
Security at Webflow


Information Security Program

At Webflow, we take security seriously. We map our security program to industry standards such as ISO 27001 and the CIS Critical Security Controls. We are constantly looking for ways to improve security, not only for our product but also in how we conduct business on a daily basis.

Being a widely distributed team brings its own set of challenges, which is why we ensure that every employee understands the role they play in securing Webflow. We also use tools to help us enforce compliance with our internal security policies. 

While we believe that security is everyone’s responsibility, our program is led by the Senior Information Security Manager.


Webflow is SOC2, Type I certified as of December 2020. To access our report, please click to view our Security Profile. We anticipate completing the SOC2, Type II audit by the end of 2021.

Our payment processor, Stripe, is a certified Level 1 Service Provider. Webflow never has access to raw payment details.

Webflow complies with GDPR regulations.


Terms of Service


CCPA Notice


Internal Security Measures

Identity and Access Management

Employees have unique logins for all business critical systems and two-factor authentication is enforced wherever possible. We conduct regular access audits and operate on the principle of least privilege.

Hardware Security

All employee laptops are managed, have encrypted hard drives and are monitored with endpoint detection and response software.

Physical Security

Webflow’s office is secured by key fob access doors. Entrances and exits are observed and captured on a closed-circuit (CCTV) camera. The office is monitored and protected by an alarm system.

Network Security

The internal network is restricted, segmented and password protected. 

Security Education

As part of our commitment to ensure that every member of our team understands the role they play when it comes to security, we provide ongoing security training throughout the year, including periodic phishing tests. Each new employee attends a Security 101 training session within the first month of hire to help them learn to identify threats such as social engineering and phishing. In addition, our Engineering team participates in Secure Code Training.


Webflow's Application Security

Webflow is primarily hosted in AWS, giving us access to the benefits they provide their customers such as physical security, redundancy, scalability and key management.

In addition to the benefits provided by AWS, our application has built-in security features:

  • Two-factor authentication
  • SSO capabilities with G Suite
  • Single Sign-On (capabilities vary based on subscription tier)
  • Role-based permissions
  • Free SSL certificate
  • Backups and versioning

Customer Data and Privacy

Webflow stores the following customer data in its cloud:

  • Names
  • Usernames and email addresses
  • Billing Email Address
  • Payment history and invoices (credit card data is stored and processed by Stripe)
  • Phone Number (optional)
  • Billing address
  • Company (optional)
  • Location (city, country) 
  • Job Title (optional)
  • Hirable (Is this person available for hire? - also optional)
  • Personal Website (optional)
  • Employer (optional)
  • Referred By (optional person who referred user to use Webflow)

We use Amplitude and Google for product analytics. We track only enough data to segment users into product cohorts for internal optimization efforts.

We recommend that customers who need to comply with HIPAA integrate a 3rd party form provider rather than using a Webflow form. For more information, please contact security@webflow.com.


SSL Encryption is used throughout Webflow to protect PII and non-public data from unauthorized access. 

All communication between Webflow users and the Webflow-provided web application is encrypted in transit while using the application.

All databases and database backups are encrypted at rest.

Data Retention

Customers can request all of their data, or have it deleted, by sending an email to support@webflow.com, as long as the data is not subject to a legal hold or investigation.

Once an account or project is deleted, all associated data (account settings, etc.) are removed from the system. This action is irreversible. 

Access to Data

Access to customer data is limited to those whose roles require it to perform their job duties. An example of this is our Support team.

3rd Party Sub-processors

At Webflow, we use 3rd party service providers to help with analytics, payments, sending transactional emails and for hosting our service. To provide optimal transparency to our customers, we disclose all 3rd party services that may have access to your data through your use of our service.

Infrastructure Availability

Our backend infrastructure is hosted in AWS and is fully monitored to detect any downtime. 

Check out our status page for more information.

SLAs for Webflow Hosting and Webflow Application are available through the Webflow Master Sales Agreement.

Pentesting and Security Scans

Webflow conducts 3rd party pentests at least annually. In addition to regular pentesting, we also use scanning tools to monitor and detect vulnerabilities. It is against Webflow’s Terms of Service to probe, scan, or test the vulnerability of the Service or any Content, or any system or network connected to the Service.

Responsible Disclosure

If you believe you have discovered a vulnerability within Webflow’s application, please submit a report to us by emailing security@webflow.com. Webflow does not participate in a bug bounty program at this time, nor do we provide monetary rewards for findings.

If you believe your account has been compromised or you are seeing suspicious activity on your account please report it to: security@webflow.com.


Best practices

  • Never, under any circumstances, give another person credentials for your account.
  • Create a long and strong password (recommended 12+ characters, including uppercase and lowercase letters, numbers and special characters).
  • Ensure that you are utilizing Multi-Factor Authentication or Single Sign-On.
  • Claim ownership of your domain as quickly as possible. To do so, follow these steps.
  • Never share sensitive account details such as payment or username information with third parties.
  • Make sure your Webflow profile is set to private / public according to your goals and only contains details you wish to be shared (if set to public).


If you have any additional questions regarding security at Webflow, please contact us at: security@webflow.com.