Resilience and Security

We designed DistilledODN with security and resilience as a top priority from the outset. The system is engineered to be fast, robust, resilient and secure.

The FAQ section of the deck also contains some technical details and is designed to be shared with engineering and operations teams.


DistilledODN operates in 7 AWS regions: three in the US, two in the EU, and one each in Tokyo and Singapore.

DistilledODN is designed with multiple levels of resilience and failover in place. In each AWS region, traffic is load balanced across an auto-scaling group of servers. At times of high load, new servers are automatically provisioned to maintain a set level of spare capacity in the platform. Each server can fall back to acting as a transparent proxy in the event of an application error.

By default we configure the system to route around the ODN entirely in the unlikely case of catastrophic failure or complete outage of AWS across multiple availability zones and regions. This can happen almost instantly via Amazon’s Route53 service as well as at the CDN level for sustained outages. Under any of these circumstances your site stays up and available but without the ODN enhancements and tests.
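The DNS-level "route around the ODN" behaviour described above can be expressed as a Route53 failover record pair: the primary answer points at the ODN edge and is tied to a health check, and the secondary answer points straight at the customer's origin. The Terraform below is an added illustration, not DistilledODN's own configuration; the hostnames, the `/healthz` path, the threshold and interval values, and the `zone_id` variable are all placeholders chosen for the example.

```hcl
# Added example (not DistilledODN's own configuration): a Route53 failover
# pair that serves a site through the ODN edge while its health check passes
# and routes straight to the customer's origin when it fails.
# All hostnames, paths and thresholds below are placeholders.

resource "aws_route53_health_check" "odn_edge" {
  fqdn              = "edge.odn.example.com"   # placeholder ODN edge hostname
  port              = 443
  type              = "HTTPS"
  resource_path     = "/healthz"               # placeholder health endpoint
  failure_threshold = 3                        # consecutive failures before "unhealthy"
  request_interval  = 10                       # seconds between checks
}

# PRIMARY: answered only while the ODN edge health check is passing.
resource "aws_route53_record" "site_primary" {
  zone_id         = var.zone_id
  name            = "www.customer.example.com"
  type            = "CNAME"
  ttl             = 60                          # short TTL so resolvers pick up the switch quickly
  set_identifier  = "odn-primary"
  health_check_id = aws_route53_health_check.odn_edge.id
  records         = ["edge.odn.example.com"]

  failover_routing_policy {
    type = "PRIMARY"
  }
}

# SECONDARY: returned only when the primary is unhealthy; points at the origin,
# so the site stays up without ODN enhancements or tests.
resource "aws_route53_record" "site_secondary" {
  zone_id        = var.zone_id
  name           = "www.customer.example.com"
  type           = "CNAME"
  ttl            = 60
  set_identifier = "origin-fallback"
  records        = ["origin.customer.example.com"]

  failover_routing_policy {
    type = "SECONDARY"
  }
}

variable "zone_id" {
  description = "Route53 hosted zone for customer.example.com (placeholder)"
  type        = string
}
```

Two points worth checking in any real deployment of this pattern: the secondary record carries no health check, so Route53 treats it as always healthy and will return the origin answer whenever the primary check fails; and the health endpoint must reflect the state of the whole proxy path (not just that a listener is open), otherwise an application-tier error that the edge masks by falling back to a transparent proxy will never trip the DNS switch, which is the intended behaviour here but should be a deliberate choice rather than an accident.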

Each of our 7 AWS regions has redundancy and can handle millions of requests per minute. Currently, we handle billions of page views per month.


DistilledODN is a mission-critical platform, and demands a high level of security. We approach security both at a user level and at a systems level. In particular:

  • All user accounts are protected with two-factor authentication via Authy
  • User permissions can grant different powers to different team members - such as restricting the ability to publish changes to the preview or live environments for certain users
  • Our systems are hosted on AWS and employ strict security policies and best practices taking advantage of AWS security features
  • If your site’s connection to us is secure (HTTPS), then all connections between servers and to the origin will be secured end-to-end using TLS
  • We do not store PII (personally identifiable information) about your website visitors; we simply pass the information through to your servers
  • We are fully PCI compliant and can provide our Attestation of Compliance (AoC) upon request

We work with a third-party penetration testing company, Context. We can provide the most recent report on request.

Bug Bounty

Please note our bug bounty program applies only to DistilledODN properties, not to other Distilled properties. is out of scope.

We encourage responsible disclosure of security vulnerabilities via our bug bounty program. You can contact us at to report a security vulnerability.

Responsible disclosure means:

  • Providing us a reasonable amount of time to fix the issue before disclosing publicly
  • Making a good faith effort not to cause harm to Distilled systems or user data
  • Not affecting Distilled customers’ access to ODN or their website uptime or performance in the process of discovery

In order to encourage responsible disclosure, we will not bring legal action against researchers who point out a problem provided they have followed these guidelines.


The minimum payout is $100 and Distilled branded swag for reporting a new security vulnerability which results in us making a code or configuration change. We will use our discretion to reward researchers appropriately - biasing towards higher rewards for reports that affect the integrity or uptime of our customers’ websites.

Please note that we are a small team, and so for lower priority issues it may take time for us to decide on a course of action and for us to get back to you about any bounty. Please be mindful of this -- emailing us frequently only adds to our workload and slows down the process.


All services comprising DistilledODN are eligible, including this website (but not other Distilled sites or sub-domains, such as ), the management app, and the proxy service itself. Distilled services and properties not relating to DistilledODN are excluded.

You must present a working proof of concept, and a valid attack scenario to be eligible for any sort of reward.

The following would not meet the threshold for consideration:

  • Distributed Denial of Service (DDoS)
  • Email deliverability issues (SPF, DKIM, DMARC etc.)
  • Social engineering attacks against Distilled employees or contractors, or against our customers
  • Reports from automated tools or scans without an accompanying demonstration of exploitability

Get a demo

If you're interested in a short demo, please fill in this form and one of the ODN team will ping you an email.

Alternatively, if you have any other questions, feel free to drop us a line at or check out our FAQ page and deck.