Difference between revisions of "DigitalOcean"

From LIMSWiki
Jump to navigationJump to search
m (Space)
(Updated for 2023.)
 
(3 intermediate revisions by the same user not shown)
Line 21: Line 21:
| products        = [[Infrastructure as a service|IaaS]], [[Platform as a service|PaaS]], [[Database as a service|DBaaS]], [[Software as a service|SaaS]]
| products        = [[Infrastructure as a service|IaaS]], [[Platform as a service|PaaS]], [[Database as a service|DBaaS]], [[Software as a service|SaaS]]
| services        =  
| services        =  
| revenue          = $87.5 million (2020, Q4)<ref name="WilhelmOloRais21">{{cite web |url=https://techcrunch.com/2021/03/15/olo-raises-ipo-range-as-digitalocean-sees-possible-5b-debut-valuation/ |title=Olo raises IPO range as DigitalOcean sees possible $5B debut valuation |author=Wilhelm, A. |work=Tech Crunch - Extra Crunch |date=15 March 2021 |accessdate=25 April 2021}}</ref>
| revenue          = $165.1 million (2023, Q1)<ref name="DOQ1_23">{{cite web |url=https://investors.digitalocean.com/news/news-details/2023/DigitalOcean-Announces-First-Quarter-2023-Financial-Results/default.aspx |title=DigitalOcean Announces First Quarter 2023 Financial Results |publisher=DigitalOcean |date=09 May 2023 |accessdate=02 August 2023}}</ref>
| operating_income =  
| operating_income =  
| net_income      =  
| net_income      =  
Line 37: Line 37:
}}
}}


'''DigitalOcean''' is an American [[cloud computing]] company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. AWS has 13 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, and India.<ref name="DORegional21">{{cite web |url=https://docs.digitalocean.com/products/platform/availability-matrix/ |title=Regional Availability Matrix |publisher=DigitalOcean |date=01 April 2021 |accessdate=25 April 2021}}</ref> The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.<ref name="DOProds">{{cite web |url=https://www.digitalocean.com/products/ |title=Products |publisher=DigitalOcean |accessdate=25 April 2021}}</ref><ref name="DOSolutions">{{cite web |url=https://www.digitalocean.com/business/ |title=Solutions |publisher=DigitalOcean |accessdate=25 April 2021}}</ref>
'''DigitalOcean''' is an American [[cloud computing]] company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. DigitalOcean has 14 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia.<ref name="DORegional21">{{cite web |url=https://docs.digitalocean.com/products/platform/availability-matrix/ |title=Regional Availability Matrix |publisher=DigitalOcean |date=07 July 2023 |accessdate=02 August 2023}}</ref> The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.<ref name="DOProds">{{cite web |url=https://www.digitalocean.com/products |title=Products |publisher=DigitalOcean |accessdate=02 August 2023}}</ref><ref name="DOSolutions">{{cite web |url=https://www.digitalocean.com/business |title=Solutions |publisher=DigitalOcean |accessdate=02 August 2023}}</ref>


==Provider research==
==Provider research==
This section uses public information to provide some answers to the 18 questions posed in Chapter 5 of the wiki-based guide ''[[LII:Choosing and Implementing a Cloud-based Service for your Laboratory|Choosing and Implementing a Cloud-based Service for your Laboratory]]''. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide ''[[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory|Choosing and Implementing a Cloud-based Service for Your Laboratory]]''. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.




1. '''What experience do you have working with laboratory customers in our specific industry?'''
1. '''What experience do you have working with laboratory customers in our specific industry?'''


The only publicly available information linking DigitalOcean with a [[laboratory]] is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.<ref name="CBLDigital17">{{cite web |url=https://newyork.citybizlist.com/article/435862/digitalocean-appoints-steve-senneff-as-cfo |title=DigitalOcean Appoints Steve Senneff as CFO |work=CityBizList |date=15 August 2017 |accessdate=13 April 2021}}</ref> You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.
The only publicly available information linking DigitalOcean with a [[laboratory]] is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.<ref name="CBLDigital17">{{cite web |url=https://newyork.citybuzz.co/article/435862/digitalocean-appoints-steve-senneff-as-cfo |title=DigitalOcean Appoints Steve Senneff as CFO |work=CityBizList |date=15 August 2017 |accessdate=02 August 2023}}</ref> You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.




