> ## Documentation Index
> Fetch the complete documentation index at: https://buttercms.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security overview

> A high-level overview of ButterCMS's security posture, practices, and commitment to protecting your content and data.

ButterCMS takes security and compliance seriously. The platform is hosted on Heroku and AWS infrastructure adhering to [industry-leading compliance standards](./compliance-certifications), with automatic daily backups and continuous 24/7 monitoring.

## Our security commitment

ButterCMS prioritizes security and compliance by hosting on secure AWS data centers, implementing data encryption, conducting daily backups, adhering to industry standards, monitoring infrastructure 24/7, and offering professional support for security-related concerns.

<Info>
  **ButterCMS Security Principles:**

  * **Security by Design** - Security is built into every layer of our platform
  * **Defense in Depth** - Multiple overlapping security controls
  * **Continuous Monitoring** - 24/7 infrastructure monitoring and threat detection
  * **Data Protection** - Industry-standard encryption at rest and in transit
  * **Compliance First** - Adherence to leading security frameworks and standards
</Info>

## Security architecture

ButterCMS handles all aspects of security for you. Data is encrypted at rest (AES-256) and in transit (TLS 1.2), hosted in ISO 27001-certified data centers. See [Infrastructure & Hosting](./infrastructure-hosting) for network controls, WAF configuration, and DDoS protection details.

### Security layers

| Layer              | Protection                                                      |
| ------------------ | --------------------------------------------------------------- |
| **Application**    | Web Application Firewall (WAF), rate limiting, input validation |
| **Transport**      | TLS 1.2+ encryption, HTTP Strict Transport Security (HSTS)      |
| **Authentication** | SSO, MFA, role-based access control                             |
| **Data**           | AES-256 encryption at rest, encrypted backups                   |
| **Infrastructure** | AWS security groups, VPC isolation, 24/7 monitoring             |
| **Physical**       | ISO 27001 certified data centers, physical access controls      |

## Session security

ButterCMS implements secure session handling:

| Feature                  | Description                                    |
| ------------------------ | ---------------------------------------------- |
| **Session timeout**      | Automatic logout after inactivity              |
| **Secure cookies**       | HttpOnly, Secure, and SameSite flags applied   |
| **Session invalidation** | Logging out terminates the session immediately |
| **Concurrent sessions**  | Multiple devices are supported                 |

### Secure access practices

* Log out when using shared or public computers
* Do not check "Remember Me" on shared devices
* Review active sessions periodically
* Report any suspicious activity immediately

## Brute force protection

ButterCMS protects against brute force attacks:

| Protection              | Description                                 |
| ----------------------- | ------------------------------------------- |
| **Login rate limiting** | Limits login attempts per time period       |
| **Progressive delays**  | Increasing wait times after failed attempts |
| **Account lockout**     | Temporary lockout after repeated failures   |
| **IP blocking**         | Suspicious IPs may be temporarily blocked   |

<Info>
  If you're locked out due to too many failed attempts, wait a few minutes before trying again, or use the password reset option.
</Info>

## Key security features

<CardGroup cols={2}>
  <Card title="Encryption" icon="lock">
    AES-256 encryption at rest and TLS 1.2 in transit protect your data
  </Card>

  <Card title="Access Control" icon="user-shield">
    Role-based permissions and SSO integration for enterprise teams
  </Card>

  <Card title="Monitoring" icon="eye">
    24/7 infrastructure monitoring with automated threat detection
  </Card>

  <Card title="Backups" icon="cloud-arrow-up">
    Automatic daily backups ensure data redundancy and recovery
  </Card>
</CardGroup>

## Fully managed security

ButterCMS is a closed-source, fully-hosted platform. This means you don't have to worry about maintaining servers, applying security patches, or managing infrastructure. Our team handles all security operations, including:

* Applying security updates and patches
* Monitoring for vulnerabilities
* Managing SSL certificates
* Conducting security assessments
* Responding to security incidents

<Tip>
  **Why Fully Managed Security Matters:**

  Unlike self-hosted solutions where you're responsible for security patches, server hardening, and incident response, ButterCMS handles all security operations for you. This means your team can focus on building great products while we focus on keeping your data secure.
</Tip>

## Security for enterprise

For enterprise applications, ButterCMS offers advanced security controls, including:

* **Advanced security controls** - Enhanced security features for enterprise requirements
* **Dedicated support** - Enterprise support with a dedicated customer success manager
* **Compliance support** - Help meeting enterprise compliance requirements

### Enterprise security features

| Feature                  | Description                                                |
| ------------------------ | ---------------------------------------------------------- |
| **Single Sign-On (SSO)** | SAML 2.0 integration with Azure AD, Okta, Google, OneLogin |
| **Custom Roles**         | Define granular permissions for your team                  |
| **Audit Logs**           | Track all user activity and content changes                |
| **Access Logs**          | Monitor API access patterns                                |
| **Dedicated Support**    | Priority access to security expertise                      |

<Card title="Contact Enterprise Sales" icon="building" href="https://buttercms.com/sales/">
  Learn about enterprise security features and get a custom security assessment
</Card>

## Reporting security issues

### Responsible disclosure

If you discover a potential security vulnerability in ButterCMS, we encourage responsible disclosure. Please contact our security team:

* **Email**: [security@buttercms.com](mailto:security@buttercms.com)
* **Support**: Use the in-app chat or email [support@buttercms.com](mailto:support@buttercms.com)

We take all security reports seriously and will respond promptly to investigate and address any legitimate concerns.

<Warning>
  **Please Do Not:**

  * Publicly disclose vulnerabilities before we've had a chance to address them
  * Access or modify other users' data
  * Perform tests that could degrade service for other users
</Warning>

## Security resources

<CardGroup cols={2}>
  <Card title="Infrastructure & Hosting" icon="server" href="./infrastructure-hosting">
    Learn about our hosting environment and infrastructure security
  </Card>

  <Card title="Data Protection" icon="database" href="./data-protection-encryption">
    Understand how your data is encrypted and protected
  </Card>

  <Card title="Access & Authentication" icon="key" href="../../create-content/authentication/authentication-overview">
    Explore authentication options including SSO and MFA
  </Card>

  <Card title="Compliance Certifications" icon="certificate" href="./compliance-certifications">
    View our compliance certifications and standards
  </Card>
</CardGroup>
