From LIMSWiki
Industry: Cloud computing, Web services, Internet
Founder(s): Moisey Uretsky, Ben Uretsky, Jeff Carr, Alec Hartman, Mitch Wainer
Headquarters: New York City, New York, United States
Area served: Worldwide
Key people: Yancey Spruill (CEO)
Products: IaaS, PaaS, DBaaS, SaaS
Revenue: $87.5 million (2020, Q4)[1]

DigitalOcean is an American cloud computing company that provides public and private cloud solutions to enterprises, organizations, governments, and individuals. AWS has 13 data centers located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, and India.[2] The company provides more than 30 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, container management, developer support, and managed services.[3][4]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.

1. What experience do you have working with laboratory customers in our specific industry?

The only publicly available information linking DigitalOcean with a laboratory is the fact that DigitalOcean's CFO Steve Senneff used to work as a senior financial analyst at Abbott Laboratories.[5] You'll have to have a discussion with a DigitalOcean representative to determine what, if any, experience the provider has working with laboratories.

2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

It will ultimately be up to your organization to get an answer tailored to your systems and business processes. DigitalOcean doesn't say a whole lot about integrations on the front- or backend. The company does have a page about integration tools, which you can use to "interact with your infrastructure the way you want to."[6] This includes their command-line interface doctl for managing Droplets and other resources, as well as an API.[6]

3. What is the average total historical downtime for the service(s) we're interested in?

Some public information is made available about historic outages and downtime. DigitalOcean has a systems status page with status history. You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. The company also claims to have improved its network monitoring strategy for "every single Droplet that runs" on their infrastructure.[7] A follow-up on this question with a DigitalOcean representative may reveal more downtime history for the services you are interested in.

4. Do we receive comprehensive downtime support in the case of downtime?

DigitalOcean does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with DigitalOcean what downtime support they provide based on the services your organization is interested in.

5. Where are your servers located, and how is data securely transferred to and from those servers?

DigitalOcean describes its datacenter regions in its online documentation. As of this writing, they are located in the U.S., Netherlands, Singapore, United Kingdom, Germany, Canada, and India. DigitalOcean uses its Spaces Content Delivery Network, which "minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs" of requested content.[8] However, DigitalOcean is light on details with regard to secure data transfers. On their security FAQ, they say the following: "Tight role-based access, two-factor authentication, secure network zones, bastion hosts, and secrets management underpin our approach to securing our management layer. Vulnerability and patch management as well as security observability tools help us keep on top of the ever-shifting risk in our infrastructure. We’re also currently on the path toward a broader 'zero-trust' model for access to resources within our environment."[9] The company also discusses data transfers under the scope of Privacy Shield and Standard Contractual Clauses on its trust center. DigitalOcean doesn't appear to discuss data localization on its site.

6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

DigitalOcean is not fully public with their physical access protocols. In a 2019 query, a potential customer asked about physical security, and they were told to review the legal literature for the company. The current data processing agreement has a "security" section, but even there details are limited. It recommends reading Annex B of the agreement, but Annex B is only "Available upon request."[10] You'll have to discuss this topic in full with a DigitalOcean representative.

7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all DigitalOcean machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data. (Note that DigitalOcean may not be compliant with HIPAA; see #14.)

8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

DigitalOcean's public policy on physical separation vs. logical separation of data is unclear. This is a discussion to have with a representative.

DigitalOcean talks a little bit about tenant isolation in the context of a virtual private cloud (VPC), mentioning VPC networks, SSH keys, cloud firewalls, and service auditing. These are recommended protections for you, the cloud user. However, it's best to discuss DigitalOcean's approach to tenant isolation in full with a representative.

9. Do you have documented data security policies?

DigitalOcean documents its security practices in several places:

Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with a DigitalOcean representative to obtain them.

10. How do you test your platform's security?

DigitalOcean doesn't appear to make this information public. They do state: "DigitalOcean shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm DigitalOcean's compliance with this DPA, provided that Customer shall not exercise this right more than once per year."[10] You will have to discuss this with a representative. DigitalOcean also appears to have a bug bounty program, managed by HackerOne.[11]

11. What are your policies for security audits, intrusion detection, and intrusion reporting?

In its Data Processing Agreement, DigitalOcean addresses security audits. In particular, if you, the customer, do not find DigitalOcean's documentation and audit reports sufficient, you can execute an audit of DigitalOcean's systems, but at your own expense.[10] Read the Data Processing Agreement for more.

