Enterprise-Grade Website Security
Website Security & Features
Pantheon's unique infrastructure and security capabilities give our customers the peace of mind they need to deliver awesome online experiences.
Pantheon is built on a container-based cloud architecture. Unlike deployments on clusters or virtual private servers, containers allow lightweight partitioning of an operating system into isolated spaces where applications can safely run.
Automated, One-Click Core Updates
Update Drupal and WordPress core with a single click. Pantheon’s built-in dev, test, and live environments allow developers to push updates to production safely and quickly.
Denial of Service Protection
Pantheon’s Global CDN provides industry-leading DDoS protections. By filtering ongoing attacks and isolating traffic streams for each site and environment, Pantheon provides dedicated resources in times of need and prevents impact between customer websites.
Drupal and WordPress core—as well as module and plugin code—are write-protected in Test and Live environments. This feature guards against unauthorized updates that can result in compromise.
Automated Site Monitoring
Pantheon runs over a million checks a day to proactively monitor network, server, and application resources. Our status page shows a transparent, aggregated report of current and historical uptime across all Pantheon sites.
Keep your site and your visitors secure with fully managed, dedicated HTTPS certificates. We obtain and manage high-grade encryption with TLS 1.3 for all of your sites and deploy it worldwide with Pantheon's Global CDN.
Pantheon supports SAML integration, enabling additional security features like multi-factor authentication and single sign-on. Customers who enforce SAML authentication can also enforce settings like minimum password strengths or authentication audit logs.
Pantheon’s change management feature allows site owners to manage organization-wide settings and selectively grant or deny developer access to deploy to production. Role-based access lets team members work on what they need to without introducing risk to other sites or infrastructure components.
Automated Backup and Retention
Automated and manual backups store customer data, which is compressed and sent to cloud storage. Data is encrypted in transit and at rest using 256-bit AES cipher modes, and private keys are kept on servers separate from the backup data. Users can test a restore from the dashboard, to an existing or new site on Pantheon or elsewhere.
Compliance & Information Security
Pantheon is regularly reviewed by third parties to verify platform security, privacy, and compliance—and we are constantly working to widen this coverage. Learn more about Pantheon’s conformity with the following information security policies and certifications:
SOC 2 Type 2
SOC 2 compliance provides third party assurance to our customers about the adequacy of Pantheon’s information security system. Our SOC 2 Type 2 compliance covers the Security and Availability Trust Services Criteria.
The General Data Protection Regulation (GDPR) is a data privacy law that defines a framework for how companies use and protect personal information about European Union citizens. Pantheon complies with all applicable data privacy laws including GDPR.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. While customers are responsible for designing their application correctly to meet FERPA standards, Pantheon's security policies and infrastructure allow customers to be FERPA compliant.
Our stack is secure by design—engineered and maintained using rigorous security best practices.
Pantheon ensures process- and memory-level isolation using control groups for memory, disk, and CPU. Valhalla, Pantheon's encrypted distributed file system, employs client-server authentication. Customer files are secured by Linux permissions, while system and customer logs remain isolated from one another.
Pantheon maintains full redundancy for core components: API, edge routing, DNS, and file storage. Automated tools aid recovery, and services tolerate the failure of a process or server. A multi-datacenter presence facilitates restoration, and redundant upstream providers enhance reliability.
Pantheon relies on trusted repositories, validates packages, and audits changes on its Linux servers. User software runs in isolated containers, preventing direct execution of uploaded files. ClamAV antivirus with up-to-date signature databases is provided for customer use.
Pantheon’s primary data centers are managed by Google and feature a layered security model. This includes safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors & biometrics, and laser beam intrusion detection.
Employee Administrative Access
Pantheon grants access according to least privilege. Employees can interact with servers via a secure API without actual server access—when they do need it, SSH-key based authentication is used and activity is recorded in a central log.
Patches and Updates
Pantheon updates container hosts with the latest kernel, OS, and packages, migrating workloads seamlessly to new instances with zero downtime. CMS updates and patches are tested internally and deployed for customers through the one-click workflow.
Customer Content Durability
Pantheon uses on-disk storage with hardware RAID across multiple disks. Automated backups offer further protection: backups are over 99.99% durable, encrypted, and stored in multiple datacenters to ensure availability.
Network Security / Intrusion Prevention
Pantheon uses x.509-based authentication and encryption for network security. Edge routers tunnel traffic so that the edge cannot be bypassed. Host-level intrusion prevention for username/password services and controls at the server layer stop unauthorized access. Centralized security logs are retained for a year.