|
| 1 | +# Security |
| 2 | + |
| 3 | +Craft Cloud is designed as a fully managed, secure cloud PaaS hosting platform optimized for Craft CMS applications. |
| 4 | + |
| 5 | +This document outlines the security principles, controls, and practices that govern ****Craft Cloud to protect customer applications, data, and infrastructure against unauthorized access and vulnerabilities. |
| 6 | + |
| 7 | +## Shared Responsibility Model |
| 8 | + |
| 9 | +Security in Craft Cloud environments follows the industry standard cloud shared responsibility model: |
| 10 | + |
| 11 | +### Craft Cloud’s responsibilities: |
| 12 | + |
| 13 | + - Underlying infrastructure |
| 14 | + - Network security |
| 15 | + - Platform configuration |
| 16 | + - Service availability and stability |
| 17 | + |
| 18 | +### Customer’s Responsibilities: |
| 19 | + |
| 20 | + - Keep Craft CMS, plugins, and dependencies up to date, including the Craft Cloud extension |
| 21 | + - Manage application credentials securely |
| 22 | + - Implement secure coding practices to prevent common vulnerabilities |
| 23 | + - Review application logs |
| 24 | + |
| 25 | +## Infrastructure & Platform Security |
| 26 | + |
| 27 | +### Physical and Cloud Provider Controls |
| 28 | + |
| 29 | +Craft Cloud’s infrastructure runs on industry-leading cloud providers that implement robust controls. These companies use fully SOC-2 compliant access procedures. |
| 30 | + |
| 31 | +You can read more about their compliance and security policies here: |
| 32 | + |
| 33 | +- AWS: [https://aws.amazon.com/compliance/](https://aws.amazon.com/compliance/) |
| 34 | +- Cloudflare: [https://www.cloudflare.com/trust-hub/compliance-resources/](https://www.cloudflare.com/trust-hub/compliance-resources/) |
| 35 | + |
| 36 | +### Network Security and Segregation |
| 37 | + |
| 38 | +Craft Cloud leverages: |
| 39 | + |
| 40 | +- Enterprise-grade firewalls and DDoS protection |
| 41 | +- Encrypted network connections for internal traffic |
| 42 | +- Isolation of customer environments to prevent unauthorized lateral movement |
| 43 | + |
| 44 | +Every Craft Cloud project includes firewall and global CDN protections by default. |
| 45 | + |
| 46 | +Since portions of Craft Cloud are multi-tenant, it utilizes some shared infrastructure across projects. To ensure that different projects cannot communicate with each other, it maintains strict network segregation between components. |
| 47 | + |
| 48 | +### Ephemeral Filesystems |
| 49 | + |
| 50 | +All Craft Cloud projects run on a read-only, ephemeral file system, which offers some inherent security benefits. If a site is compromised, redeploying will remove any scripts or payloads left behind and reset the code to a known good state prior to the compromise. |
| 51 | + |
| 52 | +## Data Protection |
| 53 | + |
| 54 | +- Databases and backups are fully encrypted, with encryption provided by the underlying storage service providers. |
| 55 | + |
| 56 | +### Backups and Recovery |
| 57 | + |
| 58 | +- Daily automated database backups are performed for all customer projects |
| 59 | +- Customers can trigger optional manual backups |
| 60 | +- Backups are retained for 30 days. |
| 61 | + |
| 62 | +## Identity and Access Management |
| 63 | + |
| 64 | +### Platform Access Controls |
| 65 | + |
| 66 | +Craft Cloud enforces role-based access controls via Craft Console Organizations. Customers are highly encouraged to create their Craft Cloud projects within a Craft Console Organization to take advantage of these role-based access controls. |
| 67 | + |
| 68 | +### Two-Factor Authentication (2FA) |
| 69 | + |
| 70 | +Customers are highly encouraged to enable two-factor authentication (2FA) for their Craft Console accounts, as well as for their Craft installations hosted on Craft Cloud. |
| 71 | + |
| 72 | +### Staff Access |
| 73 | + |
| 74 | +Craft Cloud staff have secure access to client projects, but will only access that data for the purposes of debugging and supporting the customer. |
| 75 | + |
| 76 | +## Incident Response and Monitoring |
| 77 | + |
| 78 | +Craft Cloud incorporates monitoring for: |
| 79 | + |
| 80 | +- Unauthorized access attempts |
| 81 | +- Anomalous platform activity |
| 82 | +- Infrastructure alerts |
| 83 | + |
| 84 | +Customers are notified of incidents via [https://status.craftcms.com](https://status.craftcms.com/) where they can subscribe to any incidents and updates. |
| 85 | + |
| 86 | +## Reporting a Vulnerability |
| 87 | + |
| 88 | +Please report any security vulnerabilities to [support@craft.cloud](mailto:support@craft.cloud). |
| 89 | + |
| 90 | +You can read our policy on reporting vulnerabilities here: [https://github.com/craftcms/cms/security/policy](https://github.com/craftcms/cms/security/policy). |
0 commit comments