Security and Compliance

We are committed to security.

Security and compliance hold paramount importance for Directus, as they shape the very foundation of your interaction with our product. Directus is dedicated to safeguarding your application data, mitigating system vulnerabilities, and guaranteeing uninterrupted access.


Infrastructure and Network Security

Information Security

Directus uses NIST Access Control principles, envelope encryption for all data at rest, and TLS 1.3+ for all traffic in-transit.

Access Control

Directus cloud hosting providers are SOC 2 Type II, ISO 27001 and GDPR compliant.

Resilience & Scalability

Directus deploys, manages and monitors cloud services using production containerization with fleet management, load balancing, vertical & horizontal scaling, and backups.

Accountability

In addition to our cloud metrics, logging, and alerting, Directus Activity Log tracks all user actions within the Data Studio and APIs.

Compliance & Security

Directus is committed to providing the highest level of integrity as it relates to the accountability organizations are held to in respect to the collection, processing and retention of information of an individual. Directus prioritizes security at every stage of our development and business process lifecycle.

The Directus Chief Information Security Officer (CISO) directs all Engineering, Cloud and internal security efforts, which are supported and applied by the executives, managers and teams across the organization.

Information Security & Access Control

Directus has adopted the Access Control (AC) control family of NIST SP 800-53 as the official policy for this domain.

Directus maintains strict policies and procedures for information security, access, encryption, retention and recovery. All sensitive information classified by Directus as PROTECTED or RESTRICTED, including but not limited to PII, PHI and passwords, must be encrypted while at rest or when transmitted outside of our company. Directus Core user authentication relies on argon2-hashed passwords/tokens and unguessable user IDs for access management.

Clients are wholly responsible for ensuring their project data models and design encrypt any fields considered personal, private or confidential. The Directus core platform doesn't collect, store, or distribute any personally identifiable or any other private data.

Directus Cloud Infrastructure

Directus requires that all cloud hosting providers used for our Service Offerings are at least SOC 2 Type II, ISO 27001 and GDPR compliant.

Directus Cloud on AWS

Directus selected AWS as a cloud infrastructure provider based on security and reliability. Our team has undergone AWS Well-Architected Framework reviews with AWS engineering and continues to evolve our security and resilience procedures and guidelines to ensure a secure and performant cloud service.

The AWS physical & logical services used to power the Directus Cloud Services inherit all standards and compliance supported including SOC 2 Type II, ISO 27001, GDPR, etc.

Cloud Security

The Directus Cloud Engineering team uses CISO-approved individual accounts with Identity & Access Management (IAM) permissions to ensure access to the various services happens exclusively on a "need-to-know" basis.

All access to customer deployments is restricted and requires an individual user account, so that every action is logged and auditable. All system and security logs are monitored by our team. All connections to private data sources require a VPN connection from the personnel into the cloud, to ensure data access is strictly on a need-to-know basis.

Logging & Accountability

All Directus cloud services are monitored using metrics, logging and alerting. Metrics and logs are kept within the infrastructure. Minimal error logs containing no PII are shared with third-party software that we also host on this same cloud infrastructure.

Resilience & Scalability

Directus has been designed and built as a cloud native, highly scalable platform. Deployments may be scaled up both vertically and horizontally to meet the usage requirements of the solution. Directus Cloud offerings are managed, monitored and deployed using production containerization with fleet management, load balancing, vertical & horizontal scaling, backups, etc.

Data Encryption

All data (database and file assets) is envelope encrypted at rest and managed within private subnets. The only ingress uses TLS 1.3+ transport and is tightly controlled through CDN, firewall and load balancer rules.

Backups & Recovery

Directus Cloud performs automatic daily backups that are stored envelope encrypted. Directus doesn't rely on anything besides the database for its operation, so recovery consists of restoring the database and redeploying the project's Directus nodes.

Project Security

Directus' own role-based access control (RBAC) system works on an allow-list basis: access is granted explicitly to specific data points. Everything is private by default, and public access is fully configurable through a flexible filter-rule system.

The Directus Cloud Dashboard allows you to manage and monitor your projects including team members, invoices, metrics, uptime, notifications, logs, etc.

Roles & Permissions

All data within the platform is private by default. The Public role may be configured to expose data without authentication. Directus roles define private data access permissions and are the primary organizational structure for Users within the platform. Each role is managed through permissions that support CRUD operations at the collection, item and field level.

Each User is assigned a single Role which determines their Permissions within the App and API. Roles also include options for configuring platform access, Two-Factor Auth, Module Navigation, and Collection Navigation. You can create an unlimited number of roles, so organize your users in whatever way feels most appropriate.

Logging & Accountability

Directus Activity Log provides a collective timeline of all actions taken within the project. These detailed records allow for auditing user activity and enforcing accountability.

Field Hashing

Directus uses the Argon2 hashing function for three purposes: 1) hashing user passwords/tokens, 2) generating hashes for the Hash field type in collections, and 3) the hash-generation API endpoint. All HASH_* environment variable parameters are passed to the argon2.hash function. See the node-argon2 library options page for reference.
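As an added illustration (not Directus code), the following shows how HASH_* settings can be mapped onto node-argon2's options before they reach argon2.hash, rejecting values that would weaken the hash. It assumes HASH_MEMORY_COST, HASH_TIME_COST, HASH_PARALLELISM, HASH_HASH_LENGTH and HASH_TYPE as the variable names, that node-argon2 is installed, and uses example floors rather than figures from this page.

```javascript
// Added example, not Directus code: turn HASH_* environment variables into the
// options object handed to node-argon2's argon2.hash(), refusing settings that
// would weaken the hash. The HASH_* names are assumed to mirror node-argon2's
// option names; the floors are example values in the spirit of current argon2id
// guidance (19 MiB memory, 2 iterations), not figures from the page.

// node-argon2 exposes these numeric type constants (argon2d=0, argon2i=1, argon2id=2).
const ARGON2_TYPES = { argon2d: 0, argon2i: 1, argon2id: 2 };

const ENV_TO_OPTION = {
  HASH_MEMORY_COST: { key: 'memoryCost',  min: 19456 }, // KiB
  HASH_TIME_COST:   { key: 'timeCost',    min: 2 },     // iterations
  HASH_PARALLELISM: { key: 'parallelism', min: 1 },     // lanes
  HASH_HASH_LENGTH: { key: 'hashLength',  min: 32 },    // output bytes
};

// Build the argon2 options from an env-like object. Unset variables keep
// node-argon2's defaults; malformed or too-weak values are reported together.
function buildArgon2Options(env) {
  const options = {};
  const problems = [];
  for (const [name, { key, min }] of Object.entries(ENV_TO_OPTION)) {
    if (env[name] === undefined || env[name] === '') continue;
    const value = Number(env[name]);
    if (!Number.isInteger(value) || value < min) {
      problems.push(`${name}=${env[name]} must be an integer >= ${min}`);
      continue;
    }
    options[key] = value;
  }
  if (env.HASH_TYPE !== undefined) {
    const type = ARGON2_TYPES[env.HASH_TYPE];
    if (type === undefined) problems.push(`HASH_TYPE=${env.HASH_TYPE} is not argon2d, argon2i or argon2id`);
    else options.type = type;
  }
  if (problems.length > 0) {
    throw new Error(`Refusing to start with weak or invalid HASH_* settings: ${problems.join('; ')}`);
  }
  return options;
}

// Hash a password or token with the validated options. node-argon2 is loaded
// lazily so the option validation above can run without the native module.
async function hashSecret(secret, env = process.env) {
  const mod = await import('argon2');
  const argon2 = mod.default ?? mod;
  return argon2.hash(secret, buildArgon2Options(env));
}
```

Call `hashSecret('my-secret')` at startup with the real process environment; a misconfigured deployment fails loudly instead of silently hashing with weak parameters.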

SSO

Directus' SSO integrations (oauth2, openid, ldap, saml) provide powerful alternative ways to authenticate into your project. The Directus core authentication may be disabled in favor of using only your organization's SSO provider(s).

OpenID (OpenID Connect) is an authentication layer built on OAuth 2.0 and should be preferred over plain OAuth 2.0 where possible. OpenID offers stronger user verification and consistent profile information, allowing for more complete user registrations.

LDAP allows Active Directory users to authenticate and use Directus without being configured manually. User information and roles are assigned from Active Directory.

You may configure multiple providers for handling authentication in Directus, giving users different options when logging in.

©2025 Monospace Inc