Security Policy

This page provides an overview of the security measures taken by Contentful to protect content and user data hosted on our platform from unauthorized access. Where relevant, we include links to security guidelines and resources developed by third parties.

1. Data Storage

Contentful stores your content on Amazon S3 servers. Amazon’s data centers employ a set of advanced physical, network and software security measures to ensure integrity and safety of customers’ data. Among others, these measures include:

  • Secure access: Data transferred between Contentful servers and S3 storage facilities is secured via SSL endpoints using the HTTPS protocol;
  • Multi-factor authentication: Contentful staff exclusively use multi-factor authentication to access AWS accounts, thus reducing the risk of unauthorized access.

Amazon S3 comes with built-in network and security monitoring systems designed to provide increased protection against threats like Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, password brute-force attempts, and packet sniffing.

All user content and data is backed up on S3 storage every six hours. Additionally, redundancy of the stored data is ensured by making copies of the existing data in undisclosed locations. You are free to download all your content to back it up offsite by fetching data via the Contentful Delivery API.

Find out more about Amazon’s S3 security policy at:

  • AWS S3 Security
  • AWS Security Center

2. Data transfer & delivery

Contentful uses a secure channel with 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure Internet connections, for all traffic between desktop clients, mobile devices and our servers, as well as for all content delivered to end-users. The Content Delivery API is also available on a non-secure channel for applications that don't require secure content transmission.

3. Payment data

Contentful uses Wirecard’s infrastructure to process credit card payments, which means that no credit card information or related personal information is stored on our servers. Wirecard enforces stringent PCI (Payment Card Industry) compliance criteria to ensure that any data stored and/or processed on its servers is handled in a secure way.

In addition to privacy and safety measures, Wirecard employs an extensive range of checks designed to minimize payment fraud and unauthorized access. These checks include 3D-Secure authorization, credit card background checks, flagging suspicious transactions for manual verification, and real-time monitoring of payment transactions with automated anti-fraud algorithms.

More about Wirecard security measures:

  • Wirecard Fraud Prevention

4. Passwords

All user passwords are stored in the database in an encrypted form. Contentful uses salts and the bcrypt library to increase the complexity of the encryption technique and thus minimize the risk that passwords will be cracked.

While Contentful’s team puts a lot of effort into securing your login credentials, it is important to remember that poorly chosen passwords, even when properly encrypted, are vulnerable to common cracking techniques employed by professional attackers. For this reason, we urge our users to follow security guidelines for choosing a password outlined below:

Generic passwords based on popular words, common names, birth dates or favorite brands are easy to guess or harvest from online profiles. Combining several unconnected words with additional random characters makes your password stronger and more difficult to guess.

Use a unique password per site. By recycling identical passwords for multiple websites, you expose your accounts to compromise as a result of a security breach on any one of those websites. The use of tools or services like KeePassX and 1Password is strongly encouraged.

Use creative spelling. A common technique for hacking passwords is to use dictionaries to generate random passwords. For this reason "unc*nvent^onal spe!!ing" and upPeRc@siNg, as well as the use of non-obvious numb5rs and §ymbols, will make your passwords harder to crack.

5. Privacy

For information on our privacy guidelines, please view our privacy policy.

6. Bug reporting

We encourage responsible reporting of security vulnerabilities and software bugs. If you find a vulnerability, please report it to [email protected] and abstain from publicly announcing it before it is fixed. Please note that we discourage attempts to gain illegitimate access to another user's account or data, attempts to compromise the reliability and/or integrity of our services, and the use of automated tools to find vulnerabilities.

Our community plays an important role in helping us stay bug-free and secure.

Contentful is using the funds from the Pro FIT program to further develop its product offering. The goal is to drive sales and market share.