> ## Documentation Index
> Fetch the complete documentation index at: https://buttercms.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance certifications

> A comprehensive list of compliance certifications and security standards that ButterCMS adheres to, including ISO 27001, SOC 2, and more.

The platform and your data are hosted on Heroku and AWS infrastructure, which adhere to industry-leading standards, including ISO 27001, SOC 1, SOC 2/SSAE, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).

## Certifications overview

ButterCMS uses SOC2 Type 2 and SOC3-compliant AWS data centers to deliver high scalability, availability, and performance levels while maintaining strict security and compliance standards.

<Info>
  ButterCMS leverages AWS's extensive compliance certifications. As a customer, you benefit from AWS's investments in security and compliance across their global infrastructure.
</Info>

### Compliance standards summary

| Standard            | Status               | Description                             |
| ------------------- | -------------------- | --------------------------------------- |
| **ISO 27001**       | Certified            | Information security management         |
| **SOC 1**           | Compliant            | Financial reporting controls            |
| **SOC 2 Type 2**    | Compliant            | Security, availability, confidentiality |
| **SOC 3**           | Compliant            | Public trust report                     |
| **PCI DSS Level 1** | Compliant            | Payment card data security              |
| **FISMA Moderate**  | Compliant            | US federal security standards           |
| **SOX**             | Compliant            | Financial compliance (Sarbanes-Oxley)   |
| **GDPR**            | Compliant            | EU data protection regulation           |
| **HIPAA**           | Infrastructure ready | Healthcare data (via AWS)               |

## ISO 27001

The data centers where content is stored are ISO 27001 certified, a standard recognized globally.

### What is ISO 27001?

ISO 27001 is the international standard for information security management systems (ISMS). It provides a framework for:

* **Risk Assessment** - Identifying and managing security risks
* **Security Controls** - Implementing appropriate safeguards
* **Continuous Improvement** - Ongoing security enhancement
* **Third-Party Assurance** - Independent verification of security practices

### ISO 27001 coverage

| Area                        | What It Covers                          |
| --------------------------- | --------------------------------------- |
| **Access Control**          | User authentication, authorization      |
| **Cryptography**            | Encryption, key management              |
| **Physical Security**       | Data center access controls             |
| **Operations Security**     | Logging, monitoring, malware protection |
| **Communications Security** | Network security, data transfer         |
| **Incident Management**     | Security incident response              |
| **Business Continuity**     | Disaster recovery, backup               |
| **Compliance**              | Legal and regulatory requirements       |

## SOC 2 Type 2

### What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing procedure that ensures service providers securely manage data. Type 2 reports cover an extended period (typically 6-12 months) to verify controls operate effectively over time.

### Trust services criteria

SOC 2 evaluates five trust service criteria:

| Criteria                 | Description                            | ButterCMS Status |
| ------------------------ | -------------------------------------- | ---------------- |
| **Security**             | Protection against unauthorized access | Compliant        |
| **Availability**         | System accessibility as agreed         | Compliant        |
| **Processing Integrity** | Complete and accurate data processing  | Compliant        |
| **Confidentiality**      | Protection of confidential information | Compliant        |
| **Privacy**              | Personal information handling          | Compliant        |

### Why SOC 2 matters

* **Independent Verification** - Third-party auditors verify security controls
* **Continuous Compliance** - Type 2 covers ongoing operations, not just a point in time
* **Industry Standard** - Widely recognized for SaaS and cloud services
* **Customer Assurance** - Demonstrates commitment to security

<Tip>
  Enterprise customers can request SOC 2 reports for due diligence and compliance documentation.
</Tip>

## PCI DSS

### What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.

### PCI compliance at ButterCMS

| Aspect                 | Details                                   |
| ---------------------- | ----------------------------------------- |
| **Level**              | PCI DSS Level 1 (via AWS)                 |
| **Scope**              | Infrastructure and data centers           |
| **Payment Processing** | Handled by Stripe (PCI Level 1 certified) |
| **Credit Card Data**   | Never stored in ButterCMS                 |

<Info>
  ButterCMS does not store credit card information. All payment processing is handled by Stripe, a PCI Level 1 certified payment processor.
</Info>

## GDPR compliance

### What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that governs how personal data is collected, processed, and stored.

