Security Policy

Security is a top priority at Contentful. We follow a holistic and collaborative approach to guarantee the confidentiality, availability, and integrity of your data. On this page, you can read about the various policies and security measures taken by Contentful to protect content and user data hosted on our platform from unauthorized access.

How we protect your content

Our infrastructure runs purely on Amazon Web Services (AWS), which delivers infrastructure as a service with prime security capabilities.

ISO 27001 compliant data centers

The data centers used for storing your content and allowing it to be delivered to your users are certified for compliance with the ISO 27001 standard. This standard details requirements for an information security management system (ISMS) within an organization, in this case AWS, to ensure that it systematically evaluates risks, threats and vulnerabilities to its information security, and has controls and a management process in place to constantly manage risk and meet security needs. To ensure neutrality, certification is carried out by independent third-party auditors.

Data storage and encryption at rest

Your data is encrypted at rest in AWS S3 buckets, AWS RDS instances and our internally-managed databases. AES256 encryption is used by default via AWS’ encryption services, while key management is handled by AWS KMS. This ensures the content is preserved and safe from prying eyes and manipulation.

Encryption in transit

All communication between you, your services and Contentful, including your data, traverses the Internet via encrypted HTTPS traffic using TLS v1.2. In addition, data is encrypted in transit between Contentful and our Content Delivery Networks (CDNs). This encryption ensures information cannot be read or manipulated by unauthorized third parties.

Annual penetration tests

Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties. Any vulnerabilities found are fixed according to the specifications in an internal SLA.

Code reviews

Our applications are also protected through the implementation of a secure Software Development Life Cycle (SSDLC), where code is always reviewed by peers before being merged into our testing, staging, and production environments.

Backups

All our data, including S3 buckets and daily database backups, is replicated between multiple regions thanks to the use of AWS. Backup data is encrypted at rest using AES-256 encryption with keys provided by AWS KMS. Our source code lives in GitHub, where we also contribute to the community with several open source projects.

Access to data

Access to your data is extremely restricted. We have hand-picked and trained support staff and engineers on support who, after receiving your explicit permission, are able to help fix your problem by accessing the affected data that you authorize. These actions are recorded, audited and monitored.

Physical security

Did we mention we are a cloud native service? We do not have data centers. Physical security of our servers and of your data is managed by AWS security certifications. Physical security at our offices is also governed by our security program.

Security groups

Networking in the cloud is very different from the standard data center. All communications to and from our servers are controlled by tight security groups, an AWS security feature for stateful firewalling.

WAF from Incapsula

Applications available on the internet are constantly under threat of attacks. One of the protections implemented to protect our applications is the Web Application Firewall delivered by Imperva Incapsula.

Secure headers

To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Security (HSTS).

Data retention policy

Your data lives on our servers for as long as you need it. Our Data Retention Policy and Data Classification Policy govern the way we manage data that needs deletion and retirement.

Brute force protection

To prevent your account from being compromised through brute-force attacks against our web application and APIs, we implement rate limits and captchas.

Monitoring and reporting

Access to customer data is logged along with SSH session commands in production. This provides a trail that can be easily followed in any security audits.

How we keep our service reliable

AWS

Our infrastructure runs in Amazon Web Services, where all components are deployed in at least three availability zones, minimizing disruptions caused by any failure and keeping your content constantly available. Elastic Load Balancers are used to automatically split the load and segregate traffic from the Internet to all nodes of our frontend layer.

Auto-scalable Kubernetes

All our software components run in Docker containers orchestrated by Kubernetes. The clusters are automatically resized when the load on the system exceeds the pre-defined threshold. CoreOS in its latest version powers this Kubernetes environment, which makes rolling upgrades fairly simple. Our platform has been designed from scratch to support high volumes of web traffic and this technology stack, alongside a microservice architecture, is the fundamental piece that caters to our high availability needs.

CDN

More than 80% of Content Delivery API traffic is served directly by Fastly, our global choice of content delivery network. We utilize Fastly's API heavily for cache population and invalidation, so in the unlikely event our infrastructure ever experiences technical difficulties, content can still be served by the CDN and remain online in the meantime.

Distributed denial of service (DDoS) protection

Our APIs and web application are protected in multiple ways against denial of service attacks. AWS provides volumetric denial of service protection through AWS Shield and Elastic Load Balancing to ensure high availability. Our security CDN, provided by Imperva Incapsula, performs application-layer denial of service protection alongside web application firewall protection.

How we keep our code secure

Open source SDKs

All our software development kits are open source and we encourage contribution from the community. To further facilitate that, we engage with developers and users of our APIs through our SDKs and document our development decisions on GitHub.

Vulnerability management

All vulnerabilities are managed internally in our internal vulnerability management tool. Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system, and an owner. We have an internal SLA that stipulates deadlines for fixing vulnerabilities, while progress is tracked by tools and, if necessary, a post-mortem is arranged as a learning exercise for our engineers to improve code security.

Code peer review

Our development process is based on GitHub's pull request mechanism. Once a commit is made to a branch in a specific repository, the code is reviewed by members of the same team or from other engineering teams. Only once the pull request is approved by all tagged engineers is the code moved along in the development life cycle. Our developers and engineers are also heavy practitioners of pair programming, which lets them detect bugs and vulnerabilities more effectively before code makes it into the final product.

