Security statement
When customers decide to use Webflow to build, launch, host and optimize beautiful websites all on their own, they can be assured that Webflow takes security seriously.
Webflow is proud to be SOC 2 Type II certified by an independent third-party auditor, assuring customers that our security controls have been attested and validated. We are constantly looking for ways to improve security not only in our product but also in how we conduct business on a daily basis.
Being a widely distributed team brings its own set of challenges, which is why we ensure that every employee understands the role they play in securing Webflow. We also use a variety of tools to help us enforce compliance with our internal security policies. To learn more about our security program, please view our security whitepaper and visit our security profile to obtain additional security documentation such as our latest SOC 2 Type II report.
For Enterprise customers, please reach out to your Account Executive to obtain more information about our Security Program, or to submit a custom security questionnaire for our team to complete. Please note that our security team is only able to complete security questionnaires for Enterprise customers at this time.
Security FAQs
Webflow is committed to providing you with the information you need to meet your data security obligations. Below you'll find resources related to our security practices and answers to frequently asked questions.
What personal data does Webflow process?
Who at Webflow can access Personal Data?
How long does Webflow retain Customer Data?
Is Webflow PCI compliant?
Is Webflow HIPAA compliant?
Where does Webflow process Customer Data?
Is Webflow customer data encrypted?
Does Webflow offer a Data Processing Agreement (DPA)?
Does Webflow allow customers to perform penetration testing and vulnerability scans?
Does Webflow have a status page in regards to uptime?
Responsible security bug disclosure
If you believe you have discovered a vulnerability within Webflow's application, please submit a report to us by emailing security-bug-reports@webflow.com.
Please note that at this time Webflow does not participate in a public bug bounty program, nor do we provide monetary rewards for publicly reported findings.
If you believe your account has been compromised, or you are seeing suspicious activity on your account, please report it using our support contact form.
Security updates
CrowdStrike Outage - No Impact to Webflow
Webflow is not impacted by the outages affecting Windows due to the CrowdStrike Platform. We remain committed to providing you with uninterrupted service and appreciate your continued trust in Webflow.
Advisory: polyfill supply chain attack vulnerability - No Impact to Webflow, vendor monitoring ongoing
The Webflow Security team investigated and found that the Webflow app and its services were not impacted by the `polyfill.io` supply chain attacks. Webflow does not use `polyfill.js` as a direct or transitive dependency.
As a site builder, Webflow allows custom code to be added to customer sites but does not monitor that code, except for abuse behavior. If your site's custom code has references to `polyfill.io` or `cdn.polyfill.io`, we recommend that you immediately remove them or replace them with the secure Cloudflare version at https://cdnjs.cloudflare.com/polyfill/.
We are still working with our sub-processors to check if they were impacted. We will continue to monitor the situation and provide updates as necessary.
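For the custom-code check recommended in the polyfill advisory above, the following is an added example (not Webflow's own code) that audits an HTML snippet for `src`/`href` references to the two hosts named in the advisory and rewrites them to the Cloudflare URL. The function names and sample markup are constructed for illustration, and the rewrite assumes the Cloudflare mirror serves the same path and query string as the original.

```javascript
// Hosts and mirror base are taken from the advisory text.
const AFFECTED_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);
const MIRROR_BASE = "https://cdnjs.cloudflare.com/polyfill";

// Quoted src/href attribute values in HTML custom code.
const URL_ATTR = /\b(src|href)\s*=\s*(["'])(.*?)\2/gi;

// Returns a parsed URL if the reference points at an affected host, else null.
function affectedUrl(raw) {
  let url;
  try {
    // The base resolves protocol-relative references such as //cdn.polyfill.io/...
    // and keeps site-relative paths (/js/app.js) on a harmless placeholder host.
    url = new URL(raw.trim(), "https://placeholder.invalid/");
  } catch {
    return null; // not parseable as a URL
  }
  // Exact host match (trailing dot stripped): look-alikes such as
  // polyfill.io.example.com or notpolyfill.io are not flagged.
  const host = url.hostname.replace(/\.$/, "");
  return AFFECTED_HOSTS.has(host) ? url : null;
}

// Returns the findings plus a copy of the markup with affected URLs rewritten.
function auditCustomCode(html) {
  const findings = [];
  const fixed = html.replace(URL_ATTR, (match, attr, quote, value) => {
    const url = affectedUrl(value);
    if (!url) return match;
    // Assumption: the mirror keeps the original path and query string.
    const replacement = MIRROR_BASE + url.pathname + url.search;
    findings.push({ attr: attr.toLowerCase(), original: value, replacement });
    return `${attr}=${quote}${replacement}${quote}`;
  });
  return { findings, fixed };
}

// Constructed sample custom code: two affected references, two that must be left alone.
const SAMPLE = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>',
  "<script src='//polyfill.io/v3/polyfill.min.js'></script>",
  '<script src="https://polyfill.io.example.com/v3/polyfill.min.js"></script>',
  '<script src="/js/app.js"></script>',
].join("\n");

console.log(auditCustomCode(SAMPLE).findings);
```

Review each finding before publishing the rewritten markup; removing the reference entirely is also an option the advisory gives.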
Potential Snowflake Incident - No Impact to Webflow, vendor monitoring ongoing
Our Snowflake instance was not impacted by the recent spike in malicious Snowflake activity, and we were able to confirm this with Snowflake directly as well as through an internal audit using their published IoCs. Like many companies, however, we have a number of vendors who are also Snowflake customers, and we are currently surveying them to determine if any were impacted by the breach.
We will continue to monitor the situation and provide updates as necessary.