is the employee handbook that includes documentation on security, data privacy, and related measures. In addition, Contentful also has a public-facing privacy policy, as well as a security whitepaper and numerous security data sheets that are available on request from your Contentful sales contact or account manager.

Credit card/payment security

Contentful uses an integration between Zuora and Stripe’s infrastructure to process credit card payments, which means that no credit card information or related personal information is stored on our servers. Zuora and Stripe enforces stringent PCI DSS (Payment Card Industry) compliance criteria to ensure that any data stored and/or processed on its servers is handled in a secure way.

In addition to privacy and safety measures, Stripe employs an extensive range of checks designed to minimize payment fraud and unauthorized access. These checks include 3D-Secure authorization, credit card background checks, flagging suspicious transactions for manual verification, and real-time monitoring of payment transactions with automated anti-fraud algorithms.

Password managers and policy

To ensure an acceptable level of password security, we have an existing password policy in place, that will be refreshed in 2019 to comply with new standards based on NIST (National Institute of Standards and Technology) guidelines. Passwords that are too generic are not allowed while the use of unique passwords per website is strongly advised. We also encourage the use of password managers, for example LastPass, that help make it easier and safer for you to keep track of your credentials.

Vendor security management

Every technology, SaaS or tool is assessed to ensure a good understanding of the risks involved. Our Vendor Security Assessment Questionnaire, or VSAQ, is based in the VSA - Vendor Security Alliance - and CSA - Cloud Security Alliance - standards. Confidentiality and non-disclosure agreements are required when sharing any sort of confidential information, that could be sensitive, proprietary and/or personal in nature, between Contentful and an external third-party. Any third-party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments based on their level of access and handling of information.

Multi-factor authentication

The use of multi-factor authentication (MFA) is enforced throughout the main services Contentful relies on. MFA is also encouraged by Contentful to both its employees and customers. The use of MFA provides an additional measure for verifying a user’s claimed identity over the use of just a password. Currently, the minimum requirement for our MFA implementation is the use of a password combined with an access token (for instance, a code provided by Google Authenticator). MFA is also mandatorily enforced for AWS and GitHub access.

How you can protect your data

SSO

We provide Single Sign-On capabilities via SAMLv2. This means our customers have full control over who has access to the use of our product and how authentication takes place. Customers can implement their own password policies and multi-factor authentication implementations.

API keys - key rotation

Your data is protected behind multiple API keys, used in different contexts for particular use cases. Keys are assigned to the user and follow the user's privilege associated with an organization and space. Our application enforces authorization for every API call, apart from assets.

Roles and permissions

Contentful highly encourages the use of roles and permissions in order to provide different users with different levels of access rights to content, features, and functionality. This is in line with “least privilege” and “need to know” security principles, which adds another safeguarding layer to prevent unauthorized access and limit damage in the event of a user’s credentials being compromised.

HTTPS

While all activities relevant to content and data traversing the Internet are conducted with HTTPS enforced on Contentful’s side, we absolutely recommend that customers and users also enforce HTTPS so that content and data integrity is maintained and free from manipulation as it is served from our service to your users’ machines. The use of HTTPS websites also safeguards your important data and credentials away from the view of unauthorized third-parties.

How to report vulnerabilities

Found a vulnerability? Would you like to report a bug or something interesting that you found? The best way to reach out to us is either via e-mail to support@contentful.com or opening a ticket. For encrypted communication, our PGP key is available on Keybase. We advise abstaining from publicly announcing a vulnerability or bug before we get in touch with you and work on a fix.

Contentful engages with the community via our Responsible Disclosure Program, also known as our Bug Bounty Program. Our community plays an important role in helping us stay bug-free and secure.

In case of a security incident

Incidents can happen to anyone — we are ready for such an event when it happens. We manage security incidents via a documented process, which includes notification of and cooperation with customers, data protection authorities, and law enforcement. Contentful will notify affected customers within undue delay following incident detection, where we share a preliminary assessment of the incident and are open to cooperation. We follow article 33 of the GDPR when personal data is involved, and alert the supervisory authority regarding breach of personal data.