2. '''Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?'''
2. '''Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?'''


It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a [https://www.digitalocean.com/products/tools-and-integrations/ page about integration tools], which you can use to "interact with your infrastructure the way you want to."<ref name="DOAutomate">{{cite web |url=https://www.digitalocean.com/products/tools-and-integrations/ |title=Automate your infrastructure |publisher=DigitalOcean |accessdate=14 April 2021}}</ref> This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.<ref name="DOAutomate" />
It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a [https://www.digitalocean.com/products/tools-and-integrations page about integration tools], which you can use to "interact with your infrastructure the way you want to."<ref name="DOAutomate">{{cite web |url=https://www.digitalocean.com/products/tools-and-integrations |title=Automate your infrastructure |publisher=DigitalOcean |accessdate=02 August 2023}}</ref> This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.<ref name="DOAutomate" />




3. '''What is the average total historical downtime for the service(s) we're interested in?'''
3. '''What is the average total historical downtime for the service(s) we're interested in?'''


Some public information is made available about historic outages and downtime. DigitalOcean has a [https://status.digitalocean.com/ systems status page] with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.<ref name="MigliaccioAGlimpse21">{{cite web |url=https://www.digitalocean.com/blog/a-glimpse-into-network-availability/ |title=A glimpse into network availability |author=Migliaccio, A. |work=DigitalOcean Blog |date=11 February 2021 |accessdate=14 April 2021}}</ref> A follow-up on this question with a DigitalOcean representative may reveal more historical downtime history for the services you are interested in.
Some public information is made available about historic outages and downtime. DigitalOcean has a [https://status.digitalocean.com/ systems status page] with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.<ref name="MigliaccioAGlimpse21">{{cite web |url=https://www.digitalocean.com/blog/a-glimpse-into-network-availability/ |title=A glimpse into network availability |author=Migliaccio, A. |work=DigitalOcean Blog |date=11 February 2021 |accessdate=02 August 2023}}</ref> A follow-up on this question with a DigitalOcean representative may reveal more historical downtime history for the services you are interested in.




Line 65: Line 65:
5. '''Where are your servers located, and how is data securely transferred to and from those servers?'''
5. '''Where are your servers located, and how is data securely transferred to and from those servers?'''


DigitalOcean describes its [https://docs.digitalocean.com/products/platform/availability-matrix/ datacenter regions] in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, and India. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.<ref name="DOHowToEnable21">{{cite web |url=https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/ |title=How to Enable the Spaces CDN |work=DigitalOcean Documentation |date=01 March 2021 |accessdate=14 April 2021}}</ref> However, DigitalOcean is light on details in regards to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."<ref name="DOTrustFAQ">{{cite web |url=https://www.digitalocean.com/trust/faq/ |title=Frequently Asked Questions |work=DigitalOcean Trust Platform |publisher=DigitalOcean |accessdate=14 April 2021}}</ref> The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses [https://www.digitalocean.com/trust/resources/ on its trust center]. DigitalOcean doesn't appear to discuss data localization on its site.
DigitalOcean describes its [https://docs.digitalocean.com/products/platform/availability-matrix/ datacenter regions] in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.<ref name="DOHowToEnable21">{{cite web |url=https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/ |title=How to Enable the Spaces CDN |work=DigitalOcean Documentation |date=07 June 2023 |accessdate=02 August 2023}}</ref> However, DigitalOcean is light on details in regards to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."<ref name="DOTrustFAQ">{{cite web |url=https://www.digitalocean.com/trust/faq/ |title=Frequently Asked Questions |work=DigitalOcean Trust Platform |publisher=DigitalOcean |accessdate=02 August 2023}}</ref> The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses [https://www.digitalocean.com/trust/resources on its trust center]. DigitalOcean doesn't appear to discuss data localization on its site.




6. '''Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?'''
6. '''Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?'''


DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer [https://www.digitalocean.com/community/questions/datacenter-security-details asked about physical security], and they were told to review the legal literature for the company. The current [https://www.digitalocean.com/legal/data-processing-agreement/ data processing agreement] has a "security," section, but even there details are limited. It recommends reading Annex B of the agreement, but Annex B is only "Available upon request."<ref name="DODataProcessing20">{{cite web |url=https://www.digitalocean.com/legal/data-processing-agreement/ |title=Data Processing Agreement |publisher=DigitalOcean |date=31 July 2020 |accessdate=14 April 2021}}</ref> You'll have to discuss this topic in full with a DigitalOcean representative.
DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer [https://www.digitalocean.com/community/questions/datacenter-security-details asked about physical security], and they were told to review the legal literature for the company. The current [https://www.digitalocean.com/legal/data-processing-agreement data processing agreement] says the following about physical access to systems<ref name="DODataProcessing20">{{cite web |url=https://www.digitalocean.com/legal/data-processing-agreement |title=Data Processing Agreement |publisher=DigitalOcean |date=31 July 2020 |accessdate=02 August 2023}}</ref>:
 
<blockquote>DigitalOcean data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge controlled gates.
 
CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.</blockquote>
 
As for credentials, certifications, and training, nothing is said. Discuss this with a DigitalOcean representative.




7. '''Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?'''
7. '''Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?'''


Not all [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean machines] have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that DigitalOcean may not be compliant with [[HIPAA]]; see #14.)
Not all [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean machines] have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that as of August 2023, DigitalOcean is reportedly not compliant with [[HIPAA]]; see #14.)




Line 89: Line 95:
DigitalOcean documents its security practices in several places:
DigitalOcean documents its security practices in several places:


* [https://docs.digitalocean.com/products/accounts/security/ DigitalOcean account security documentation]
* [https://docs.digitalocean.com/products/teams/how-to/#security DigitalOcean account security documentation]
* [https://www.digitalocean.com/legal/data-processing-agreement/ DigitalOcean Data Processing Agreement]
* [https://www.digitalocean.com/legal/data-processing-agreement DigitalOcean Data Processing Agreement]
* [https://www.digitalocean.com/trust/ DigitalOcean trust center]
* [https://www.digitalocean.com/trust/ DigitalOcean trust center]


Line 98: Line 104:
10. '''How do you test your platform's security?'''
10. '''How do you test your platform's security?'''


DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."<ref name="DODataProcessing20" /> You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.<ref name="HackerOneDO">{{cite web |url=https://hackerone.com/digitalocean?type=team |title=DigitalOcean Vulnerability Disclosure Program |publisher=HackerOne |date=March 2020 |accessdate=14 April 2021}}</ref>
DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."<ref name="DODataProcessing20" /> You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.<ref name="HackerOneDO">{{cite web |url=https://hackerone.com/digitalocean?type=team |title=DigitalOcean Vulnerability Disclosure Program |publisher=HackerOne |date=March 2020 |accessdate=02 August 2023}}</ref>




11. '''What are your policies for security audits, intrusion detection, and intrusion reporting?'''
11. '''What are your policies for security audits, intrusion detection, and intrusion reporting?'''


In its [https://www.digitalocean.com/legal/data-processing-agreement/ Data Processing Agreement], DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, the customer can execute an audit of DigitalOcean's systems but at the customer's expense.<ref name="DODataProcessing20" /> Read the Data Processing Agreement for more.
In its [https://www.digitalocean.com/legal/data-processing-agreement Data Processing Agreement], DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, the customer can execute an audit of DigitalOcean's systems but at the customer's expense.<ref name="DODataProcessing20" /> Read the Data Processing Agreement for more.




12. '''What data logging information is kept and acted upon in relation to our data?'''
12. '''What data logging information is kept and acted upon in relation to our data?'''


DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."<ref name="DOMonitoring">{{cite web |url=https://www.digitalocean.com/products/monitoring/ |title=Seamless infrastructure monitoring |publisher=DigitalOcean |accessdate=14 April 2021}}</ref> However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.
DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."<ref name="DOMonitoring">{{cite web |url=https://www.digitalocean.com/products/monitoring |title=Seamless infrastructure monitoring |publisher=DigitalOcean |accessdate=02 August 2023}}</ref> However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.




Line 118: Line 124:
14. '''For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?'''
14. '''For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?'''


