The platform and your data are hosted on Heroku and AWS infrastructure, which adhere to industry-leading standards, including ISO 27001, SOC 1, SOC 2/SSAE, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).
Certifications overview
ButterCMS uses SOC2 Type 2 and SOC3-compliant AWS data centers to deliver high scalability, availability, and performance levels while maintaining strict security and compliance standards.
ButterCMS leverages AWS’s extensive compliance certifications. As a customer, you benefit from AWS’s investments in security and compliance across their global infrastructure.
Compliance standards summary
Standard | Status | Description
--- | --- | ---
ISO 27001 | Certified | Information security management
SOC 1 | Compliant | Financial reporting controls
SOC 2 Type 2 | Compliant | Security, availability, confidentiality
SOC 3 | Compliant | Public trust report
PCI DSS Level 1 | Compliant | Payment card data security
FISMA Moderate | Compliant | US federal security standards
SOX | Compliant | Financial compliance (Sarbanes-Oxley)
GDPR | Compliant | EU data protection regulation
HIPAA | Infrastructure ready | Healthcare data (via AWS)
ISO 27001
The data centers where content is stored are ISO 27001 certified, a standard recognized globally.
What is ISO 27001?
ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for:
Risk Assessment - Identifying and managing security risks
Security Controls - Implementing appropriate safeguards
Continuous Improvement - Ongoing security enhancement
Third-Party Assurance - Independent verification of security practices
ISO 27001 coverage
Area | What It Covers
--- | ---
Access Control | User authentication, authorization
Cryptography | Encryption, key management
Physical Security | Data center access controls
Operations Security | Logging, monitoring, malware protection
Communications Security | Network security, data transfer
Incident Management | Security incident response
Business Continuity | Disaster recovery, backup
Compliance | Legal and regulatory requirements
SOC 2 Type 2
What is SOC 2?
SOC 2 (Service Organization Control 2) is an auditing procedure that ensures service providers securely manage data. Type 2 reports cover an extended period (typically 6-12 months) to verify controls operate effectively over time.
Trust services criteria
SOC 2 evaluates five trust service criteria:
Criteria | Description | ButterCMS Status
--- | --- | ---
Security | Protection against unauthorized access | Compliant
Availability | System accessibility as agreed | Compliant
Processing Integrity | Complete and accurate data processing | Compliant
Confidentiality | Protection of confidential information | Compliant
Privacy | Personal information handling | Compliant
Why SOC 2 matters
Independent Verification - Third-party auditors verify security controls
Continuous Compliance - Type 2 covers ongoing operations, not just a point in time
Industry Standard - Widely recognized for SaaS and cloud services
Customer Assurance - Demonstrates commitment to security
Enterprise customers can request SOC 2 reports for due diligence and compliance documentation.
PCI DSS
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.
PCI compliance at ButterCMS
Aspect | Details
--- | ---
Level | PCI DSS Level 1 (via AWS)
Scope | Infrastructure and data centers
Payment Processing | Handled by Stripe (PCI Level 1 certified)
Credit Card Data | Never stored in ButterCMS
ButterCMS does not store credit card information. All payment processing is handled by Stripe, a PCI Level 1 certified payment processor.
GDPR compliance
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that governs how personal data is collected, processed, and stored.
ButterCMS GDPR compliance
Requirement | How ButterCMS Complies
--- | ---
Lawful Basis | Clear terms of service and privacy policy
Data Minimization | We collect only necessary data
Right to Access | Export your data at any time
Right to Erasure | Delete your account and data on request
Data Portability | Export data in standard formats
Security | Encryption, access controls, monitoring
Breach Notification | Procedures for timely notification
Data processing agreement (DPA)
Enterprise customers can request a Data Processing Agreement that covers:
Nature and purpose of processing
Types of personal data processed
Duration of processing
Obligations of both parties
Sub-processor information
Data transfer mechanisms
Request DPA: Contact support to request a Data Processing Agreement.
FISMA
What is FISMA?
FISMA (Federal Information Security Management Act) is a United States law that requires federal agencies and their contractors to develop, document, and implement information security programs.
FISMA Moderate
ButterCMS infrastructure (via AWS) meets FISMA Moderate requirements:
Risk Assessment - Regular security assessments
Security Planning - Documented security procedures
Security Training - Personnel awareness programs
Incident Response - Defined response procedures
Contingency Planning - Business continuity measures
Physical Protection - Data center security
FISMA compliance is relevant for organizations working with US federal government data or contracts.
SOX compliance
What is SOX?
The Sarbanes-Oxley Act (SOX) is a US law that establishes requirements for financial record keeping and reporting for public companies.
SOX relevance
While SOX primarily applies to publicly traded companies, ButterCMS’s infrastructure supports SOX compliance through:
Access Controls - Role-based access to sensitive data
Audit Trails - Logging of content changes
Data Integrity - Protection against unauthorized modification
Backup & Recovery - Data protection and availability
HIPAA
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) establishes standards for protecting sensitive patient health information.
HIPAA and ButterCMS
Aspect | Status
--- | ---
AWS Infrastructure | HIPAA eligible services available
ButterCMS Platform | Not HIPAA certified by default
Healthcare Use | Possible with proper configuration
Important: If you need to store Protected Health Information (PHI), contact ButterCMS to discuss HIPAA compliance requirements and a Business Associate Agreement (BAA).
Additional certifications
AWS certifications (infrastructure)
ButterCMS benefits from AWS’s extensive certifications:
Certification | Description
--- | ---
CSA STAR | Cloud Security Alliance certification
FedRAMP | Federal Risk and Authorization Management
IRAP | Australian government security
MTCS | Singapore Multi-Tier Cloud Security
C5 | German Cloud Computing Compliance
ENS High | Spanish National Security Framework
K-ISMS | Korean Information Security Management
Industry-specific compliance
ButterCMS can support various industry-specific requirements:
Industry | Relevant Standards
--- | ---
Finance | SOC 2, PCI DSS, SOX
Healthcare | HIPAA (with BAA)
Government | FISMA, FedRAMP (via AWS)
E-commerce | PCI DSS
International | GDPR, regional standards
Security assessments
Regular security practices
ButterCMS maintains security through:
penetration testing
vulnerability scanning
security audits
code reviews
dependency updates