ButterCMS is a secure and compliant platform that provides security capabilities for businesses of all sizes. Your data is encrypted with AES-256 to safeguard your content. These security capabilities are crucial for protecting the integrity and confidentiality of your data.
Encryption overview
Your data is encrypted at rest using AES-256, and in transit using TLS v1.2. This ensures that your content is protected whether it’s stored in our databases or being transferred to and from your applications.
Encryption standards
| Type | Standard | Description |
|---|---|---|
| At Rest | AES-256 | Industry-standard encryption for stored data |
| In Transit | TLS 1.2+ | Secure communication protocol for data transfer |
| Backups | AES-256 | All backups are encrypted |
| API Keys | Hashed | API tokens are securely hashed in storage |
AES-256 (Advanced Encryption Standard with 256-bit key) is the same encryption standard used by governments and financial institutions worldwide. It would take billions of years to crack with current technology.
Encryption at rest
Content on ButterCMS is securely stored within ISO 27001-certified data centers. Data is safeguarded at rest through AES-256 encryption.
What is encrypted at rest
All data stored in ButterCMS is encrypted:
| Data Type | Encrypted | Notes |
|---|---|---|
| Content | Yes | Pages, blog posts, collections |
| Media Files | Yes | Images, videos, documents |
| User Data | Yes | Account information, profiles |
| API Tokens | Yes | Hashed with additional protection |
| Backups | Yes | Daily backups fully encrypted |
| Logs | Yes | Audit and access logs |
Database encryption
- Storage Encryption - All database storage volumes are encrypted
- Key Management - Encryption keys managed by AWS KMS
- Automatic Rotation - Keys are rotated according to security policies
- Access Controls - Encryption keys accessible only to authorized services
Encryption in transit
Content is protected by AES-256 encryption both at rest and in transit. This ensures your data is protected throughout its lifecycle.
Transport layer security (TLS)
All data transferred to and from ButterCMS is protected by TLS:
- TLS 1.2 Minimum - Older, insecure protocols are disabled
- Strong Cipher Suites - Only modern, secure ciphers are allowed
- Certificate Management - SSL certificates automatically managed and renewed
- HSTS Enabled - HTTP Strict Transport Security enforces HTTPS
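The TLS properties listed above are enforced on the ButterCMS side; the client that calls the API has to hold up its end by refusing weak protocol versions and by verifying the server certificate. The following is an added example, not code from ButterCMS or its documentation. It builds a client-side TLS context with a TLS 1.2 floor, shows the weak configuration it replaces (certificate verification switched off), and parses a Strict-Transport-Security header so a deployment check can confirm HSTS is actually present with a useful max-age. The header values and the 180-day threshold are assumptions chosen for this example.

```python
import ssl
from typing import Optional


def strict_client_context() -> ssl.SSLContext:
    """Client-side TLS policy matching the server-side list above:
    TLS 1.2 as the floor, server certificate required, hostname checked."""
    ctx = ssl.create_default_context()            # loads system CAs, verifies by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1 even if offered
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The weak setting often found in scripts: verification disabled entirely.
    Shown only so the policy check below has something to reject."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_policy_ok(ctx: ssl.SSLContext) -> bool:
    """True when a context meets the floor: TLS >= 1.2 and full certificate checks."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header_value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            out["max_age"] = int(part.split("=", 1)[1].strip().strip('"'))
        elif part == "includesubdomains":
            out["include_subdomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out


def hsts_is_effective(header_value: Optional[str], min_age: int = 15552000) -> bool:
    """True when HSTS is present with a max-age of at least min_age seconds
    (default 180 days, an assumed threshold for this example)."""
    if not header_value:
        return False
    parsed = parse_hsts(header_value)
    return parsed["max_age"] is not None and parsed["max_age"] >= min_age


# Constructed response headers for the check, not captured from ButterCMS.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    print("client policy ok:", client_policy_ok(strict_client_context()))
    print("HSTS effective:", hsts_is_effective(SAMPLE_HEADERS.get("Strict-Transport-Security")))
```

Pass the strict context to `http.client.HTTPSConnection(..., context=ctx)` or to `urllib.request.urlopen(..., context=ctx)`; the HSTS check is meant to run against the headers of a real response from your own deployment pipeline.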
HTTPS enforcement
Data backup & recovery
Redundancy is ensured with daily backups. Your data is automatically backed up daily, ensuring its safety and providing peace of mind.
Backup schedule
| Backup Type | Frequency | Retention | Description |
|---|---|---|---|
| Full Backup | Daily | 30+ days | Complete database snapshot |
| Media Assets | Real-time | Indefinite | S3 native redundancy |
Backup features
- Automatic - Backups run automatically with no action required from you
- Encrypted - All backups are encrypted with AES-256
- Redundant - Multiple copies stored across different regions
Recovery capabilities
If you need to recover data:
- Version History - Restore content to previous versions from the dashboard
- Support-Assisted Recovery - Contact support for database-level recovery
- Enterprise Recovery - Custom recovery options for enterprise customers
Data isolation
Multi-tenant architecture
ButterCMS operates as a multi-tenant platform with strict data isolation:
| Isolation Layer | Description |
|---|---|
| Logical Separation | Each customer’s data is logically separated |
| Access Controls | API tokens provide account-level access only |
| Query Isolation | Database queries are scoped to customer accounts |
| Network Isolation | Internal services communicate through private networks |
Customer data boundaries
- No Cross-Customer Access - Your data is never accessible to other customers
- API Token Scoping - Tokens only access your account’s data
- Audit Logging - All data access is logged and auditable
- Strict RBAC - Role-based access within your organization
Data retention
Content retention
Your content remains in ButterCMS as long as your account is active:
| Data Type | Retention | Notes |
|---|---|---|
| Published Content | Indefinite | Until you delete it |
| Draft Content | Indefinite | Until published or deleted |
| Deleted Content | 30 days | Soft delete, recoverable |
| Version History | Based on plan | Varies by subscription |
| Media Assets | Indefinite | Until you delete them |
Data privacy
Data Processing
| Aspect | ButterCMS Approach |
|---|---|
| Data Location | Primarily US-based (Heroku + AWS) |
| Sub-processors | AWS, Heroku, Fastly, Stripe |
| Data Transfer | Standard Contractual Clauses |
| DPA Available | Yes, for enterprise customers |
Your responsibilities
While ButterCMS secures the platform, you’re responsible for:
- Content you store (avoid storing sensitive PII in content fields)
- User access management within your organization
- Compliance with your own regulatory requirements
- Implementing appropriate privacy notices for your end users
API security
API token security
- Read vs Write Tokens - Separate tokens for read and write operations
- Token Rotation - Regenerate tokens if compromised
- Environment Separation - Different tokens for staging/production
- Secure Storage - Never expose tokens in client-side code
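The four points above translate into a small amount of server-side discipline: tokens come from the environment of the process that needs them, the staging and production tokens are never the same value, the write token is only loaded by code that actually writes, and the built client bundle is checked before release so a token cannot ship to the browser. The following is an added example that is not ButterCMS code; the environment variable names, the token values and the bundle text are constructed for illustration.

```python
import os
from dataclasses import dataclass
from typing import List, Mapping, Optional


@dataclass(frozen=True)
class ButterTokens:
    read: str
    write: Optional[str]  # None for deployments that only read content


# Assumed variable names for this example; pick whatever your platform uses,
# but keep staging and production values in separate variables.
ENV_VARS = {
    "production": ("BUTTER_READ_TOKEN_PROD", "BUTTER_WRITE_TOKEN_PROD"),
    "staging": ("BUTTER_READ_TOKEN_STAGING", "BUTTER_WRITE_TOKEN_STAGING"),
}


def load_tokens(environment: str, env: Optional[Mapping[str, str]] = None,
                need_write: bool = False) -> ButterTokens:
    """Load the read token (and only when asked, the write token) for one environment.
    Missing values fail loudly rather than silently falling back to another environment."""
    env = os.environ if env is None else env
    if environment not in ENV_VARS:
        raise ValueError(f"unknown environment {environment!r}")
    read_var, write_var = ENV_VARS[environment]
    read = env.get(read_var)
    if not read:
        raise RuntimeError(f"{read_var} is not set")
    write = env.get(write_var) if need_write else None
    if need_write and not write:
        raise RuntimeError(f"{write_var} is not set but a write token was requested")
    return ButterTokens(read=read, write=write)


def find_leaked_tokens(bundle_text: str, tokens: ButterTokens) -> List[str]:
    """Return the names of any tokens that appear verbatim in client-side output.
    A hit means that token must be regenerated, not just removed from the bundle."""
    leaked = []
    for name, value in (("read", tokens.read), ("write", tokens.write)):
        if value and value in bundle_text:
            leaked.append(name)
    return leaked


# Constructed sample environment and bundle (not real tokens or real build output).
SAMPLE_ENV = {
    "BUTTER_READ_TOKEN_PROD": "prod-read-constructed-0001",
    "BUTTER_WRITE_TOKEN_PROD": "prod-write-constructed-0002",
    "BUTTER_READ_TOKEN_STAGING": "stg-read-constructed-0003",
}
SAMPLE_BUNDLE = 'var t="prod-read-constructed-0001";fetch(url+"?auth_token="+t);'

if __name__ == "__main__":
    toks = load_tokens("production", SAMPLE_ENV, need_write=True)
    print("leaked into bundle:", find_leaked_tokens(SAMPLE_BUNDLE, toks))
```

Run the leak scan in CI against every emitted JavaScript and HTML file; because the check compares against the live token values, a positive result is both a build failure and a signal that the matching token needs rotating.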
API usage limits
ButterCMS enforces monthly API usage limits to protect against abuse and ensure fair usage:
- Free/Trial accounts are blocked if monthly API call limits are exceeded
- Paid accounts use usage-based billing for overages instead of blocking
- Enterprise accounts use custom terms
Security monitoring
Security is further fortified through vigilant threat detection, secure communication via HTTPS, and access control.
Threat detection
- Anomaly Detection - Identify unusual access patterns
- Intrusion Detection - Monitor for unauthorized access attempts
- Log Analysis - Automated analysis of security events
- Real-time Alerts - Immediate notification of security events
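The list above describes monitoring on the platform side. The same two ideas, unusual access patterns and unauthorized access attempts, apply to the access logs you keep for your own API tokens. The following is an added example, not ButterCMS code or ButterCMS log output: the log format, the token labels, the paths and the IP addresses are all constructed for this illustration. It implements two simple rules over the sample lines: a token used from more than an allowed number of distinct source IPs inside a time window (a stolen read token being replayed from many places), and a write operation arriving from an IP outside the set of hosts that are expected to publish content.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log; format assumed for this example:
# <ISO-8601 timestamp> <token label> <source IP> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z read-token-A 203.0.113.10 GET /content/posts 200
2024-05-01T10:00:05Z read-token-A 203.0.113.10 GET /content/pages 200
2024-05-01T10:01:00Z write-token-B 198.51.100.7 POST /content/pages 201
2024-05-01T10:02:00Z read-token-A 203.0.113.11 GET /content/posts 200
2024-05-01T10:02:10Z read-token-A 203.0.113.12 GET /content/posts 200
2024-05-01T10:02:20Z read-token-A 203.0.113.13 GET /content/posts 200
2024-05-01T10:02:30Z read-token-A 203.0.113.14 GET /content/posts 200
2024-05-01T10:03:00Z write-token-B 192.0.2.55 POST /content/pages 201
2024-05-01T10:03:05Z write-token-B 192.0.2.55 DELETE /content/pages/1 200
"""

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_log(text: str) -> List[dict]:
    """Turn the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, ip, method, path, status = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "token": token, "ip": ip, "method": method,
            "path": path, "status": int(status),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events: List[dict], expected_write_ips: Set[str],
                     max_ips: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Apply two rules and return one alert per (rule, token[, ip]) occurrence."""
    alerts: List[dict] = []
    recent: Dict[str, List[dict]] = defaultdict(list)  # token -> events inside window
    spread_flagged: Set[str] = set()
    unknown_seen: Set[tuple] = set()
    for e in events:
        tok = e["token"]
        # Rule 1: one token seen from more than max_ips distinct IPs within the window.
        recent[tok].append(e)
        recent[tok] = [r for r in recent[tok] if e["ts"] - r["ts"] <= window]
        ips = {r["ip"] for r in recent[tok]}
        if len(ips) > max_ips and tok not in spread_flagged:
            spread_flagged.add(tok)
            alerts.append({"rule": "token_spread", "token": tok,
                           "at": e["ts"].isoformat(), "detail": sorted(ips)})
        # Rule 2: a write from an IP that is not one of the expected publishing hosts.
        if e["method"] in WRITE_METHODS and e["ip"] not in expected_write_ips:
            key = (tok, e["ip"])
            if key not in unknown_seen:
                unknown_seen.add(key)
                alerts.append({"rule": "write_from_unknown_ip", "token": tok,
                               "at": e["ts"].isoformat(), "detail": e["ip"]})
    return alerts


def run_sample() -> List[dict]:
    """Run both rules over the constructed log with one assumed publishing host."""
    return detect_anomalies(parse_log(SAMPLE_LOG), expected_write_ips={"198.51.100.7"})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["at"], alert["rule"], alert["token"], alert["detail"])
```

Thresholds and the allowlist are deliberately parameters: a CDN-fronted site legitimately shows a read token from many edge IPs, so `max_ips` has to be set from your own baseline, and the second rule only makes sense once publishing is restricted to known hosts.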