### ButterCMS GDPR compliance

| Requirement             | How ButterCMS Complies                    |
| ----------------------- | ----------------------------------------- |
| **Lawful Basis**        | Clear terms of service and privacy policy |
| **Data Minimization**   | We collect only necessary data            |
| **Right to Access**     | Export your data at any time              |
| **Right to Erasure**    | Delete your account and data on request   |
| **Data Portability**    | Export data in standard formats           |
| **Security**            | Encryption, access controls, monitoring   |
| **Breach Notification** | Procedures for timely notification        |

### Data processing agreement (DPA)

Enterprise customers can request a Data Processing Agreement that covers:

* Nature and purpose of processing
* Types of personal data processed
* Duration of processing
* Obligations of both parties
* Sub-processor information
* Data transfer mechanisms

<Card title="Request DPA" icon="file-contract" href="mailto:support@buttercms.com">
  Contact support to request a Data Processing Agreement
</Card>

## FISMA

### What is FISMA?

FISMA (Federal Information Security Management Act) is a United States law that requires federal agencies and their contractors to develop, document, and implement information security programs.

### FISMA Moderate

ButterCMS infrastructure (via AWS) meets FISMA Moderate requirements:

* **Risk Assessment** - Regular security assessments
* **Security Planning** - Documented security procedures
* **Security Training** - Personnel awareness programs
* **Incident Response** - Defined response procedures
* **Contingency Planning** - Business continuity measures
* **Physical Protection** - Data center security

<Info>
  FISMA compliance is relevant for organizations working with US federal government data or contracts.
</Info>

## SOX compliance

### What is SOX?

The Sarbanes-Oxley Act (SOX) is a US law that establishes requirements for financial record keeping and reporting for public companies.

### SOX relevance

While SOX primarily applies to publicly traded companies, ButterCMS's infrastructure supports SOX compliance through:

* **Access Controls** - Role-based access to sensitive data
* **Audit Trails** - Logging of content changes
* **Data Integrity** - Protection against unauthorized modification
* **Backup & Recovery** - Data protection and availability

## HIPAA

### What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) establishes standards for protecting sensitive patient health information.

### HIPAA and ButterCMS

| Aspect                 | Status                             |
| ---------------------- | ---------------------------------- |
| **AWS Infrastructure** | HIPAA eligible services available  |
| **ButterCMS Platform** | Not HIPAA certified by default     |
| **Healthcare Use**     | Possible with proper configuration |

<Warning>
  **Important:** If you need to store Protected Health Information (PHI), contact ButterCMS to discuss HIPAA compliance requirements and a Business Associate Agreement (BAA).
</Warning>

## Additional certifications

### AWS certifications (infrastructure)

ButterCMS benefits from AWS's extensive certifications:

| Certification | Description                               |
| ------------- | ----------------------------------------- |
| **CSA STAR**  | Cloud Security Alliance certification     |
| **FedRAMP**   | Federal Risk and Authorization Management |
| **IRAP**      | Australian government security            |
| **MTCS**      | Singapore Multi-Tier Cloud Security       |
| **C5**        | German Cloud Computing Compliance         |
| **ENS High**  | Spanish National Security Framework       |
| **K-ISMS**    | Korean Information Security Management    |

### Industry-specific compliance

ButterCMS can support various industry-specific requirements:

| Industry          | Relevant Standards       |
| ----------------- | ------------------------ |
| **Finance**       | SOC 2, PCI DSS, SOX      |
| **Healthcare**    | HIPAA (with BAA)         |
| **Government**    | FISMA, FedRAMP (via AWS) |
| **E-commerce**    | PCI DSS                  |
| **International** | GDPR, regional standards |

## Security assessments

### Regular security practices

ButterCMS maintains security through:

* penetration testing
* vulnerability scanning
* security audits
* code reviews
* dependency updates