DigitalOcean's approach to HIPAA compliance and a business associate agreement is extremely confusing. Unfortunately, the company does not directly come out and say what its stance is on HIPAA. Numerous community questions<ref name="NusbaumHowCan16">{{cite web |url=https://www.digitalocean.com/community/questions/how-can-i-achieve-hipaa-compliance-on-a-digitalocean-hosted-solution |title=How can I achieve HIPAA compliance on a DigitalOcean hosted solution? |author=Nusbaum |work=DigitalOcean Community |publisher=DigitalOcean |date=15 September 2016 |accessdate=14 April 2021}}</ref> and even some external discussion boards<ref name="EvansFully19">{{cite web |url=https://news.ycombinator.com/item?id=19162989 |title=Fully managed PostgreSQL databases |author=Evans, C. |work=Hacker News |date=14 February 2019 |accessdate=14 April 2021}}</ref> give conflicting information about this topic. Judging from publicly available information, it doesn't appear they are HIPAA/HITECH compliant but they may be working towards that. This is conversation for a knowledgeable representative.
{{As of|August 2023}}, DigitalOcean states that "DigitalOcean is not HIPAA compliant, therefore, healthcare organizations should consider an alternative."<ref name="DOManagedDB">{{cite web |url=https://www.digitalocean.com/security/shared-responsibility-model-managed-databases |title=Managed Databases |publisher=DigitalOcean |accessdate=02 August 2023}}</ref>




Line 133: Line 139:
17. '''Can we use your interface to extract our data when we want, and in what format will it be?'''
17. '''Can we use your interface to extract our data when we want, and in what format will it be?'''


DigitalOcean has a page dedicated to [https://www.digitalocean.com/legal/data-portability/ data portability]. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.
DigitalOcean has a page dedicated to [https://www.digitalocean.com/legal/data-portability data portability]. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.




Line 139: Line 145:


It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a DigitalOcean representative.
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a DigitalOcean representative.
==Managed security services==
DigitalOcean doesn't appear to provide managed security services for cloud customers.


==Additional information==
==Additional information==
Line 147: Line 157:
===External links===
===External links===
* [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean architecture framework or description]
* [https://docs.digitalocean.com/products/platform/availability-matrix/ DigitalOcean architecture framework or description]
* [https://www.digitalocean.com/trust/faq/ DigitalOcean shared responsibility model]
* [https://www.digitalocean.com/trust/faq DigitalOcean shared responsibility model]
* [https://www.digitalocean.com/trust/ DigitalOcean trust center]
* [https://www.digitalocean.com/trust DigitalOcean trust center]


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}

Latest revision as of 17:31, 2 August 2023

DigitalOcean
Industry Cloud computing, Web services, Internet
Founder(s) Moisey Uretsky
Ben Uretsky
Jeff Carr
Alec Hartman
Mitch Wainer
Headquarters New York City, New York, United States
Area served Worldwide
Key people Yancey Spruill (CEO)
Products IaaS, PaaS, DBaaS, SaaS
Revenue $165.1 million (2023, Q1)[1]
Website digitalocean.com


DigitalOcean is an American cloud computing company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. DigitalOcean has 14 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia.[2] The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.[3][4]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.


1. What experience do you have working with laboratory customers in our specific industry?

The only publicly available information linking DigitalOcean with a laboratory is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.[5] You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.


2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a page about integration tools, which you can use to "interact with your infrastructure the way you want to."[6] This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.[6]


3. What is the average total historical downtime for the service(s) we're interested in?

Some public information is made available about historic outages and downtime. DigitalOcean has a systems status page with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.[7] A follow-up on this question with a DigitalOcean representative may reveal more historical downtime history for the services you are interested in.


4. Do we receive comprehensive downtime support in the case of downtime?

DigitalOcean does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with DigitalOcean what downtime support they provide based on the services your organization are interested in.


5. Where are your servers located, and how is data securely transferred to and from those servers?

DigitalOcean describes its datacenter regions in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, India, and Australia. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.[8] However, DigitalOcean is light on details in regards to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."[9] The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses on its trust center. DigitalOcean doesn't appear to discuss data localization on its site.


6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer asked about physical security, and they were told to review the legal literature for the company. The current data processing agreement says the following about physical access to systems[10]:

DigitalOcean data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge controlled gates. CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.

As for credentials, certifications, and training, nothing is said. Discuss this with a DigitalOcean representative.


7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all DigitalOcean machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that as of August 2023, DigitalOcean is reportedly not compliant with HIPAA; see #14.)


8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

DigitalOcean's public policy on physical separation vs. logical separation of data is unclear. This is a discussion to have with a representative.

