'/%3e%3cpath%20class='cls-2'%20d='M49.15,149.69a18.38,18.38,0,1,0,25-7A18.37,18.37,0,0,0,49.15,149.69Z'%20transform='translate(-37.83%20-72.27)'/%3e%3cpath%20class='cls-2'%20d='M38.05,117.89a10.64,10.64,0,1,0,12.53-8.32A10.65,10.65,0,0,0,38.05,117.89Z'%20transform='translate(-37.83%20-72.27)'/%3e%3c/svg%3e)
At Varnish CDN, security isn't just a feature—it is the foundation of our "Sovereign Guarantee." We built our service to withstand the modern threat landscape while ensuring European data sovereignty. This document outlines the technical and organizational measures we take to protect your data and your traffic.
1. Certifications & Compliance
We are committed to maintaining the highest standards of information security.
- ISO 27001 Certified: Varnish Software is ISO 27001 certified. This means our information security management system (ISMS) has been independently audited and meets strict international standards for managing data security.
- GDPR: We have implemented policies, processes, and contractual safeguards designed to support GDPR-aligned data protection obligations when acting as a Controller or Processor, see Privacy Policy & Data Processing Agreement.
- NIS2: As a European digital infrastructure provider, we monitor and adapt to evolving EU cybersecurity regulations, including the NIS2 Directive, and incorporate relevant security principles into our operations where applicable.
2. Infrastructure & Sovereignty
We act as a Sovereign European Alternative to US-based hyperscalers. Our architecture is designed to minimize risk and maximize control.
- European-First Infrastructure: Our core traffic processing nodes (DataPacket) and our Control Plane (Scaleway) are hosted strictly within the European Union. We do not rely on US-owned cloud providers for our critical traffic path, shielding your end-users' data from the US CLOUD Act.
- Physical Security: We utilize Tier-3+ and Tier-4 data centers that maintain strict physical security controls, including 24/7 on-site security, biometric access, and video surveillance.
- Network Redundancy: Our network is built on a resilient architecture. If a node or path becomes unavailable, traffic is instantly rerouted to the nearest healthy Point of Presence (PoP) to ensure high availability.
3. Network & Application Security
We provide a multi-layered defense to protect your applications from attacks.
- DDoS Protection: We deploy "heavy-duty" unmetered DDoS protection across Layers 3, 4, and 7. Our network is designed to absorb and mitigate volumetric attacks before they reach your origin servers.
- Web Application Firewall (WAF): We utilize managed WAF rulesets provided by Atomicorp. Crucially, these rules are executed locally on our Varnish nodes. We inspect traffic at the edge without sending sensitive request data to third-party vendors.
- Bot Mitigation: We partner with DataDome (France) to provide advanced bot detection, blocking malicious scrapers and scalpers while allowing legitimate traffic.
- Encryption: All data in transit is encrypted using TLS 1.2 or 1.3. We support "Bring Your Own Certificate" or can manage SSL certificates for you.
4. Data Protection & Privacy
We design and operate our services in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), and apply privacy-by-design and privacy-by-default principles across our platform.
We strictly separate Traffic Data (your end-users) from Administrative Data (your account).
- Data Minimization: Traffic logs are retained only for 12 months for security auditing and troubleshooting, after which they are permanently deleted.
- Disaster Recovery Backups: We perform hourly snapshots of our entire Control Plane database with a 7-day retention period to ensure system-wide disaster recovery. All backups are strictly encrypted at rest. (Note: These snapshots are for system restoration; granular rollback for individual customer configurations is currently not supported.)
- Encryption at Rest: Sensitive data in our Control Plane (like your configuration and hashed passwords) is encrypted at rest.
- Sovereign Guarantee: We contractually guarantee that your traffic data will not be transferred to the US or other third countries without your explicit approval.
- Security breach notification: In the event of a confirmed data breach that impacts your data, we will notify you without undue delay, and in any event, within 72 hours of discovery. Our notification will include a description of the nature of the breach, the categories of data affected, and the measures we are taking to mitigate any adverse effects.
5. Corporate & Operational Security
Securing our product starts with securing our organization.
- Access Control (RBAC): We operate on a principle of Least Privilege. Access to production systems is restricted to authorized engineers.
- Internal Authentication: Employee access to internal tools and administrative systems is secured via Google Workspace SSO with Multi-Factor Authentication (MFA) enforced.
- Software Development: We follow secure coding practices. Our core technology is built on Varnish Cache, the battle-tested engine used by the world's largest websites.
- Vendor Risk Management: We review all sub-processors for security and GDPR compliance. We sign Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) where necessary.
6. Vulnerability Reporting
We value the work of the security research community. If you discover a vulnerability in Varnish CDN, please report it to us responsibly at security@varnish-software.com.