If you compare Webflow with other systems, it quickly becomes clear why ambitious start-ups rely on Webflow. One of the most important features is the security of Webflow websites, which clearly surpasses that of other solutions.
In this article, we'll show you what Webflow as a company does for its own security and which factors also make it the best solution for your website.
Webflow: Internal Security
First, let's look at how Webflow as a company provides internal security and how that affects your website.
Employee IDs and two-factor authentication: ISO 27001
Webflow ensures that all its employees have unique identifiers and use two-factor authentication to log into the internal infrastructure. This significantly reduces the risk of an attacker taking over these identifiers to access the Webflow servers. In addition, all employee devices are encrypted and the physical servers are monitored and protected.
Thanks to all of these internal security measures, Webflow is certified according to ISO 27001, an international standard that shows the efforts a company is making to ensure the protection of its data and that of its customers.
In this way, Webflow ensures that your data is also stored securely and cannot be read by potential attackers.
Regular audits to update security practices: SOC 2
The SOC 2 standard, “Service Organization Control 2,” developed by AICPA (American Institute of Certified Public Accountants), requires companies to use thorough web security practices and to update them regularly.
To confirm its SOC 2 compliance, Webflow had to pass a full security audit, which verified the reliability of its protection systems. This audit covers 5 key criteria:
- Security: The systems used and the information collected on the Webflow websites must be protected from unauthorised access.
- Availability: The Webflow systems must be available for continuous use.
- Processing integrity: Webflow systems must work promptly and correctly.
- Confidentiality: Information classified as confidential should be protected.
- Privacy: Information is collected, used, stored, and safely disposed of.
Since December 2020, Webflow has been SOC 2 Type 1 certified and is currently undergoing the audit to become SOC 2 Type 2.
Webflow is therefore constantly working to guarantee its customers the highest level of security for their own websites.
Security of websites built with Webflow
As a company, Webflow itself therefore ensures that internal processes handle user data as securely as possible. But what about your Webflow website itself?
Webflow Hosting: AWS
The websites created on Webflow are generally hosted by AWS (Amazon Web Services). This cloud solution from Amazon is one of the most used website hosts worldwide.
To protect its infrastructure, AWS employs hundreds of people who are exclusively concerned with finding and combating potential security vulnerabilities. This makes AWS particularly robust against cyber attacks.
Securing login details
Let's now look at the vulnerabilities in how a website's administrators are authenticated: First, it is of course up to you to choose strong passwords, change them regularly and, above all, ensure that these login details are stored securely within your company.
However, Webflow helps you protect your access by offering you two-factor authentication: If someone tries to log in with your login details, he or she must also provide, for example, a code that is sent via SMS to a number you have provided.
This ensures that it is you who logs into your Webflow editor. Webflow thus offers additional security if your login details fall into the wrong hands.
SSL encryption
When your target audience browses your website, their browsing must be safe and the data they enter on your site must not be accessible to third parties.
To prevent this, Webflow protects all pages on your website with Secure Sockets Layer (SSL) encryption. This protocol protects the data that is transferred between the user's browser and the server that hosts the website.
In short, this means that no one can see or change the data that is sent to the server or the data that the browser receives. Most websites use this protocol to secure their data.
You can tell whether it is activated simply by looking at the URL: If it starts with https instead of http, the data transferred between the browser and this website is encrypted in transit.
No third-party plugins
One of the biggest issues with CMSs like WordPress is the use of third-party plugins that allow you to add extensions to your website, such as contact forms, payment modules, or security elements.
Most of these extensions come from third-party providers with their own security responsibilities. This sounds practical at first, because you do not have to build these complex extensions yourself. The problem, however, is that they are usually not regularly maintained, so they fall out of date and security vulnerabilities often arise.
With Webflow, everything is developed natively with the tool and when it comes to integrations, Webflow only works with large companies such as Mailchimp or Stripe. These companies have a transparent and reliable security and privacy policy, which greatly minimizes the risk of your Webflow website being hacked.
Secure payment system
When you're developing a Webflow e-commerce site, the security of payments is one of the most important factors. Until now, Webflow has chosen a single partner for online payments: Stripe. All transactions and payment-specific data are fully managed by this specialized tool, which is certified as a Level 1 Service Provider.
Stripe uses the latest security protocols, such as TLS and HTTPS, to protect data and verifies that all of its users are PCI compliant (global security standards for payment account data).
To get advice on individual security aspects of Webflow, you can also contact a Webflow agency.
Webflow and the GDPR — what needs to be considered in Germany
Finally, the question remains as to how Webflow is compatible with the GDPR. With headlines such as “Webflow — How to secure?” or “Webflow jurisprudence,” there are a few theories circulating on the Internet that suggest that Webflow is causing difficulties in this respect.
What sounds complicated in theory is easy to break down in practice. For German websites that are created with Webflow, there are therefore a few things to consider.
Webflow Hosting
As explained above, Webflow is hosted via AWS, and Amazon Web Services uses both North American and European servers to transfer data.
Since it cannot be ensured that the data on your website runs exclusively on European servers, it may be transmitted via foreign servers, even if only for organizational reasons and without this data being viewable.
This is currently a grey area in Germany under data protection law — just like all US tool providers, such as Mailchimp, Google Analytics and Co.
Webflow has now announced that customers on the Enterprise plan will be able to rely on GDPR-compliant hosting in the future.
Webflow forms
This is similar for forms on a Webflow website: It is highly likely that all entered data will initially be routed via a non-European server. With contact forms, the data entered by users is stored in the backend of Webflow so that you can access it later.
Webflow GDPR solution
Currently, the most sensible solution to these conflicts is the privacy policy on your website. Here, the cases described above must be presented in detail so that you are legally protected. For this purpose, it is recommended that you review Webflow's Data Processing Addendum with a legal advisor, conclude a data processing agreement with Webflow, and link to it in your own privacy policy.
You are welcome to get advice from an expert again to formulate the privacy policy individually and correctly.
If in doubt, Webflow's customer service is also available: you can reach Webflow's support team at security@webflow.com with any questions or concerns you may have.