DigitalOcean talks a little bit about tenant isolation in the context of a virtual private cloud (VPC), mentioning VPC networks, SSH keys, cloud firewalls, and service auditing. These are recommended protections for you, the cloud user. However, it's best to discuss DigitalOcean's approach to tenant isolation in full with a representative.


9. Do you have documented data security policies?

DigitalOcean documents its security practices in several places:

Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with a DigitalOcean representative to obtain them.


10. How do you test your platform's security?

DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."[10] You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.[11]


11. What are your policies for security audits, intrusion detection, and intrusion reporting?

In its Data Processing Agreement, DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, the customer can execute an audit of DigitalOcean's systems but at the customer's expense.[10] Read the Data Processing Agreement for more.


12. What data logging information is kept and acted upon in relation to our data?

DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."[12] However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.


13. How thorough are those logs and can we audit them on-demand?

You can of course manage and view logs related to your own activities. However, it's unclear if you are able to audit internal DigitalOcean logs on-demand. This is a conversation to have with a representative.


14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

As of August 2023, DigitalOcean states that "DigitalOcean is not HIPAA compliant, therefore, healthcare organizations should consider an alternative."[13]


15. What happens to our data should the contract expire or be terminated?

DigitalOcean only states: "Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent DigitalOcean is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data DigitalOcean shall securely isolate and protect from any further processing, except to the extent required by applicable law."[10] This statement doesn't provide sufficient clarity, and you should have a DigitalOcean representative address this question in full.


16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how DigitalOcean would handle your data should they go out of business, nor do they mention anything about catastrophic loss on their site. Consult with a DigitalOcean representative about this topic.


17. Can we use your interface to extract our data when we want, and in what format will it be?

DigitalOcean has a page dedicated to data portability. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.


18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a DigitalOcean representative.

Managed security services

DigitalOcean doesn't appear to provide managed security services for cloud customers.


Additional information

Documentation and other media

External links

References

  1. "DigitalOcean Announces First Quarter 2023 Financial Results". DigitalOcean. 9 May 2023. https://investors.digitalocean.com/news/news-details/2023/DigitalOcean-Announces-First-Quarter-2023-Financial-Results/default.aspx. Retrieved 02 August 2023. 
  2. "Regional Availability Matrix". DigitalOcean. 7 July 2023. https://docs.digitalocean.com/products/platform/availability-matrix/. Retrieved 02 August 2023. 
  3. "Products". DigitalOcean. https://www.digitalocean.com/products. Retrieved 02 August 2023. 
  4. "Solutions". DigitalOcean. https://www.digitalocean.com/business. Retrieved 02 August 2023. 
  5. "DigitalOcean Appoints Steve Senneff as CFO". CityBizList. 15 August 2017. https://newyork.citybuzz.co/article/435862/digitalocean-appoints-steve-senneff-as-cfo. Retrieved 02 August 2023. 
  6. 6.0 6.1 "Automate your infrastructure". DigitalOcean. https://www.digitalocean.com/products/tools-and-integrations. Retrieved 02 August 2023. 
  7. Migliaccio, A. (11 February 2021). "A glimpse into network availability". DigitalOcean Blog. https://www.digitalocean.com/blog/a-glimpse-into-network-availability/. Retrieved 02 August 2023. 
  8. "How to Enable the Spaces CDN". DigitalOcean Documentation. 7 June 2023. https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/. Retrieved 02 August 2023. 
  9. "Frequently Asked Questions". DigitalOcean Trust Platform. DigitalOcean. https://www.digitalocean.com/trust/faq/. Retrieved 02 August 2023. 
  10. 10.0 10.1 10.2 10.3 "Data Processing Agreement". DigitalOcean. 31 July 2020. https://www.digitalocean.com/legal/data-processing-agreement. Retrieved 02 August 2023. 
  11. "DigitalOcean Vulnerability Disclosure Program". HackerOne. March 2020. https://hackerone.com/digitalocean?type=team. Retrieved 02 August 2023. 
  12. "Seamless infrastructure monitoring". DigitalOcean. https://www.digitalocean.com/products/monitoring. Retrieved 02 August 2023. 
  13. "Managed Databases". DigitalOcean. https://www.digitalocean.com/security/shared-responsibility-model-managed-databases. Retrieved 02 August 2023.