Security

Mapbox is critical infrastructure for our customers. We go to great lengths to protect the security of your account, your data, and your users. Learn how to report a security concern.

Account security

We serve our website exclusively via HTTPS, and serve all our APIs over HTTPS by default. We offer two-factor authentication for logins to help you protect your account, and we let you create multiple customizable access tokens for granular control over access to your account resources.

Physical security

Our infrastructure runs inside data centers designed and operated by Amazon Web Services (AWS). AWS data centers feature state of the art environmental security controls to safeguard against fires, power loss, and adverse weather conditions. Physical access to these facilities is highly restricted and they are monitored by professional security personnel. Our offices are equipped with access control, intrusion detection, and video surveillance systems.

Software security

Our systems run the latest stable versions of Ubuntu or Amazon Linux and our applications run on the latest stable version of Node.js. We monitor documented threats from public security research databases (such as the Common Vulnerabilities and Exposures catalog), and we run automated vulnerability scanners, including retire.js and nsp, at regular intervals and before each deploy. Our developers receive training for secure software development, including Open Web Application Security Project guidelines. All major code changes are subject to a multi-point code review with specific attention paid to security.

DDoS mitigation

Maps and location can be politically charged subjects. We maintain firewalls on our edge servers and origin load balancers to protect against bandwidth and protocol-based attacks, and we use intelligent web application firewalls and elastic scaling of our compute capacity to mitigate attacks at the application layer, including complex and evolving attacks.

Data security

All customer data is stored with at least dual redundancy and we've designed our storage solution for 99.999999999% long term durability. Mapbox Enterprise accounts come with built-in AES256 encryption-at-rest. We store and secure Mobile Telemetry in a dedicated pipeline.

Private maps

From raster imagery from a drone to GPS traces from a fleet of vehicles, data uploaded by Premium and Enterprise users can be secured with private maps. New maps are private by default and existing maps can be made private with a single click. Access tokens provide a powerful way to control permissions: in our management interface, users can create, revoke, and monitor the usage of resources based on tokens.

Employee access

Mapbox team access is controlled by a carefully managed and audited security policy. Employees must revalidate their credentials every 12 hours using two-factor authentication. All team members sign non-disclosure agreements to protect your data. All employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks.

Logging

We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage. We implement measures to detect and prevent log tampering or interruptions.

Payment processing

We process payments with Stripe, which has been audited by a Payment Card Industry Standard-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of PCI DSS certification available. Payment information is transmitted directly to Stripe via HTTPS for secure storage and is never transmitted to or stored on Mapbox servers.

Regular audits

We conduct regular internal security audits and work with external auditors to review our hardware, software, and physical security configurations. Our security vulnerability program rewards users and security researchers who find issues with our software and web services. If we discover a vulnerability, we follow a formal incident response framework to ensure rapid mitigation and transparent customer communication.

Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.