🔒 Enterprise & Security
Security features, WAF, compliance, enterprise capabilities, and pricing model — the knowledge that closes enterprise deals.
Security — WAF, DDoS, Access Control
🛡️ Managed WAF
Filters common OWASP Top 10 attack classes (SQL injection, XSS and other injection patterns), bot attacks and DDoS traffic at the edge. Up to 1,000 custom firewall rules (Enterprise). Caveat for the conversation: a WAF matches request patterns; it does not replace authorization checks, input validation or CSRF tokens inside the application.
🌊 DDoS Mitigation
The edge network absorbs volumetric DDoS automatically. Static assets and edge-cached responses are served without invoking Functions, so a flood against cacheable routes never reaches your compute or your invocation bill. Uncached dynamic routes (API routes, SSR pages) are the ones that still need rate limiting.
🤖 Bot Management
Identify and block automated threats. BotID provides granular bot classification and control.
🔐 Deployment Protection
Password protection for previews, Vercel Authentication (team only), Trusted IP restriction (Enterprise).
🚫 IP Blocking
Up to 1,000 IP blocking rules. Block by individual IP, CIDR ranges, or geographic regions. Treat IP rules as a tactical control: attackers rotate through proxies and residential ranges, so pair them with rate limiting and bot management rather than relying on them alone.
⏱️ Rate Limiting
Configure rate limits per path, IP, or custom criteria. Prevent abuse without blocking legitimate users.
Environment Variable Security
| Variable Type | Scope | Security Note |
|---|---|---|
| NEXT_PUBLIC_* | Browser (inlined at build time) | Shipped in the client bundle and readable by anyone; never put secrets here. Changing the value requires a rebuild. |
| No prefix | Server-only (runtime) | Safe for secrets: readable in Server Components, Route Handlers/API Routes, Middleware and Server Actions. Anything passed to a Client Component as a prop, or otherwise serialized into the page, still reaches the browser. |
| Per-environment | Production / Preview / Development | Set different values per environment in the Vercel dashboard. Give previews their own keys and databases so a preview deployment cannot touch production data. |
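As an added example (not Vercel's or Next.js's own code), the following Node.js script applies the table above to a pulled `.env.local` file: it parses dotenv lines and flags any `NEXT_PUBLIC_`-prefixed variable whose value looks like a credential, because that value will be inlined into the browser bundle. The secret-name and secret-shape patterns, the allow-list for publishable keys, the entropy threshold and the sample file contents are assumptions constructed for this example; none of the values are real keys.

```javascript
// Added example, not Vercel's or Next.js's code: lint a dotenv-style file
// (e.g. the output of `vercel env pull`) for secrets that would be exposed
// through the NEXT_PUBLIC_ prefix. Patterns, thresholds and sample data are
// assumptions constructed for this example.

const PUBLIC_PREFIX = 'NEXT_PUBLIC_';

// Names that almost always hold credentials.
const SECRET_NAME = /(SECRET|TOKEN|PRIVATE|PASSWORD|PASSWD|API_KEY|APIKEY|CREDENTIAL|SERVICE_ROLE)/i;

// Value shapes that are secrets by construction (Stripe secret keys, AWS
// access key IDs, JWT-looking strings). Example allow-list: Stripe publishable
// keys are designed for the client and must not trip the lint.
const SECRET_SHAPE = /^(sk_(live|test)_|AKIA|eyJ[A-Za-z0-9_-]{10,}\.)/;
const PUBLIC_SHAPE = /^pk_(live|test)_/;

// A URL carrying user:password@ in its authority component.
const CREDENTIAL_IN_URL = /\/\/[^/@]*:[^/@]*@/;

// Token-like values: one long run of base64/hex-ish characters.
const TOKEN_CHARS = /^[A-Za-z0-9_\-+/=.]+$/;

// Shannon entropy in bits per character; API keys sit well above 3.5.
function entropy(s) {
  const freq = new Map();
  for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
  let h = 0;
  for (const n of freq.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Minimal dotenv parser: KEY=VALUE, optional single/double quotes, # comments.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) ||
                   (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Returns a reason string when the value looks like a credential, else null.
function secretReason(name, value) {
  if (PUBLIC_SHAPE.test(value)) return null;
  if (CREDENTIAL_IN_URL.test(value)) return 'URL embeds a username and password';
  if (SECRET_NAME.test(name)) return 'variable name indicates a credential';
  if (SECRET_SHAPE.test(value)) return 'value has a known secret-key shape';
  if (TOKEN_CHARS.test(value) && value.length >= 24 && entropy(value) > 3.5) {
    return 'long high-entropy value (likely an API key or token)';
  }
  return null;
}

// Only NEXT_PUBLIC_ variables are reported: server-only variables are
// allowed to hold secrets, that is what they are for.
function auditEnv(text) {
  const findings = [];
  for (const [name, value] of Object.entries(parseDotenv(text))) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue;
    const reason = secretReason(name, value);
    if (reason) findings.push({ name, reason });
  }
  return findings;
}

// Constructed sample .env.local; none of these are real credentials.
const SAMPLE_ENV = `
# constructed sample
NEXT_PUBLIC_APP_URL=https://app.example.com
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_abcdefghijklmnopqrstuvwxyz0123456789
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_test_abcdefghijklmnopqrstuvwxyz0123456789
NEXT_PUBLIC_DATABASE_URL="postgres://app:hunter2@db.internal:5432/app"
DATABASE_URL="postgres://app:hunter2@db.internal:5432/app"
NEXTAUTH_SECRET=d41d8cd98f00b204e9800998ecf8427e
`;

for (const f of auditEnv(SAMPLE_ENV)) console.log(`${f.name}: ${f.reason}`);
```

Run it as a pre-deploy step on the pulled file; the two `NEXT_PUBLIC_` lines that carry a secret key and a database password are reported, while the publishable key and the server-only `DATABASE_URL` pass. The order of checks in `secretReason` matters: credentials embedded in URLs are tested before the name heuristic so that a `..._URL` variable is still caught.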
Compliance
- SOC 2: annual audit of security, availability, and confidentiality controls.
- GDPR / EU data residency: supported; deploy functions in EU regions.
- HIPAA: with a Business Associate Agreement (BAA) on the Enterprise plan.
- PCI DSS: considerations for payment processing workloads.
- SSO / Directory Sync: identity provider integration (Okta, Azure AD, Google Workspace).
Enterprise Features
📊 99.99% SLA
Guaranteed uptime vs Pro (best-effort). Key for regulated industries and enterprise procurement.
🔑 SAML SSO + SCIM
SAML 2.0 for IdP integration (Okta, Azure AD, Google Workspace). SCIM for automated user provisioning/deprovisioning. Directory Sync for group management.
🌍 Multi-Region Compute
Deploy functions to multiple regions simultaneously. Traffic routed to nearest healthy region. With Fluid Compute, AZ and region failover is automatic.
📝 Audit Logs
Team and project actions are logged: deployments, environment variable changes, team member additions, security events. Export them to your SIEM.
🛡️ Custom WAF Rules
Up to 1,000 custom rules: block by country, rate limit by IP per path, block user agents, require headers for API routes.
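The IP blocking, rate limiting and custom WAF rule cards above all describe one mechanism: an ordered list of rules, each with AND-ed conditions and an action. The following is an added example, not Vercel's firewall syntax or API, of a small rule engine with those semantics (first matching rule wins; a rate-limit rule only denies once its window is exhausted), so that a team can unit-test the intent of a rule set before transcribing it into the dashboard. The rule set, the IP ranges (RFC 5737 documentation ranges), the country codes and the requests are constructed sample data.

```javascript
// Added example, not Vercel's firewall syntax or API: an ordered WAF-style
// rule engine. Conditions inside a rule are AND-ed, rules are checked in
// order and the first decisive one wins. Rules and requests are constructed.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when ip falls inside cidr ("203.0.113.0/24"); a bare IP means /32.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Fixed-window counter keyed by (rule, ip, path). Cheap, but two full bursts
// can straddle a window boundary; production limiters use sliding windows.
class FixedWindowLimiter {
  constructor() { this.buckets = new Map(); }
  hit(key, limit, now) {
    const windowStart = Math.floor(now / limit.windowMs) * limit.windowMs;
    const b = this.buckets.get(key);
    if (!b || b.windowStart !== windowStart) {
      this.buckets.set(key, { windowStart, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit.requests;
  }
}

function matches(rule, req) {
  const w = rule.when;
  if (w.country && !w.country.includes(req.country)) return false;
  if (w.ip && !w.ip.some(c => inCidr(req.ip, c))) return false;
  if (w.userAgent && !w.userAgent.test(req.headers['user-agent'] || '')) return false;
  if (w.path && !w.path.test(req.path)) return false;
  if (w.missingHeader && req.headers[w.missingHeader.toLowerCase()] !== undefined) return false;
  return true;
}

// Walks the rules in order and returns the first decisive action.
function evaluate(req, rules, limiter, now) {
  for (const rule of rules) {
    if (!matches(rule, req)) continue;
    if (rule.action === 'rateLimit') {
      const key = `${rule.name}|${req.ip}|${req.path}`;
      if (limiter.hit(key, rule.limit, now)) continue; // under the limit: keep evaluating
      return { action: 'deny', rule: rule.name, status: 429 };
    }
    return { action: rule.action, rule: rule.name, status: rule.action === 'deny' ? 403 : 200 };
  }
  return { action: 'allow', rule: null, status: 200 };
}

// Constructed rule set; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
const RULES = [
  { name: 'block-sanctioned-geo', action: 'deny', when: { country: ['KP', 'IR'] } },
  { name: 'allow-office', action: 'allow', when: { ip: ['203.0.113.0/24'] } },
  { name: 'block-scanners', action: 'deny', when: { userAgent: /sqlmap|nikto|masscan/i } },
  { name: 'api-needs-key', action: 'deny', when: { path: /^\/api\//, missingHeader: 'x-api-key' } },
  { name: 'login-rate-limit', action: 'rateLimit', when: { path: /^\/api\/login$/ },
    limit: { requests: 5, windowMs: 60_000 } },
];

// Header names are case-insensitive, so normalise them once.
function request(ip, country, path, headers = {}) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return { ip, country, path, headers: lower };
}

// Scenarios covering rule ordering, the required-header rule and the limiter.
function demo() {
  const limiter = new FixedWindowLimiter();
  const t0 = 1_700_000_000_000;
  const browser = { 'User-Agent': 'Mozilla/5.0' };
  const keyed = { ...browser, 'X-Api-Key': 'k' };
  const loginStatuses = [];
  for (let i = 0; i < 6; i++) {
    loginStatuses.push(evaluate(request('198.51.100.7', 'US', '/api/login', keyed), RULES, limiter, t0 + i * 1000).status);
  }
  loginStatuses.push(evaluate(request('198.51.100.7', 'US', '/api/login', keyed), RULES, limiter, t0 + 60_000).status);
  return {
    office: evaluate(request('203.0.113.10', 'DE', '/api/data', { 'User-Agent': 'sqlmap/1.7' }), RULES, limiter, t0),
    geo: evaluate(request('203.0.113.10', 'KP', '/', browser), RULES, limiter, t0),
    scanner: evaluate(request('198.51.100.7', 'US', '/', { 'User-Agent': 'Nikto/2.1' }), RULES, limiter, t0),
    noKey: evaluate(request('198.51.100.7', 'US', '/api/data', browser), RULES, limiter, t0),
    withKey: evaluate(request('198.51.100.7', 'US', '/api/data', keyed), RULES, limiter, t0),
    loginStatuses,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the scenarios make visible that a dashboard form does not: the `allow-office` rule placed above `block-scanners` means a scanner run from the office range is never blocked (ordering is a security decision, not cosmetics), and the fixed-window limiter admits a sixth login attempt the moment a new minute starts, which is the reason to prefer sliding windows for credential-stuffing defence.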
📤 Log Drains
Stream all logs to: Datadog, New Relic, Axiom, Azure Monitor, Splunk, Elastic.
🏰 Secure Compute
Isolated compute with private backend connectivity. Functions run in dedicated infrastructure for sensitive workloads.
🔒 Deployment Protection
Trusted IPs restricting access. Password-protected previews. Vercel Authentication for team-only access.
Pricing Model — In Depth
Hobby
Free
Personal, non-commercial only
- 60s function max
- 100GB bandwidth/mo
- 1M Edge Requests/mo
- Commercial use prohibited
Pro
$20/user/mo
Professional developers, commercial projects
- $20 monthly usage credit
- 1TB bandwidth/mo
- 300s functions (Fluid)
- Spend management
Enterprise
Custom (~$20-25k/yr min)
Teams needing SSO, SLA, WAF, compliance
- 99.99% SLA
- SAML SSO + SCIM
- Managed WAF
- Multi-region compute
⚠️ What Triggers Cost Growth
- Edge requests: every CDN request counts, even static assets. High-traffic sites with many assets accumulate quickly.
- Function CPU: CPU-intensive tasks (image processing, computation) accumulate fast. I/O-bound workloads are cheap with Fluid.
- Bandwidth: large assets (images, video) served through the Vercel CDN. Guide customers to CDN-optimised media services (Cloudinary, Mux).
- ISR revalidation: each revalidation invokes a function, so short revalidation windows on high-traffic sites mean significant invocations.
- AI streaming: long LLM responses stream for 10–60s. With Fluid you are billed for active CPU time rather than the whole wall-clock wait on the model; without Fluid, each streamed response holds a function for its full duration and the cost per AI request is high.