Security that
scales with you.

Purpose-built for secure development, Vercel allows you to build, deploy, and protect applications with our suite of security features.

Get a Demo

Vercel Firewall

Resilient edge protection

Web Application Firewall

Secure application traffic

Workspace Security

Trusted access management

Trusted by security teams.
  • wiz Logowiz Logo
  • open-ai Logoopen-ai Logo
  • abnormal Logoabnormal Logo
  • snyk Logosnyk Logo
  • laurentian-bank Logolaurentian-bank Logo
  • truesec Logotruesec Logo

Automatic protections. Free for all users.

The Vercel Firewall provides system-wide protections to secure your apps at scale.

Learn More
Visit Your Firewall

Global protection

Edge-localized protection. 

L3/L4 protection at every edge location. Your site stays protected without adding latency.

DDoS mitigation

Automatic DDoS Mitigation for all plans. 

Embedded bot management and protection against traffic abuse.

Challenge Mode

Protect your site when under attack. 

Prevent malicious traffic by showing a verification challenge for visitors in real-time.

The invisible bot detection engine.

BotID is fast, reliable, and built for both your users and developers. No CAPTCHAs, API keys, or fine-tuning required.

Learn more

Customized application security. Instantly deployed at scale.

Vercel’s Web Application Firewall allows customers to create custom rules to log, block, challenge, or rate limit L7 traffic.

Learn moreAdd WAF rules now

  • Observability

    Utilize our observability dashboard to make informed security decisions.

  • Managed Rulesets

    Activate Vercel’s managed rulesets to protect against top priority risks, including OWASP Top 10.

  • Custom WAF Rules

    Create and enforce rules unique to your business with IP blocking, rate limiting, and more.

Right access. Right roles.

Protect deployments and workspaces with workspace security controls.

Learn More

Role-based Access Control

Assign roles to ensure that the right people have the right permissions to work on your projects.

Deployment Protection

Secure your Vercel project's preview and production URLs with fine-grained access control.

Audit Logs

Enterprise

Track and analyze your team members' activity. Accessed by team members with the owner role.

Directory Sync

Enterprise

Manage your organization's memberships by integrating with third-party identity providers.

Certificate of ISO 27001
ISO 27001
Certificate of SOC 2
SOC 2
Certificate of PCI DSS
PCI DSS
Certificate of HIPAA
HIPAA
Certificate of GDPR
GDPR
Certificate of DPF
DPF

Frequently asked questions.

Does Vercel offer DDoS protection?
Yes. Vercel Enterprise customers are covered by two forms of DDoS protection. Our systems can automatically detect and block malicious attacks on customer sites. For significantly larger, distributed attacks, we work closely with the customer to ensure your site(s) stay online. The combination of automated prevention and direct communication from our Customer Success Managers helps ensure your site is resilient to attacks. Contact us to learn more.
Is Vercel SOC 2 Type 2 compliant?
Yes, Vercel has a SOC 2 Type 2 attestation. Contact us for more details or to access the report.
Is Vercel GDPR compliant?
Yes. For more information, see our Privacy Policy. No data is stored permanently inside EU regions. Static assets and Serverless Functions responses can be cached in EU regions, but it is ephemeral. Vercel provides a Data Processing Addendum (DPA) which describe our Technical and Organizational Security Measures. For more information, our Privacy Policy explains how information is collected, used, processed and disclosed by Vercel.
Is Vercel ISO 27001 certified?
Yes, Vercel is ISO 27001:2013 certified. Contact us for more details or to access the certificate.
Is Vercel TISAX Compliant?

Yes, Vercel has completed TISAX Assessment Level 2 to serve the automotive industry. Customers can access results directly through the ENX portal.

To view the assessment details:

  • Sign in to your account on the ENX portal
  • Search for Vercel or look up the following details:
    • Assessment ID: AMR06H-1
    • Scope ID: SYN3TM
Is Vercel certified under the Data Privacy Framework (DPF)?
Yes, Vercel is certified under the DPF. Our public listing is available at https://www.dataprivacyframework.gov/list. For more information, see our Privacy Notice.
Does Vercel support HIPAA compliance?
Vercel supports HIPAA compliance for enterprise customers. Our HIPAA report is available upon request at security.vercel.com. Contact us for more details if HIPAA is important for you.
Does Vercel support PCI compliance?
Yes, Vercel has a Self-Assessment Questionnaire (SAQ)-D Attestation of Compliance (AOC) for Service Providers and a Self-Assessment Questionnaire (SAQ)-A Attestation of Compliance (AOC) for Merchants based on PCI DSS v4.0. Contact us for more details or to access these reports.
Can I protect my deployments?
Yes. Vercel offers flexible access options. Any plan has access to Deployment Protection which include Vercel Authentication and Shareable Links (Hobby plan limited to 1 link per account). Customers on the pro plan can opt-in to Advanced Deployment Protection for $150 which offers Password Protection, Deployment Protection Exceptions and Private Production Deployments.
Does Vercel encrypt data?
Yes. Data is encrypted at rest (AES-256) and in transit (HTTPS / TLS), including sensitive information like access tokens and secrets.
Does Vercel backup the data on its platform?
Yes. Our current backup interval is every two hours and each backup is persisted for 30 days. Automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service, and those backups are globally replicated for resiliency against regional disasters. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Vercel engineering team.
What infrastructure does Vercel use?
The Vercel Edge Network & deployment platform primarily uses Amazon Web Services (AWS). In the case of an AWS outage, our network is resilient to regional downtime. Vercel will automatically route traffic to the nearest available edge.
Vercel.com uses Azure CosmosDB to store and globally replicate data, which is different than our Edge Network. This is an additional step taken to ensure uptime for applications on our platform.
Does Vercel provide infrastructure segregation?
Enterprise Teams on Vercel have their own build infrastructure ensuring isolation from Hobby/Pro accounts on Vercel.
Does Vercel conduct regular penetration testing and vulnerability scans?
Yes. Vercel conducts regular penetration testing with third-party experts. In addition to our annual penetration tests, we consistently perform targeted assessments on an ongoing basis. We also implement daily code reviews, static analysis checks, and dependency scanning at the code level. Our cloud security posture management platform (CSPM) facilitates workload vulnerability scanning. Pro and Enterprise customers can request access to our latest annual penetration testing reports.
Does Vercel use subprocessors?
Yes, a list of our current subprocessors can be found on our subprocessors page.
Does Vercel have a bug bounty program?
Yes. Vercel has a Private Bug Bounty program that rewards researchers for finding and reporting security vulnerabilities. For more information, or to report a vulnerability, please reach out to us at responsible.disclosure@vercel.com
Does Vercel protect against OWASP Top 10?
Yes. Vercel offers managed rulesets, including one specifically designed to protect against the OWASP Top 10 risks. This feature is available on Enterprise plans.

Ready to deploy? Start building with a free account. Speak to an expert for your Pro or Enterprise needs.

Start Deploying
Talk to an Expert

Trial Vercel with higher execution, increased app bandwidth, Speed Insights, team features, and more.

Request a Trial