Published on April 2, 2025
As digital landscapes evolve in the age of AI, security and compliance continue to rise in importance for enterprises as new and more sophisticated threats emerge.
At Contentful, we know building and sustaining trustworthy products is critical to our customers’ success. We are continuously and carefully refining our products to support our enterprise customers’ growing concerns and interest in advanced cybersecurity threat mitigation and prevention.
We are committed to securing all customer digital experiences. Through continuous discovery and delivery, we are also building solutions to solve the specific needs of enterprise customers. Our advanced security and compliance features are designed for scale and complex enterprise ecosystems.
This post introduces our latest enterprise-grade security solutions that are specifically designed to safeguard the sophisticated operations of larger enterprises with reliability and user-friendliness.
Minimizing the attack surface reduces vulnerabilities, threats, and risks, enhancing risk prevention, detection, response, and recovery. In 2023, the global average cost of a data breach reached $4.45M, a 15% increase over three years (IBM). This cost again increased by 10% to $4.88M in 2024 (IBM). With a 16% rise in application security attack surfaces, organizations faced 29,000 new vulnerabilities to defend against (Pragmatic Engineer).
Contentful was already compliant with ISO 27001 and PCI DSS. Achieving SOC 2 Type 1 compliance further validates that Contentful has implemented strong security controls designed to protect customer data. But this is just the beginning: we are now actively working toward SOC 2 Type 2 compliance, which we anticipate achieving later this year.
At Contentful, compliance is more than just checking a box — it reflects our commitment to security best practices and maintaining customer trust. By achieving SOC 2 compliance, we provide our customers with the assurances that we continuously meet high standards for security, confidentiality, and availability.
For more details on how Contentful secures customer data, visit our security page. Here, you’ll find information about how we keep our platform reliable, how we protect customer data, how we secure our business and our code, and other security measures taken by Contentful. Customers can also review the Security Addendum for additional information pertaining to our services.
Customers get better insight into how their platform is used for compliance, troubleshooting, and policy enforcement. With audit logs, organizations meet regulatory requirements and maintain strong governance.
Previously, customers had to rely on webhooks to capture and store audit events. Now, we offer audit logs as a native product functionality that eliminates the need to build and maintain a custom solution.
Admins can now receive audit event logs to see what happened on the platform, who did it, and when. Audit logs are securely transferred to your own Amazon S3 bucket or Azure Blob storage, from where you can import them into your preferred analysis and reporting tool. Read our Developer Documentation and the Changelog post.
We launched a suite of improvements around our Content Management API (CMA) token management capabilities, designed to empower token issuers and organization admins.
Issuers of tokens can now set expiration dates on their tokens. The web app also shows them much more information about their tokens, which helps them manage those tokens more effectively. Bulk revocation lets users clean up old and unused tokens with ease, keeping only the relevant tokens alive and in use.
For administrators, we now provide a detailed list of tokens within their organization, including ownership details, creation and expiration dates, and last-used dates. This visibility allows for quick action if a token is compromised, reducing the risk of security breaches. Check out our Changelog post.
To enhance our customers’ organizational readiness and ensure timely communication in the event of a potential security incident, administrators can now add their dedicated points of contact to receive security-related notifications from Contentful. While we will continue to notify organization owners, this feature allows customers to designate the most appropriate individuals to receive critical security updates. See the Changelog post.
This feature adds another layer of security to the communication between Contentful’s webhooks and customer applications. Request verification ensures that webhook requests are legitimate and not spoofed to protect sensitive information.
Contentful already provided customers with secure webhooks; customers now have more control to validate their secure webhook connections. This works similarly to the existing app request verification feature.
Customers sign and validate webhook requests with a secret key. We use Hash-based Message Authentication Code (HMAC), which is the most popular webhook authentication and message security method.
Contentful also offers examples of how to compute and verify the request verification signatures in 11 programming languages. See an example for Node.js and examples for 10 other languages. Check out the Developer Documentation and the Changelog post.
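The receiver-side check described above, as an added Node.js example; it is not Contentful's code or its documented signing format. The canonical string layout, the 30-second freshness window, and every name and sample value here are assumptions made for illustration; the real header names and canonicalization are in the Developer Documentation.

```javascript
const crypto = require('node:crypto');

// Assumed canonical form (hypothetical): METHOD \n PATH \n TIMESTAMP \n RAW_BODY.
// Sign the raw body exactly as received, before any JSON parsing or re-serialising.
function canonicalize({ method, path, timestamp, body }) {
  return [method.toUpperCase(), path, String(timestamp), body].join('\n');
}

// HMAC-SHA256 over the canonical string, hex-encoded.
function sign(secret, req) {
  return crypto.createHmac('sha256', secret).update(canonicalize(req)).digest('hex');
}

// Returns 'ok', 'stale', 'malformed' or 'bad-signature'.
function verify(secret, req, signatureHex, nowMs = Date.now(), maxAgeMs = 30000) {
  // Freshness: the timestamp is covered by the MAC, so a captured request
  // cannot be replayed later with a new timestamp.
  const ts = Number(req.timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowMs - ts) > maxAgeMs) return 'stale';

  // Shape check first: timingSafeEqual throws on buffers of unequal length.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return 'malformed';
  }

  const expected = Buffer.from(sign(secret, req), 'hex');
  const given = Buffer.from(signatureHex, 'hex');
  // Constant-time comparison avoids leaking how many leading bytes matched.
  return crypto.timingSafeEqual(expected, given) ? 'ok' : 'bad-signature';
}

// Constructed sample request and secret, exercised for four outcomes.
function demo() {
  const secret = 'constructed-secret-for-illustration';
  const now = 1743580800000;
  const req = {
    method: 'POST',
    path: '/hooks/content',
    timestamp: now,
    body: '{"sys":{"id":"constructed-entry"}}',
  };
  const sig = sign(secret, req);
  return {
    valid: verify(secret, req, sig, now),
    tamperedBody: verify(secret, { ...req, body: '{"sys":{"id":"other"}}' }, sig, now),
    replayedLater: verify(secret, req, sig, now + 5 * 60 * 1000),
    truncatedSignature: verify(secret, req, sig.slice(0, 32), now),
  };
}
```
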
These security enhancements — from audit logs to improved token management, designated security contacts, and webhook request verification — reinforce our commitment to protecting your digital experiences with enterprise-grade solutions.
We are continuously innovating to stay ahead of emerging risks, ensuring enterprises can operate with confidence and resilience. In parallel, we remain focused on aligning with key industry standards and compliance frameworks to provide assurance through recognized certifications and attestations.
Stay tuned for more updates on upcoming security and compliance capabilities.
We’d love your input on our discovery topics. Join the Contentful research panel to take part in our internal product development and research projects. Our Product team invites customers and partners to take part in new research initiatives that are relevant to their experiences. Fill out our short survey to join the panel and start the process.