Cloud Storage Built for Data Security

Server-side encryption (SSE) protects your data by encrypting it before it is stored on disk to B2 Cloud Storage. Backblaze offers two options for SSE: Server-Side Encryption with Backblaze Managed Keys (SSE-B2) or Server-Side Encryption with Customer Managed Keys (SSE-C). Both options use an extensively tested and widely trusted block cipher with 256-bit Advanced Encryption Standard (AES-256) to encrypt the data at rest.

Object Lock uses a write once, read many (WORM) model to prevent files from being deleted during a customer-determined retention period, providing immutable ransomware protection to protect data from modification, manipulation, or deletion. Object Lock protection means no one can edit or delete your files. Object Lock Legal Hold offers the same immutability when the time horizon is unknown or timing flexibility is needed.

Backblaze supports automatic replication of data from one bucket to another per rules you set. This can help you achieve your data availability and/or redundancy requirements, with data safely stored to multiple regions in the event should you experience ransomware attacks, employee errors, or cyber attacks. Quickly set rules to automatically copy data across the country or around the world. This helps ensure that data is always available and up-to-date.

Backblaze B2 supports the standard CORS mechanism to allow customers to share the content of their buckets with web pages hosted outside of Backblaze B2. With CORS, before making a non-simple cross-origin request, a browser makes a "preflight" request to ask the server if it's okay to make the cross-origin request. By default, the Backblaze B2 servers will say "no" to preflight requests. Adding CORS rules to your bucket tells Backblaze B2 which preflight requests to approve.

Control and maintain usage and access monitoring to all accounts with fine-grained API key control. Flexible access control settings for account authentication/ verification prior to accessing data including single sign-on via G Workspace or Office 365 and two-factor verification for all users. All data in Backblaze cloud storage—buckets, objects, and related subresources—are private and can only be accessed after account authentication.

Backblaze B2 Bucket Access Logs provide detailed visibility into actions performed on objects within your storage buckets, helping you monitor access, detect unauthorized activity, and support compliance audits. Logs are stored in a designated B2 Cloud Storage bucket, allowing you to apply lifecycle rules and event notifications for automated management. With industry-standard formatting, logs integrate seamlessly with security monitoring tools, enabling proactive troubleshooting and security analysis​.

Backblaze, and our data centers, have received SOC 2 Type 2 certification by an independent third-party auditing firm which affirms that our cloud storage platform, policies, and procedures follow best practices in securing customer data and account information. Eligible customers and prospects can contact Backblaze Sales to request a copy of the SOC 2 Type 2 report.

Our purpose built architecture—based on the Backblaze Storage Pod—is designed from the ground up to keep your data safe and secure. Backblaze Vaults and Backblaze Reed-Solomon Encoding create a durable-by-design system so you can trust that your data is safe. Additionally, our architecture provides enterprise-grade security with 11 nines durability.

Our physical facilities have best-in-class security features—such as biometric security, photo-ID checks, staffed 24/7/365, and area locks—to keep your data safe. Our data centers have BAAs for covered entities (HIPAA) to assist with compliance compatibility. Additionally, our US East Region is HIPAA/HITECH compliant as well as third-party NIST 800-53 attested.

Data is encrypted on your computer—during transmission and while stored. Block unauthorized users from accessing your data by using a Personal Encryption Key (PEK) or use a 2048-bit public/private key to secure a symmetric AES-128 key. Data is transferred via HTTPS. Enhance your protection with two-factor verification via a TOTP (Time-based One Time Password).