Almost EVERYONE who tried headless systems said they saw benefits. Download the state of CMS now!

O’Reilly Report: Decoupled Applications and Composable Web Architectures - Download Now

Empower your teams & get a 582% ROI: See Storyblok's CMS in action

Skip to main content

Trust Center

As an ISO 27001 certified CMS, Storyblok is one of the most secure, enterprise-grade CMS available on the market. Storyblok is continuously tested and monitored through ISO 27001 certified security protocols. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing.

Our data privacy and protection protocols go well beyond compliance. For us data privacy is not just a checklist. It is one of our driving principles. Our desire to safeguard and protect this principle encompasses every aspect of our company - from software development to employee operations.

ISO 27001 certified

Storyblok is ISO 27001 certified. This recognizes that all our products, operations, support processes and data storage protocols meet the highest international security standards.The conformance to ISO 27001 is certified by TÜV Rheinland and annually re-evaluated.

AWS

Storyblok services are hosted on Amazon AWS. Amazon AWS provides data center security in compliance with different industry certifications (such as SOC 1, SOC 2, PCI DSS Level 1, or FedRAMP).

Change management

Storyblok applies a systematic approach to managing change so that updates to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The Storyblok change management process is designed to maintain the integrity of our service.

Regular penetration tests

We conduct regular vulnerability and penetration tests both by the Storyblok security team and by leading third party security providers.

Web Application Firewall (WAF)

Our AWS environment is safeguarded by a WAF (web application firewall). This WAF safeguards web applications and APIs from common threats, web exploits and bots that compromise availability, jeopardize security and consume excessive resources.

The API first advantage

With Storyblok, the backend is separated from user interfaces and subsequently significantly reduces exposure to attacks that plague most traditional CMS systems.

Threat detection

Through AWS Guard Duty’s AI-based intrusion detection, our system continuously monitors for unauthorized activity, use of compromised credentials, unusual data access, API calls from malicious IP addresses and much more.

Section titled How we ensure service reliability How we ensure service reliability

Guaranteed Service Levels

We offer Service Level Agreements for all our customers. The service level agreement for enterprise accounts is a Yearly Uptime Percentage of at least ninety-nine point nine (99.9) percent. For further information contact our sales team.

Contingency planning

We maintain an active emergency plan for our production environment including a recovery plan with alert mechanisms reaching the CEO, CTO, the ISM, and the head of development. Our emergency plans are regularly tested and reviewed by senior engineers and external security specialists.

CDN

Storyblok uses a CDN that securely delivers data with low latency and at high transfer speeds.

Scaling

We employ automatic scaling during high demand periods that seamlessly scales capacity during service peaks. If that doesn’t resolve any negative impact, an alert chain is triggered to alert the appropriate employees.

Monitoring and reporting

We continuously monitor performance to ensure consistently fast response times and service availability. As such, our minimum uptime reports in at 99.9 across all service levels.

Access Rights

Employees who need to have access to our production systems are required to use certificate based authentication and two-factor authentication. Access to systems is only provided on a need to know basis. We revoke access immediately when an employee leaves the organization. Access rights are regularly checked by the internal owner of the system.

GDPR

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Storyblok is fully GDPR compliant and follows privacy regulations around the world.

Data Encryption

All data is encrypted both in transit and at rest using state of the art key lengths and algorithms. Minimum cryptographic requirements include:

  • TLS 1.2 or TLS 1.3 (transport encryption)
  • AES-128, AES-192, AES-256 (symmetric encryption)
  • RSA with min. 2000 Bit (asymmetric encryption)
  • SHA-256, SHA-512/56, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512 (hash algorithm)
  • Diffie-Hellman, EC Diffie-Hellman (asymmetric key exchange methods)
  • The following cryptographic algorithms are no longer permitted (among others): Triple-DES (3DES), MD5, SHA-1, RSA with PKCS1v1.5 padding, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
  • Additionally, we follow all requirements for data encryption in the BSI Technical Guidelines (e.g.: TR-02102-1, TS-02102-2, ...).

