ButterCMS takes security and compliance seriously. The platform is hosted on Heroku and AWS infrastructure adhering to industry-leading compliance standards, with automatic daily backups and continuous 24/7 monitoring.

Our security commitment

ButterCMS prioritizes security and compliance by hosting on secure AWS data centers, implementing data encryption, conducting daily backups, adhering to industry standards, monitoring infrastructure 24/7, and offering professional support for security-related concerns.
ButterCMS Security Principles:
  • Security by Design - Security is built into every layer of our platform
  • Defense in Depth - Multiple overlapping security controls
  • Continuous Monitoring - 24/7 infrastructure monitoring and threat detection
  • Data Protection - Industry-standard encryption at rest and in transit
  • Compliance First - Adherence to leading security frameworks and standards

Security architecture

ButterCMS handles all aspects of security for you. Data is encrypted at rest (AES-256) and in transit (TLS 1.2), hosted in ISO 27001-certified data centers. See Infrastructure & Hosting for network controls, WAF configuration, and DDoS protection details.

Security layers

| Layer | Protection |
|---|---|
| Application | Web Application Firewall (WAF), rate limiting, input validation |
| Transport | TLS 1.2+ encryption, HTTP Strict Transport Security (HSTS) |
| Authentication | SSO, MFA, role-based access control |
| Data | AES-256 encryption at rest, encrypted backups |
| Infrastructure | AWS security groups, VPC isolation, 24/7 monitoring |
| Physical | ISO 27001 certified data centers, physical access controls |

Session security

ButterCMS implements secure session handling:

| Feature | Description |
|---|---|
| Session timeout | Automatic logout after inactivity |
| Secure cookies | HttpOnly, Secure, and SameSite flags applied |
| Session invalidation | Logging out terminates the session immediately |
| Concurrent sessions | Multiple devices are supported |

Secure access practices

  • Log out when using shared or public computers
  • Do not check “Remember Me” on shared devices
  • Review active sessions periodically
  • Report any suspicious activity immediately

Brute force protection

ButterCMS protects against brute force attacks:

| Protection | Description |
|---|---|
| Login rate limiting | Limits login attempts per time period |
| Progressive delays | Increasing wait times after failed attempts |
| Account lockout | Temporary lockout after repeated failures |
| IP blocking | Suspicious IPs may be temporarily blocked |

If you’re locked out due to too many failed attempts, wait a few minutes before trying again, or use the password reset option.

Key security features

Encryption

AES-256 encryption at rest and TLS 1.2 in transit protect your data

Access Control

Role-based permissions and SSO integration for enterprise teams

Monitoring

24/7 infrastructure monitoring with automated threat detection

Backups

Automatic daily backups ensure data redundancy and recovery

Fully managed security

ButterCMS is a closed-source, fully-hosted platform. This means you don’t have to worry about maintaining servers, applying security patches, or managing infrastructure. Our team handles all security operations, including:
  • Applying security updates and patches
  • Monitoring for vulnerabilities
  • Managing SSL certificates
  • Conducting security assessments
  • Responding to security incidents
Why Fully Managed Security Matters: Unlike self-hosted solutions where you’re responsible for security patches, server hardening, and incident response, ButterCMS handles all security operations for you. This means your team can focus on building great products while we focus on keeping your data secure.

Security for enterprise

For enterprise applications, ButterCMS offers advanced security controls, including:
  • Advanced security controls - Enhanced security features for enterprise requirements
  • Dedicated support - Enterprise support with a dedicated customer success manager
  • Compliance support - Help meeting enterprise compliance requirements

Enterprise security features

| Feature | Description |
|---|---|
| Single Sign-On (SSO) | SAML 2.0 integration with Azure AD, Okta, Google, OneLogin |
| Custom Roles | Define granular permissions for your team |
| Audit Logs | Track all user activity and content changes |
| Access Logs | Monitor API access patterns |
| Dedicated Support | Priority access to security expertise |

Contact Enterprise Sales

Learn about enterprise security features and get a custom security assessment

Reporting security issues

Responsible disclosure

If you discover a potential security vulnerability in ButterCMS, we encourage responsible disclosure. Please contact our security team: We take all security reports seriously and will respond promptly to investigate and address any legitimate concerns.
Please Do Not:
  • Publicly disclose vulnerabilities before we’ve had a chance to address them
  • Access or modify other users’ data
  • Perform tests that could degrade service for other users

Security resources

Infrastructure & Hosting

Learn about our hosting environment and infrastructure security

Data Protection

Understand how your data is encrypted and protected

Access & Authentication

Explore authentication options including SSO and MFA

Compliance Certifications

View our compliance certifications and standards