We are committed to maintaining the highest standards of security and compliance. Our comprehensive security program protects your data and gives you confidence when using our products and services.
Serverless, Inc. undergoes regular third-party audits to validate our security controls and ensure we meet industry standards.
Our SOC 2 Type I report is available, demonstrating that our security controls are properly designed and implemented to meet the security trust service criteria and protect against unauthorized access.
Request report via Trust Center →

We are currently within the SOC 2 Type II audit observation period, which validates the operating effectiveness of our controls over time. The final report is expected by May 2026.
Track progress via Trust Center →

Serverless, Inc. maintains a comprehensive security program built on industry best practices and continuous improvement.
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
Role-based access control with least-privilege principles and regular access reviews.
Comprehensive logging and real-time monitoring of all system activities and security events.
Documented incident response procedures with defined escalation paths and communication protocols.
Hosted on AWS with defense-in-depth architecture, network segmentation, and regular patching.
Rigorous vendor security assessments and ongoing monitoring of third-party service providers.
Our security policies are reviewed annually and align with SOC 2 trust service criteria.
For organizations with strict security requirements, the Serverless Framework CLI can operate as a fully on-premise tool with minimal external connectivity.
The Serverless Framework CLI is source available, allowing your security team to review the complete codebase. Inspect exactly what runs in your environment and verify our security practices firsthand.
View source on GitHub →

The Serverless Framework CLI is locally installed software that, by default, does not interact with Serverless, Inc. servers except for limited network requests for license compliance. The optional Serverless Framework Dashboard provides additional features such as Observability and Secrets Management, but it is not required.
Many enterprises rely exclusively on the Serverless Framework CLI for mission-critical workloads. As a locally executed tool, the CLI offers full control and customization, aligning well with strict corporate security and compliance requirements.
If your organization wants to use only the CLI and not the Dashboard, License Keys are the solution. Using License Keys disables Dashboard access by default, ensuring the CLI operates solely as an on-premise product.
License Keys validate and track subscription usage only; they do not grant access control or permissions.
Eliminates all Dashboard requests except License Key validation and telemetry.
Keys don't expire, avoiding service disruption while still allowing rotation as a best practice.
Create and distribute as many keys as needed, by company, team, app, or developer.
When not used with the Dashboard, the CLI makes the following network requests to Serverless, Inc. backend services:

| Purpose | Endpoint |
|---|---|
| Checks for the latest version of the CLI. | https://install.serverless.com/versions.json |
| Downloads updates when required. | https://install.serverless.com/archives/* |
| Validates the License Key during initialization. | https://core.serverless.com/api/bff |
| Sends minimal usage data for license compliance. | https://core.serverless.com/api/events/* |

Organizations that restrict outbound traffic from build or deployment hosts should allow these two hostnames (install.serverless.com and core.serverless.com).

The CLI collects minimal telemetry to measure usage for subscription billing. This data uniquely identifies each Service Instance (a deployed serverless.yml in a specific Stage and Region):
| Data Property | Description |
|---|---|
| License Key | Used to attribute usage to the correct organization & subscription. |
| Service Name | The "service" value in the serverless.yml configuration file. |
| Region Name | The AWS region where the application is being deployed. |
| Stage Name | The environment (e.g., "production", "development", "testing"). |
| AWS Account ID | The unique identifier of the AWS account for deployment. |
| AWS CloudFormation Stack ID | The unique identifier of the CloudFormation Stack managed by the CLI. |
We appreciate the security research community and encourage responsible disclosure of any vulnerabilities you discover.
For security vulnerabilities in the source-available Serverless Framework CLI, please report them through GitHub Security Advisories for coordinated disclosure.
Report via GitHub Advisory →

For security issues related to the Serverless Framework Dashboard, APIs, or any Serverless, Inc. hosted services, please contact our security team directly.
Email security@serverless.com

Our security team is available to assist with inquiries, security questionnaires, or compliance documentation requests.