As an ISO 27001 certified CMS, Storyblok is one of the most secure, enterprise-grade CMS available on the market. Storyblok is continuously tested and monitored through ISO 27001 certified security protocols. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing.
Our data privacy and protection protocols go well beyond compliance. For us data privacy is not just a checklist. It is one of our driving principles. Our desire to safeguard and protect this principle encompasses every aspect of our company - from software development to employee operations.
How we secure your content
ISO 27001 certified
Storyblok is ISO 27001 certified. This recognizes that all our products, operations, support processes and data storage protocols meet the highest international security standards.The conformance to ISO 27001 is certified by TÜV Rheinland and annually re-evaluated.
Storyblok services are hosted on Amazon AWS. Amazon AWS provides data center security in compliance with different industry certifications (such as SOC 1, SOC 2, PCI DSS Level 1, or FedRAMP).
Storyblok applies a systematic approach to managing change so that updates to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The Storyblok change management process is designed to maintain the integrity of our service.
Regular penetration tests
We conduct regular vulnerability and penetration tests both by the Storyblok security team and by leading third party security providers.
Web Application Firewall (WAF)
Our AWS environment is safeguarded by a WAF (web application firewall). This WAF safeguards web applications and APIs from common threats, web exploits and bots that compromise availability, jeopardize security and consume excessive resources.
The API first advantage
With Storyblok, the backend is separated from user interfaces and subsequently significantly reduces exposure to attacks that plague most traditional CMS systems.
Through AWS Guard Duty’s AI-based intrusion detection, our system continuously monitors for unauthorized activity, use of compromised credentials, unusual data access, API calls from malicious IP addresses and much more.
How we ensure service reliability
Guaranteed Service Levels
We offer Service Level Agreements for all our customers. The service level agreement for enterprise accounts is a Yearly Uptime Percentage of at least ninety-nine point nine (99.9) percent. For further information contact our sales team.
We maintain an active emergency plan for our production environment including a recovery plan with alert mechanisms reaching the CEO, CTO, the ISM, and the head of development. Our emergency plans are regularly tested and reviewed by senior engineers and external security specialists.
Storyblok uses a CDN that securely delivers data with low latency and at high transfer speeds.
We employ automatic scaling during high demand periods that seamlessly scales capacity during service peaks. If that doesn’t resolve any negative impact, an alert chain is triggered to alert the appropriate employees.
Monitoring and reporting
We continuously monitor performance to ensure consistently fast response times and service availability. As such, our minimum uptime reports in at 99.9 across all service levels.
How we protect your data
Employees who need to have access to our production systems are required to use certificate based authentication and two-factor authentication. Access to systems is only provided on a need to know basis. We revoke access immediately when an employee leaves the organization. Access rights are regularly checked by the internal owner of the system.
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Storyblok is fully GDPR compliant and follows privacy regulations around the world.
All data is encrypted both in transit and at rest using state of the art key lengths and algorithms. Minimum cryptographic requirements include:
- TLS 1.2 or TLS 1.3 (transport encryption)
- AES-128, AES-192, AES-256 (symmetric encryption)
- RSA with min. 2000 Bit (asymmetric encryption)
- SHA-256, SHA-512/56, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512 (hash algorithm)
- Diffie-Hellman, EC Diffie-Hellman (asymmetric key exchange methods)
- The following cryptographic algorithms are no longer permitted (among others): Triple-DES (3DES), MD5, SHA-1, RSA with PKCS1v1.5 padding, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
- Additionally, we follow all requirements in the BSI Technical Guidelines (TR-02102-1 or TS-02102-2).
Backups & Recovery
Based on our service architecture, only the database needs backing up to ensure the continuity of the service. All other services can be redeployed from configuration scripts. The database is backed up using the following schedule:
- S3 backup: Users can create daily backups to an S3 bucket under their own control.
- Read Replica (continuous/incremental): In case of a database failure to the main region, a hot-standby replica is available to take over the service immediately.
- Transaction Log: restore to any point in time within the last 14 days using the Transaction Log which is routinely tested and regularly backed-up
Information Security Management
When information security incidents occur, a structured process is defined that governs responsibilities and associated activities, including information obligations. An information security incident is documented in detail and, depending on the criticality, escalated to the CEO of the company. An information security incident (IS-incident) differs from a regular incident in that unauthorized persons attempt to access, change, destroy or pass on information - irregardless of whether this attempt was successful, internal or external. Examples include; a lost device (like laptops), a hacker in the productive environment, or a non-closable vulnerability. Each IS incident is documented and reported to management. The impact of the IS incident has to be classified:
- Huge impact (for Storyblok, partners, or customers)
- Medium impact
- No impact (if this was detected while analyzing)
For an IS incident with at least medium impact, the CEO is informed immediately. All other IS incidents below the ‘medium’ threshold are reported at the conclusion of the investigation.
How we secure our code
Storyblok follows the Open Web Application Security Project OWASP.
We conduct dedicated security code reviews, continuous security training, and security testing.
Our code undergoes automated vulnerability testing, scans, anomaly detection, and automated dependency updates.
Quality Assurance (QA)
Storyblok’s quality assurance follows secure software development best practices, which include formal design reviews by the Storyblok team, threat modeling, and completion of risk assessments. Testers simulate real attack scenarios that can be potentially executed by a malicious external or internal user of the application. The objective of these tests is to test the application in an operational environment.
The final stage of evaluation is executed in an environment that is a very close replica of the actual application that is being deployed into production. After passing the tests in QA, testers document the result of their tests and potential security issues. Storyblok’s developers review the documents and approve them if no further security issues have been found.
How we operate
Storyblok mandates the use of password manager, 2FA, SSO where available for all employees. No employee has direct access to the product environment - which is kept on a need to know basis.
Company wide security protocols
Company-wide protocols including strict access control, centralized endpoint management, mandatory security checks and regular security awareness training.
SaaS Support & Services
Storyblok aims to provide the best level of support for our customers at all times. For our SaaS (Software as a Service) offering we use commercially reasonable efforts to meet SLAs. For our Enterprise offering increased resources are available which are reflected in a higher level of guaranteed availability. The best way to contact support is through our live chat widget available on most of our web pages. Through this channel we provide assistance within competitive response times based on level of urgency and required support.
Storyblok SaaS operational state
Storyblok services are hosted on Amazon AWS. Amazon AWS provides data center security in compliance with different industry certifications. This enables Storyblok to deliver outstanding availability and performance while protecting the security of your data.
The European Union’s GDPR (General Data Protection Regulation) was established in response to an evolving technology landscape where data is transferred in a global infrastructure. Storyblok respects your right to privacy. See the links below to find out more about which information is collected when using the service and how your rights are protected.
Code of Conduct
Storyblok, a company with international employees, customers and partners, adheres to a strong value system. Our Code of Conduct exemplifies these values and helps guide our daily interactions within the company and with all of our extended network. We hold ourselves to the highest standards, and our success can be attributed to our unflagging commitment to our well-crafted guiding principles.