Governance, Security, and Backups

How are backups performed? What is the backup frequency?

Structural information (metadata) is backed up daily via a snapshot for all plans starting from Standard. The content databases support point-in-time recovery (PiTR), which allows you to restore a database to the state it was in at any given point in time.

Data can also be exported with the GraphCMS Import/Export feature and backed-up manually at any time.

Enterprise plans can also have nightly and offsite backups.

Offsite backups

Nightly copies of your content can be sent to your own Amazon S3 buckets. Available in the GraphCMS enterprise plans.

What are the possible API permission levels?

You can set the access rights to your API to either Read, Write, Open, or Protected.

Are audit logs available in GraphCMS?

Internal audit logs allow you to monitor any content schema changes. Advanced audit logs are coming soon.

What Service Level Agreements do you offer?

GraphCMS offers enterprise-grade service level agreements for availability and support. We offer service uptime guarantees of up to 99.9% uptime. Our support response time can be as low as one hour for critical issues. Reach out to our sales team for details.

What infrastructure options does GraphCMS provide?

Your project will either be hosted on a shared server, or you will be provided with your own dedicated server infrastructure within one of the data-centres we work with.

Data limiting via token filters

Token filters allow you to limit the data your API returns. Currently, you can limit selected fields by status (Published, Draft, Archived). In the next version, you will also be able to filter by field values of types such as String, for instance a token that returns only fields and data where author is “Sheldon”. A client using that token will only receive fields that have author “Sheldon” and will not be able to access other fields.

What are System Tokens?

System tokens can carry different grants and are meant for internal tools, e.g. scripts that periodically dump data into GraphCMS, a connection to a legacy CMS, or a one-time import/export of large amounts of data.

Do you provide a reversibility plan for users' data?

Using a headless CMS means having a content exit strategy in place at all times. As any content can be fetched via the API in a JSON format, you can pull out your data at any time. There is no vendor lock-in with GraphCMS. GraphCMS also provides several content backup options.

Is it possible to connect GraphCMS to an organization's single sign-on (SSO) provider?

Yes, our user authentication system, Auth0, is able to handle this. Auth0 supports the main industry standards such as SAML, WS-Fed, and OAuth 2.0 (OpenID Connect is based on OAuth 2.0), so you can hook in any third-party application that you need.

For AWS Cognito (which can be used to restrict access in a user’s AWS site pages), can this be used to restrict access to specific GraphCMS collections?

This can be used to restrict access to specific content delivered from GraphCMS. It is a simple “binary” wall: the auth provider (Cognito or something else) would create a read token, or a proxy with read capabilities, for your authorized users.

How are my GraphCMS API endpoints secured?

All endpoints of your projects have an SSL certificate.

How can I restrict the access to my content?

You can set your endpoint permissions scope from Public to Protected, Read-only or Write-only (Mutations) in your Project Settings. Using a permanent auth token – also generated in your Settings – allows you to only authorize a specific client to access your Project.
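The token filters and per-client auth tokens described above can be modelled as two checks: first the token's grant (query vs. mutation) decides whether the request runs at all, then the token's status and field filters decide which rows the client is allowed to see. The following is an added example of that model written for this page; it is not GraphCMS code, and the `Token` shape, the `grants` names and the sample content are assumptions for illustration.

```python
"""Model of token-scoped access: a token carries the operations it grants and
filters that narrow what it can see. Constructed example, not GraphCMS code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed sample content, shaped like a CMS query result (not real data)
CONTENT = [
    {"id": "p1", "title": "Launch notes", "author": "Sheldon", "status": "Published"},
    {"id": "p2", "title": "Roadmap draft", "author": "Sheldon", "status": "Draft"},
    {"id": "p3", "title": "Old press kit", "author": "Amy", "status": "Archived"},
]


@dataclass
class Token:
    # Operation types this token may run: "query" (read) and/or "mutation" (write)
    grants: FrozenSet[str]
    # Status filter (Published/Draft/Archived); None means no status limit
    statuses: Optional[FrozenSet[str]] = None
    # Field-value filters, e.g. {"author": "Sheldon"}; empty means no field limit
    fields: Dict[str, str] = field(default_factory=dict)


def check_grant(token: Token, operation: str) -> None:
    """Reject the request before any data is touched if the grant is missing."""
    if operation not in token.grants:
        raise PermissionError(f"token does not grant {operation}")


def apply_filters(token: Token, rows: List[dict]) -> List[dict]:
    """Keep only rows the token may see. Rows outside the filter are dropped,
    not redacted, so the client cannot infer that hidden rows exist."""
    visible = []
    for row in rows:
        if token.statuses is not None and row["status"] not in token.statuses:
            continue
        if any(row.get(key) != value for key, value in token.fields.items()):
            continue
        visible.append(row)
    return visible


def run_request(token: Token, operation: str, rows: List[dict] = CONTENT) -> List[dict]:
    """Grant check first, then data limiting; returns the rows the client gets."""
    check_grant(token, operation)
    return apply_filters(token, rows)


if __name__ == "__main__":
    public_read = Token(grants=frozenset({"query"}), statuses=frozenset({"Published"}))
    print([row["id"] for row in run_request(public_read, "query")])  # ['p1']
```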