From 9a88ab114c0d178703f6d8cc422ddc51aea0fb4e Mon Sep 17 00:00:00 2001 From: Brad Bell Date: Fri, 19 Dec 2025 17:03:45 -0800 Subject: [PATCH 1/4] cloud security --- docs/.vuepress/sets/craft-cloud.js | 1 + docs/cloud/security.md | 88 ++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 docs/cloud/security.md diff --git a/docs/.vuepress/sets/craft-cloud.js b/docs/.vuepress/sets/craft-cloud.js index f3a37e3c4..c2a08fcd5 100644 --- a/docs/.vuepress/sets/craft-cloud.js +++ b/docs/.vuepress/sets/craft-cloud.js @@ -78,6 +78,7 @@ module.exports = { children: [ "faq", "troubleshooting", + "security", ], }, ], diff --git a/docs/cloud/security.md b/docs/cloud/security.md new file mode 100644 index 000000000..3682808c1 --- /dev/null +++ b/docs/cloud/security.md 
@@ -0,0 +1,88 @@ +# Security + +Craft Cloud is designed as a fully managed, secure cloud PaaS hosting platform optimized for Craft CMS applications. + +This document outlines the security principles, controls, and practices that govern ****Craft Cloud to protect customer applications, data, and infrastructure against unauthorized access and vulnerabilities. + +## Shared Responsibility Model + +Security in Craft Cloud environments follows the industry standard cloud shared responsibility model: + +- Craft Cloud’s responsibilities: + - Underlying infrastructure + - Network security + - Platform configuration + - Service availability and stability + +- Customer’s Responsibilities: + - Keep Craft CMS, plugins, and dependencies up to date, including the Craft Cloud extension + - Manage application credentials securely + - Implement secure coding practices to prevent common vulnerabilities + - Review application logs + +## Infrastructure & Platform Security + +### Physical and Cloud Provider Controls + +Craft Cloud’s infrastructure runs on industry-leading cloud providers that implement robust controls. These companies use fully SOC-2 compliant access procedures. + +You can read more about their compliance and security policies here: + +- AWS: https://aws.amazon.com/compliance/ +- Cloudflare: https://www.cloudflare.com/trust-hub/compliance-resources/ + +### Network Security and Segregation + +Craft Cloud leverages: + +- Enterprise-grade firewalls and DDoS protection +- Encrypted network connections for internal traffic +- Isolation of customer environments to prevent unauthorized lateral movement + +Every Craft Cloud project includes firewall and global CDN protections by default. + +Since portions of Craft Cloud are multi-tenant, it utilizes some shared infrastructure across projects. To ensure that different projects cannot communicate with each other, it maintains strict network segregation between components. 
+ +### Ephemeral Filesystems + +All Craft Cloud projects run on a read-only, ephemeral file system, which offers some inherent security benefits. If a site is compromised, redeploying will remove any scripts or payloads left behind and reset the code to a known good state prior to the compromise. + +## Data Protection + +- Databases and backups are fully encrypted, with encryption provided by the underlying storage service providers. + +### Backups and Recovery + +- Daily automated database backups are performed for all customer projects +- Customers can trigger optional manual backups +- Backups are retained for 30 days. + +## Identity and Access Management + +### Platform Access Controls + +Craft Cloud enforces role-based access controls via Craft Console Organizations. Customers are highly encouraged to create their Craft Cloud projects within a Craft Console Organization to take advantage of these role-based access controls. + +### Two-Factor Authentication (2FA) + +Customers are highly encouraged to enable two-factor authentication (2FA) for their Craft Console accounts, as well as for their Craft installations hosted on Craft Cloud. + +### Staff Access + +Craft Cloud staff have secure access to client projects, but will only access that data for the purposes of debugging and supporting the customer. + +## Incident Response and Monitoring + +Craft Cloud incorporates monitoring for: + +- Unauthorized access attempts +- Anomalous platform activity +- Infrastructure alerts + +Customers are notified of incidents via [https://status.craftcms.com](https://status.craftcms.com/) where they can subscribe to any incidents and updates. + +## Reporting a Vulnerability + +Please report any security vulnerabilities to [support@craft.cloud](mailto:support@craft.cloud). + +You can read our policy on reporting vulnerabilities here: [https://github.com/craftcms/cms/security/policy](https://github.com/craftcms/cms/security/policy). 
From 3e8f361d64a90705dd91ff7b8d32e165634c89f8 Mon Sep 17 00:00:00 2001 From: Brad Bell Date: Fri, 19 Dec 2025 17:18:38 -0800 Subject: [PATCH 2/4] oops --- docs/cloud/security.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/cloud/security.md b/docs/cloud/security.md index 3682808c1..99ea842c2 100644 --- a/docs/cloud/security.md +++ b/docs/cloud/security.md @@ -14,6 +14,7 @@ Security in Craft Cloud environments follows the industry standard cloud shared - Platform configuration - Service availability and stability + - Customer’s Responsibilities: - Keep Craft CMS, plugins, and dependencies up to date, including the Craft Cloud extension - Manage application credentials securely @@ -28,8 +29,8 @@ Craft Cloud’s infrastructure runs on industry-leading cloud providers that imp You can read more about their compliance and security policies here: -- AWS: https://aws.amazon.com/compliance/ -- Cloudflare: https://www.cloudflare.com/trust-hub/compliance-resources/ +- AWS: [https://aws.amazon.com/compliance/](https://aws.amazon.com/compliance/) +- Cloudflare: [https://www.cloudflare.com/trust-hub/compliance-resources/](https://www.cloudflare.com/trust-hub/compliance-resources/) ### Network Security and Segregation From 5292849aaedea8c24cac3f31fe786244144fe7ac Mon Sep 17 00:00:00 2001 From: Brad Bell Date: Fri, 19 Dec 2025 17:39:34 -0800 Subject: [PATCH 3/4] formatting --- docs/cloud/security.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/docs/cloud/security.md b/docs/cloud/security.md index 99ea842c2..ca94a52c8 100644 --- a/docs/cloud/security.md +++ b/docs/cloud/security.md 
@@ -9,17 +9,16 @@ This document outlines the security principles, controls, and practices that gov Security in Craft Cloud environments follows the industry standard cloud shared responsibility model: - Craft Cloud’s responsibilities: - - Underlying infrastructure - - Network security - - Platform configuration - - Service availability and stability - + - Underlying infrastructure + - Network security + - Platform configuration + - Service availability and stability - Customer’s Responsibilities: - - Keep Craft CMS, plugins, and dependencies up to date, including the Craft Cloud extension - - Manage application credentials securely - - Implement secure coding practices to prevent common vulnerabilities - - Review application logs + - Keep Craft CMS, plugins, and dependencies up to date, including the Craft Cloud extension + - Manage application credentials securely + - Implement secure coding practices to prevent common vulnerabilities + - Review application logs ## Infrastructure & Platform Security From 323b64509a889b75625a43883373cb7f7fe9dcc7 Mon Sep 17 00:00:00 2001 From: Tim Kelty Date: Mon, 22 Dec 2025 14:14:10 -0500 Subject: [PATCH 4/4] Update security.md --- docs/cloud/security.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/cloud/security.md b/docs/cloud/security.md index ca94a52c8..c05f418c0 100644 --- a/docs/cloud/security.md +++ b/docs/cloud/security.md 
@@ -8,13 +8,15 @@ This document outlines the security principles, controls, and practices that gov Security in Craft Cloud environments follows the industry standard cloud shared responsibility model: -- Craft Cloud’s responsibilities: +### Craft Cloud’s responsibilities: + - Underlying infrastructure - Network security - Platform configuration - Service availability and stability -- Customer’s Responsibilities: +### Customer’s Responsibilities: + - Keep Craft CMS, plugins, and dependencies up to date, including the Craft Cloud extension - Manage application credentials securely - Implement secure coding practices to prevent common vulnerabilities
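Review bot: In the new `docs/cloud/security.md` hunk (patch 1/4), the "Ephemeral Filesystems" paragraph claims that redeploying resets the code "to a known good state prior to the compromise", which only holds if the vulnerability that enabled the compromise has been fixed before redeploying; redeploying the same commit redeploys the same flaw, and the database and any persisted assets are not touched by a redeploy. Suggest rewording to something like "redeploying removes any scripts or payloads written to the filesystem; patch the vulnerability and review database contents and uploaded assets before redeploying". Smaller points in the same hunk: the stray bold markers in "that govern ****Craft Cloud to protect" should be removed; "SOC-2" is normally written "SOC 2", and "fully SOC-2 compliant access procedures" would be stronger with a pointer to the providers' actual reports rather than an unqualified claim; "Databases and backups are fully encrypted" should say whether this is encryption at rest only, since encryption in transit is covered separately under network security; the Backups list mixes items with and without a trailing period, and "Craft Cloud's responsibilities" / "Customer's Responsibilities" differ in capitalization; "Staff Access" switches from "customer" to "client" and would benefit from stating whether staff access is logged or audited; the "Reporting a Vulnerability" link points at the `craftcms/cms` repository policy, so confirm that policy covers Craft Cloud as well.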
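Review bot: The blank line inserted between the two responsibility lists in patch 2/4 (`@@ -14,6 +14,7 @@`) is removed again in patch 3/4 (`@@ -9,17 +9,16 @@`), so the two commits cancel each other out on that line; consider squashing patches 2 through 4 into the first commit, since "oops" and "formatting" do not carry review value as separate history.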
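Review bot: Patch 3/4 (`@@ -9,17 +9,16 @@`) reduces nested-list indentation from four spaces to two; that renders correctly under a `- ` bullet in CommonMark, but the same hunk also reverts the blank line added in the previous commit, so this hunk and the previous one should be folded together rather than landing as separate fix-ups.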
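Review bot: In patch 4/4 (`@@ -8,13 +8,15 @@`) the new `### Craft Cloud’s responsibilities:` and `### Customer’s Responsibilities:` headings end with a colon and still differ in the capitalization of "responsibilities"; headings should drop the trailing colon and use one casing, e.g. `### Craft Cloud’s responsibilities` and `### Customer’s responsibilities`. The list items beneath them keep their two-space indentation from the old nested lists, which is harmless but no longer needed once they are top-level lists under a heading.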