12. What data logging information is kept and acted upon in relation to our data?

DigitalOcean's data logging tool for customers is Monitoring, a tool powered by DigitalOcean's own open-source agent. It is described as allowing the customer to simplify "your toolset to collect system-level metrics all in one place," including the ability to "view graphs, track performance, and set up alerts instantly within your control panel."[12] However, DigitalOcean doesn't appear to make it publicly clear if they use these tools for their own data logging, let alone what they do with data logs related to your data. Be sure a DigitalOcean representative is clear about what logging information they collect and use as it relates to your data.

13. How thorough are those logs and can we audit them on-demand?

You can of course manage and view logs related to your own activities. However, it's unclear if you are able to audit internal DigitalOcean logs on demand. This is a conversation to have with a representative.

14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

DigitalOcean's approach to HIPAA compliance and a business associate agreement is extremely confusing. Unfortunately, the company does not directly come out and say what its stance is on HIPAA. Numerous community questions[13] and even some external discussion boards[14] give conflicting information about this topic. Judging from publicly available information, it doesn't appear they are HIPAA/HITECH compliant, but they may be working towards that. This is a conversation for a knowledgeable representative.

15. What happens to our data should the contract expire or be terminated?

DigitalOcean only states: "Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent DigitalOcean is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data DigitalOcean shall securely isolate and protect from any further processing, except to the extent required by applicable law."[10] This statement doesn't provide sufficient clarity, and you should have a DigitalOcean representative address this question in full.

16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how DigitalOcean would handle your data should they go out of business, nor do they mention anything about catastrophic loss on their site. Consult with a DigitalOcean representative about this topic.

17. Can we use your interface to extract our data when we want, and in what format will it be?

DigitalOcean has a page dedicated to data portability. On it, they give tutorials and documents to assist you with moving content and data from Droplets, Block Storage volumes, and Spaces. It doesn't address format, which may be an important question for a DigitalOcean representative.

18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with a DigitalOcean representative.

Managed security services

DigitalOcean doesn't appear to provide managed security services for cloud customers.

Additional information

Documentation and other media

External links


  1. Wilhelm, A. (15 March 2021). "Olo raises IPO range as DigitalOcean sees possible $5B debut valuation". TechCrunch - Extra Crunch. Retrieved 25 April 2021.
  2. "Regional Availability Matrix". DigitalOcean. 1 April 2021. Retrieved 25 April 2021. 
  3. "Products". DigitalOcean. Retrieved 25 April 2021. 
  4. "Solutions". DigitalOcean. Retrieved 25 April 2021. 
  5. "DigitalOcean Appoints Steve Senneff as CFO". CityBizList. 15 August 2017. Retrieved 13 April 2021. 
  6. "Automate your infrastructure". DigitalOcean. Retrieved 14 April 2021.
  7. Migliaccio, A. (11 February 2021). "A glimpse into network availability". DigitalOcean Blog. Retrieved 14 April 2021. 
  8. "How to Enable the Spaces CDN". DigitalOcean Documentation. 1 March 2021. Retrieved 14 April 2021. 
  9. "Frequently Asked Questions". DigitalOcean Trust Platform. DigitalOcean. Retrieved 14 April 2021. 
  10. "Data Processing Agreement". DigitalOcean. 31 July 2020. Retrieved 14 April 2021.
  11. "DigitalOcean Vulnerability Disclosure Program". HackerOne. March 2020. Retrieved 14 April 2021. 
  12. "Seamless infrastructure monitoring". DigitalOcean. Retrieved 14 April 2021. 
  13. Nusbaum (15 September 2016). "How can I achieve HIPAA compliance on a DigitalOcean hosted solution?". DigitalOcean Community. DigitalOcean. Retrieved 14 April 2021. 
  14. Evans, C. (14 February 2019). "Fully managed PostgreSQL databases". Hacker News. Retrieved 14 April 2021.