Information Security
Directus uses NIST Access Control principles, envelope encryption for all data at rest, and TLS 1.3+ for all traffic in-transit.
Security and compliance hold paramount importance for Directus, as they shape the very foundation of your interaction with our product. Directus is dedicated to safeguarding your application data, mitigating system vulnerabilities, and guaranteeing uninterrupted access.
Directus is committed to providing the highest level of integrity as it relates to the accountability organizations are held to in respect to the collection, processing and retention of information of an individual. Directus prioritizes security at every stage of our development and business process lifecycle.
The Directus Chief Information Security Officer (CISO) directs all Engineering, Cloud and Internal security efforts, which are supported and applied by the executives, managers and teams across the organization.
Directus has adopted the Access Control principles established in the NIST SP 800-53 “Access Control” control family guidelines as the official policy for this domain.
Directus maintains strict policies and procedures for information security, access, encryption, retention and recovery. All sensitive information classified by Directus as PROTECTED or RESTRICTED, including but not limited to PII, PHI, and passwords, must be encrypted while at rest or when transmitted outside of our company. Directus Core user authentication relies on argon2-hashed passwords/tokens and unguessable user IDs for access management.
Clients are wholly responsible for ensuring that their project data models and designs encrypt any fields considered personal, private or confidential. The Directus core platform doesn't collect, store, or distribute any personally identifiable or other private data.
Directus requires that all cloud hosting providers used for our Service Offerings are at least SOC 2 Type II, ISO 27001 and GDPR compliant.
Directus selected AWS as a cloud infrastructure provider based on security and reliability. Our team has undergone AWS Well-Architected Framework reviews with AWS engineering and continues to evolve our security and resilience procedures and guidelines to ensure a secure and performant cloud service.
The AWS physical and logical services used to power the Directus Cloud Services inherit all of the standards and compliance AWS supports, including SOC 2 Type II, ISO 27001, GDPR, etc.
The Directus Cloud Engineering team uses CISO-approved individual accounts with Identity and Access Management (IAM) permissions to ensure access to the various services happens exclusively on a "need-to-know" basis.
All access to customer deployments is restricted and requires individual user accounts, so that every access is logged and auditable. All system and security logs are monitored by our team. All connections to private data sources require a VPN connection from the personnel into the cloud, to ensure data access is strictly on a need-to-know basis.
All Directus cloud services are monitored using metrics, logging and alerting. Metrics and logs are kept within the infrastructure. Minimal error logs containing no PII are shared with third-party software that we also host on this same cloud infrastructure.
Directus has been designed and built as a cloud native, highly scalable platform. Deployments may be scaled up both vertically and horizontally to meet the usage requirements of the solution. Directus Cloud offerings are managed, monitored and deployed using production containerization with fleet management, load balancing, vertical & horizontal scaling, backups, etc.
All data (database and file assets) is envelope encrypted at rest and managed within private subnets, with the only ingress using TLS 1.3+ transport and tightly controlled through CDN, Firewall and Load Balancer rules.
Directus Cloud performs automatic daily backups that are stored envelope encrypted. Directus doesn't rely on anything besides the database for its operation, therefore recovery is done by restoring the database and redeploying the project's Directus nodes.
Directus' own role-based access control (RBAC) system is fully based on allow-listing access to specific collections, items and fields. Everything is private by default, with public access being fully configurable through a flexible filter-rules-based system.
The Directus Cloud Dashboard allows you to manage and monitor your projects including team members, invoices, metrics, uptime, notifications, logs, etc.
All data within the platform is private by default. The Public role may be configured to expose data without authentication. Directus roles define private data access permissions and are the primary organizational structure for Users within the platform. Roles are managed through permissions, with CRUD operations supported at the collection, item and field level.
Each User is assigned a single Role which determines their Permissions within the App and API. Roles also include options for configuring platform access, Two-Factor Auth, Module Navigation, and Collection Navigation. You can create an unlimited number of roles, so organize your users in whatever way feels most appropriate.
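As an added example (not Directus code or code from this page), the check below shows the allow-list model described above: access is denied unless the user's role holds an explicit permission for the collection and action, the item passes that permission's filter rule, and only the allow-listed fields are returned. The PERMISSIONS table and the small subset of filter operators are constructed for illustration.

```javascript
// Constructed sample permissions: role -> list of { collection, action, fields, filter }.
// A missing entry means "no access" (private by default). The public role is the
// one exception the page describes: it may expose data without authentication.
const PERMISSIONS = {
  public: [
    { collection: 'articles', action: 'read', fields: ['id', 'title'],
      filter: { status: { _eq: 'published' } } },
  ],
  editor: [
    { collection: 'articles', action: 'read', fields: ['*'], filter: {} },
    { collection: 'articles', action: 'update', fields: ['title', 'body'],
      filter: { author: { _eq: '$CURRENT_USER' } } },
  ],
};

// Evaluate a filter rule against an item; every field and operator must match.
// Only _eq, _neq and _in are implemented here (an assumed subset, not the full syntax).
function matches(filter, item, user) {
  return Object.entries(filter).every(([field, ops]) =>
    Object.entries(ops).every(([op, raw]) => {
      const value = raw === '$CURRENT_USER' ? user.id : raw;
      if (op === '_eq') return item[field] === value;
      if (op === '_neq') return item[field] !== value;
      if (op === '_in') return value.includes(item[field]);
      throw new Error(`unsupported operator ${op}`);
    }));
}

// Return the fields of `item` the user may access for `action`, or null if denied.
// Default deny: no matching permission, or a failing filter, yields null.
function authorize(user, collection, action, item) {
  const rules = PERMISSIONS[user.role] || [];
  const rule = rules.find(r => r.collection === collection && r.action === action);
  if (!rule || !matches(rule.filter, item, user)) return null;
  if (rule.fields.includes('*')) return { ...item };
  // Field-level allow-list: strip everything the permission does not name.
  return Object.fromEntries(
    Object.entries(item).filter(([key]) => rule.fields.includes(key)));
}
```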
The Directus Activity Log provides a collective timeline of all actions taken within the project. These detailed records allow for auditing user activity and enforcing accountability.
Directus uses the Argon2 hashing function for three purposes: 1) hashing user passwords/tokens, 2) generating hashes for the Hash field type in collections, and 3) the generate-hash API endpoint. All HASH_* environment variable parameters are passed to the argon2.hash function. See the node-argon2 library options page for reference.
Directus' SSO (oauth2, openid, ldap, saml) integrations provide powerful alternative ways to authenticate into your project. The Directus core authentication may be disabled in favor of using only your organization's SSO provider(s).
OpenID is an authentication protocol built on OAuth 2.0, and should be preferred over standard OAuth 2.0 where possible. OpenID offers better user verification and consistent profile information, allowing for more complete user registrations.
LDAP allows Active Directory users to authenticate and use Directus without having to be configured manually. User information and roles are assigned from Active Directory.
You may configure multiple providers for handling authentication in Directus. This allows for different options when logging in.