App Platform

Data Security

As part of DigitalOcean’s shared responsibility model, you are responsible for securing the data you store on our services.

For data security purposes, we recommend that you protect your DigitalOcean account credentials and set up individual user accounts with DigitalOcean Teams to help maintain proper access for your services. We also recommend that you secure your data in the following additional ways:

• Enable 2fa by default

• Use SSL/TLS to communicate with external databases or use Trusted Sources with Managed Databases to enable TLS by default.

• Securely forward App Platform logs

• Use the Rollback feature to revert to a former instance in case of a security event in your live instance. This will allow a previous production ready version of your application to be live while you work on fixing the most current version.

Encryption At Rest

There are three ways to store files and data in App Platform apps: Managed Databases, Spaces, and a file system. Our managed database clusters are encrypted at rest with LUKS (Linux Unified Key Setup). Spaces are encrypted on physical disks with 256-bit AES-XTS full-disk encryption. You may use file level encryption if needed.

Encryption In Transit

App Platform serves web content with HTTPS on domains linked to your application. Clear-text HTTP requests will be redirected to HTTPS. Customers should use TLS/SSL when connecting to Managed Databases. The default connection string requests TLS, but it is up to your app to interpret that string and use the TLS certificate authority key correctly. You are responsible for maintaining HTTPS or TLS encryption connections with your Spaces instance or local file system if used as your database.

Workload Isolation

App Platform uses Kata Containers, which results in a more secure container runtime with lightweight virtual machines that feel and perform like containers, but help provide stronger workload isolation using hardware virtualization technology as a second layer of defense. This helps create a more resilient container.

Key Management

Encrypted Environment variables allow you to add secrets as ENV vars for your app that won’t be exposed through the UI or API.

Logging and Monitoring

For more information on how to forward App Platform logs for monitoring please visit our App Platform Logs Documentation.

Compliance

App Platform is audited by third-parties as part of DigitalOcean’s SOC 2 Type 2 report. For details on how to request access to this report, please visit our Trust Platform Certifications page.

Infrastructure Security

As a platform as a service offering, DigitalOcean maintains the security of the infrastructure App Platform is hosted on. For more details, please review our Infrastructure Security Overview page.

Data Center Location Availability

Data center locations available are listed in our App Platform Availability guide. Utilizing multi-regions for redundancy is a best practice for your services. If using Spaces for storage, please review the Spaces Availability Guide. If using Managed Databases, please review the Managed Databases Availability Guides: MongoDB, PostgreSQL, MySQL, and Redis. If using a local file system, identify an appropriate backup solution for your needs.