Network & Infrastructure Security
Frappe Cloud's infrastructure security is built on multiple layers, from DDoS mitigation at the edge to encrypted backups, firewall rules, and regular third-party vulnerability assessments. This page documents the controls in place for deployments running on Frappe Cloud.
| Control | Detail |
|---|---|
| DDoS Protection | AWS Shield Standard + OCI DDoS mitigation on Frappe Cloud infrastructure |
| VAPT | Available to enterprise clients upon request; requires signing an NDA before report access |
| Geo-blocking | Configurable at NGINX/application layer |
| Firewall | VPC security groups restrict inbound traffic; only ports 80/443 exposed publicly |
| Backup | Daily automated backups to S3; Frappe Cloud offers support-assisted restore |
| Patch Management | Frappe Cloud patches OS and framework dependencies; self-hosted deployments require manual update cadence |
Deployment-Specific Considerations
| Hosting Mode | Security Responsibility |
|---|---|
| Frappe Cloud (managed) | Frappe handles OS patches, firewall, DDoS, backups, SSL |
| Self-hosted VPS | Customer responsible for OS hardening, firewall rules, SSL renewal, patch management |
| On-premise | Full responsibility on customer IT team; Hybrowlabs can advise on a hardening checklist |
For self-hosted deployments, Hybrowlabs recommends following the Frappe Bench hardening guide and scheduling regular OS and app-level updates via `bench update`.