Automatic static code analysis

When code is committed to GitHub, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies. Dependency management is performed locally per repository, where all dependencies are tagged by version and downloaded from reputable sources over encrypted HTTPS.

Quality Assurance (QA)

Once the code is ready to be tested, it is deployed to our staging environment. This environment runs a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different AWS account that is configured with different domain names to ensure complete separation from production.

Secure SDLC

Security is part of the Product organization and influences the product roadmap and specific features. We implement the philosophy of "security by design" where security features are embedded in the product and architecture design to ensure existing and new functionalities are free of vulnerabilities. We believe that engineers should be responsible for the code they create and have an established culture of accountability, which leads to a high level of code quality and security being maintained.

How to report vulnerabilities

Found a vulnerability? Would you like to report something interesting? The best way to reach out to us is either via e-mail to support@contentful.com or opening a ticket at https://support.contentful.com. For encrypted communication, our PGP key is available on Keybase at https://keybase.io/contentful

Contentful engages with the community via our Responsible Disclosure Program, also known as our Bug Bounty Program, via HackerOne at https://hackerone.com/contentful

Other information

Our staff regularly performs security and awareness training. If you have any questions regarding our practices and standards, contact us at support@contentful.com. Other security related information can be found below.

1. Data Storage

Contentful stores your content on Amazon S3 servers. Amazon’s data centers employ a set of advanced physical, network and software security measures to ensure integrity and safety of customers’ data. Among others, these measures include:

  • Secure access: Data transferred between Contentful servers and S3/RDS storage facilities is secured via SSL endpoints using the HTTPS protocol.
  • Multi-factor authentication: Contentful staff exclusively uses multi-factor authentication to access AWS accounts, thus reducing the risk of unauthorized access. Access rights are granted on the least access principle.
  • Encryption at rest: All data stored is encrypted at rest. Contentful utilizes the AWS-provided encryption mechanisms where possible. All storage systems are encrypted using AES256 by default.

Amazon comes with built-in network and security monitoring systems designed to provide increased protection against threats like Distributed Denial of Service (DDoS), Man in the Middle (MITM) attacks, password brute-force detection, and packet sniffing. We deploy network and host-based intrusion detection systems and perform regular AWS configuration audits as part of our security standards.

All user content and data is backed up on S3 storage every six hours. Additionally, redundancy of the stored data is ensured by making copies of the existing data in undisclosed locations. You are free to download all your content to back it up off-site by fetching data via the Contentful Delivery API.

Find out more about Amazon’s security offerings:

2. Data transfer & delivery

Contentful uses a secure channel with Transport Layer Security (TLS) 1.2 encryption, the standard for secure Internet connections, for all the traffic between desktop clients, mobile devices and our servers as well as all the content delivered to end-users. The Content Delivery API is also available on a non-secure channel for applications that cannot make use of encryption. Contentful encourages its customers to use TLS and up-to-date cryptographic technologies at all times.

3. Payment data

Contentful uses Stripe’s infrastructure to process credit card payments, which means that no credit card information or related personal information is stored on our servers. Stripe enforces stringent PCI DSS (Payment Card Industry) compliance criteria to ensure that any data stored and/or processed on its servers is handled in a secure way.

In addition to privacy and safety measures, Stripe employs an extensive range of checks designed to minimize payment fraud and unauthorized access. These checks include 3D-Secure authorization, credit card background checks, flagging suspicious transactions for manual verification, and real-time monitoring of payment transactions with automated anti-fraud algorithms.

More about Stripe security measures:

4. Passwords

All user passwords are stored in the database in an encrypted form. Contentful uses salts and the bcrypt library to increase the complexity of the encryption technique and thus minimize the risk that passwords will be cracked.

While Contentful’s team puts a lot of effort into securing your login credentials, it is important to remember that poorly chosen passwords, even when properly encrypted, are vulnerable to common cracking techniques employed by professional attackers. For this reason, we urge our users to follow security guidelines for choosing a password outlined below:

Generic passwords based on popular words, common names, birth dates or favorite brands are easy to guess or harvest from online profiles. Combining several unconnected words with additional random characters makes your password stronger and more difficult to guess.

Use a unique password per site. By recycling identical passwords for multiple websites, you expose your accounts to compromise as a result of a security breach on one of the websites. The use of tools or services like KeepassX and 1Password is strongly encouraged.

Use creative spelling. A common technique for hacking passwords is using dictionaries to generate random passwords. For this reason "unc*nvent^onal spe!!ing" and upPeRc@siNg as well as the use of non-obvious numb5rs and §ymbols will make your passwords harder to crack.

5. Privacy

For information on our privacy guidelines, please view our privacy policy.

Contentful's staff undergoes regular privacy training and is bound by European data privacy laws.

6. Bug reporting

We encourage responsible reporting of security vulnerabilities and software bugs. If you have found a vulnerability, please report it to security@contentful.com and abstain from publicly announcing it before we have gotten in touch with you to work on a fix. Please note that we discourage attempts to gain illegitimate access to another user's account or data, attempts to compromise the reliability and/or integrity of our services, and the use of automated tools to find vulnerabilities.

Please make sure that you are working within our Terms of Service.

We also run a private responsible disclosure program on hackerone.com/contentful. If you want to participate or have found some vulnerabilities you would like to report, send us a short email with the details: security@contentful.com.

Our community plays an important role in helping us stay bug-free and secure.