Security
at Webflow

Security statement

When customers decide to utilize Webflow to build, launch, host and optimize beautiful websites all on their own they can be assured that Webflow takes security seriously.

Webflow is proud to be SOC 2 Type II certified by an independent third-party auditor ensuring customers that our security controls have been attested and validated. We are constantly looking for ways to not only improve security for our product, but also with how we conduct business on a daily basis.

Being a widely distributed team brings its own set of challenges, which is why we ensure that every employee understands the role they play in securing Webflow. We also use a variety of tools to help us enforce compliance with our internal security policies. To learn more about our security program please view our security whitepaper and visit our security profile to obtain additional security documentation such as our latest SOC 2 Type II report.

For Enterprise customers, please reach out to your Account Executive to obtain more information about our Security Program, or to submit a custom security questionnaire for our team to complete. Please note that our security team is only able to complete security questionnaires for Enterprise customers at this time.

Security FAQs

Webflow is committed to providing you with the information you need to meet your data security obligations. Below you'll find resources related to our security practices and answers to frequently asked questions.

• What personal data does Webflow process?

  Webflow processes personal data of two groups of individuals: (i) Customers and (ii) End Users. 

  (i) A “Customer” is an individual that accesses Webflow for the purposes of using our services. Customers include individuals who are owners, admins, members or guests of a workspace, Experts, Developers, and Marketplace and Template Creators. You can think of a Customer as someone who logs in to Webflow and utilizes our products. 

  (ii) End Users are individuals that access a site hosted by Webflow. Think of End Users as someone who visits your site.

  Webflow processes different categories of data for each type of individual. Please find the categories of personal data that Webflow processes for each group below. 

  Customers:
  Webflow processes the following categories of information for its Customers. Please note that not every category will apply to every type of Customer.

  • Registration data: full name, email address, and optional social media account information (e.g., if logging in through your Google account).
  • Profile data: biographical information, avatar, portfolio of work, skills, and/or freelance availability.
    Financial data: bank account information, payment card information, transaction history, and/or company billing information.
  • Transaction data: information about the transactions you make on our Platform, such as the names of your clients, the projects you complete, when projects are published, and/or timestamps of certain actions.
  • Online identifiers: geolocation/tracking details, browser fingerprint, OS, browser name and version, and/or IP addresses.
  • Interaction data: survey responses, forum or blog posts, authentication data, security questions, public social networking posts, user ID, click-stream data, and other data collected via cookies and similar technologies.

  End Users:

  • Online identifiers: User agents, browser fingerprint, OS, browser name and version, and/or IP addresses.
  • Personal data collected via form submissions: If a customer utilizes Webflow forms or our e-commerce offering, Webflow may process categories of personal data including and End User’s:
    • name;
    • email;
    • phone number;
    • address;
    • comments;
    • other contact information; and
    • any other personal data that an End User submits to Customer through a free form textbox.

  For additional information please refer to our privacy policy.

• Who at Webflow can access Personal Data?

  Personal Data for both Customers and End Users is only accessible by Webflow personnel whose roles require access to that Personal Data to perform their job duties. An example of this is our Support team.

• How long does Webflow retain Customer Data?

  Webflow retains Personal Data for Customers and End Users for the duration of a Customer’s use of Webflow. Upon the termination of the Agreement, Webflow will delete all Personal Information processed on behalf of Customer unless local laws, regulations, or other requirements applicable to Webflow prohibit the deletion of the Personal Information.

  Customers can request their data (including personal data, content they uploaded onto Webflow, and any other data) be deleted by contacting our support team. Webflow will delete the personal data unless local laws, regulations, or other requirements applicable to Webflow prohibit Webflow from deleting the personal data in question.

• Is Webflow PCI compliant?
  

  Our payment processor, Stripe is a certified Level 1 Service Provider. Webflow never has access to sensitive payment details.

• Is Webflow HIPAA compliant?
  

  Webflow is not HIPAA compliant.

• Where does Webflow process Customer Data?

  Webflow’s utilizes AWS as its hosting provider for our web application and Customer websites. Our AWS production servers are located in the USA.

  Webflow only offers AWS hosting in the USA region at the present time. Webflow does not offer hosting in any other AWS regions, currently.

  Webflow additionally utilizes subprocessors in the following locations to provide our services: https://webflow.com/legal/subprocessors.

• Is Webflow customer data encrypted?
  

  Yes, Data at rest is encrypted using AES256 bit, while Data in transit is encrypted over TLS 1.2 and 1.3.

• Does Webflow offer a Data Processing Agreement (DPA)?
  

  Of Course! Please visit our DPA page.

• Does Webflow allow customers to perform penetration testing and vulnerability scans?
  

  Webflow does not allow customers to run their own penetration test or vulnerability scans because this can cause a disproportionate load on our servers both individually and exponentially in the aggregate. Instead, the Webflow Security team runs annual penetration tests with external security firms and we make these reports available to customers. 

  You can find a copy of the Letter of Engagement from Webflow's latest penetration test along with a summary of results in Webflow's Security Profiles.

  Please note it is against Webflow's Terms of Service to probe, scan, or test the vulnerability of the Service or any Content, or any system or network connected to the Service.

• Does Webflow have a status page in regards to uptime?
  

  Yes! Please check out our status page.

Security updates