Backups & Recovery

Based on our service architecture, only the database needs backing up to ensure the continuity of the service. All other services can be redeployed from configuration scripts. The database is backed up using the following schedule:

  • S3 backup: Users can create daily backups to an S3 bucket under their own control.
  • Read Replica (continuous/incremental): In case of a database failure to the main region, a hot-standby replica is available to take over the service immediately.
  • Transaction Log: restore to any point in time within the last 14 days using the Transaction Log which is routinely tested and regularly backed-up

Information Security Management

When information security incidents occur, a structured process is defined that governs responsibilities and associated activities, including information obligations. An information security incident is documented in detail and, depending on the criticality, escalated to the CEO of the company. An information security incident (IS-incident) differs from a regular incident in that unauthorized persons attempt to access, change, destroy or pass on information - irregardless of whether this attempt was successful, internal or external. Examples include; a lost device (like laptops), a hacker in the productive environment, or a non-closable vulnerability. Each IS incident is documented and reported to management. The impact of the IS incident has to be classified:

  • Huge impact (for Storyblok, partners, or customers)
  • Medium impact
  • No impact (if this was detected while analyzing)

For an IS incident with at least medium impact, the CEO is informed immediately. All other IS incidents below the 'medium' threshold are reported at the conclusion of the investigation.

OWASP

Storyblok follows the Open Web Application Security Project OWASP.

Peer Reviewed

We conduct dedicated security code reviews, continuous security training, and security testing.

Automated Testing

Our code undergoes automated vulnerability testing, scans, anomaly detection, and automated dependency updates.

Quality Assurance (QA)

Storyblok’s quality assurance follows secure software development best practices, which include formal design reviews by the Storyblok team, threat modeling, and completion of risk assessments. Testers simulate real attack scenarios that can be potentially executed by a malicious external or internal user of the application. The objective of these tests is to test the application in an operational environment.

The final stage of evaluation is executed in an environment that is a very close replica of the actual application that is being deployed into production. After passing the tests in QA, testers document the result of their tests and potential security issues. Storyblok’s developers review the documents and approve them if no further security issues have been found.

Authentication

Storyblok mandates the use of password manager, 2FA, SSO where available for all employees. No employee has direct access to the product environment - which is kept on a need to know basis.

Company wide security protocols

Company-wide protocols including strict access control, centralized endpoint management, mandatory security checks and regular security awareness training.

SaaS Support & Services

Storyblok aims to provide the best level of support for our customers at all times. For our SaaS (Software as a Service) offering we use commercially reasonable efforts to meet SLAs. For our Enterprise offering increased resources are available which are reflected in a higher level of guaranteed availability. The best way to contact support is through our live chat widget available on most of our web pages. Through this channel we provide assistance within competitive response times based on level of urgency and required support.

Service Levels

Service & Support

Storyblok SaaS operational state

Storyblok services are hosted on Amazon AWS. Amazon AWS provides data center security in compliance with different industry certifications. This enables Storyblok to deliver outstanding availability and performance while protecting the security of your data.

Uptime Storyblok

Compliance

The European Union’s GDPR (General Data Protection Regulation) was established in response to an evolving technology landscape where data is transferred in a global infrastructure. Storyblok respects your right to privacy. See the links below to find out more about which information is collected when using the service and how your rights are protected.

GDPR & Privacy Policy

Data Processing Agreement

Terms and Conditions

Terms and Conditions Enterprise Customers - Americas

Governance

Storyblok, a company with international employees, customers and partners, adheres to a strong value system. Our Code of Conduct exemplifies these values and helps guide our daily interactions within the company and with all of our extended network. We hold ourselves to the highest standards, and our success can be attributed to our unflagging commitment to our well-crafted guiding principles.

Storyblok encourages every and all stakeholders to speak up in case of any behaviour against the law, regulations, our code of conduct, or internal policies. Our anti-bribery policy reflects our stern commitment to the strict prevention of bribery and other forms of corruption.

Code of Conduct

Whistleblowing Policy

Anti-bribery Policy