DigitalOcean Law Enforcement Data Request: Police & Government Guide
How police, prosecutors and cybercrime investigators can obtain subscriber records, server content and logs from DigitalOcean, covering abuse reports, preservation, subpoenas, court orders, search warrants, emergency disclosure and the request portal.
This guide offers general, practical guidance for law enforcement officers, prosecutors and cybercrime investigators who need data from DigitalOcean, a US-based cloud hosting provider. It is not legal advice. Every request described here assumes you are acting under proper legal authority in your jurisdiction, and that you will follow the laws and procedures that govern compelled disclosure where you operate. DigitalOcean publishes its own Law Enforcement Guidelines and operates a Trust Platform; this article summarises that public material and explains how to put it to work, but the provider's current published terms always control.
- Unlike a reverse proxy or CDN, DigitalOcean is frequently the actual host, so it can hold real server content, droplet snapshots and storage data, not just metadata.
- Formal legal process is submitted through DigitalOcean's Law Enforcement Request Portal on Kodex; abuse complaints go separately to [email protected].
- Disclosure is tiered under US law: a subpoena yields subscriber and billing data, an ECPA court order yields logs, and a search warrant is required for content.
- DigitalOcean offers preservation for up to 90 days, renewable once, and provides customer notice (typically a 7-day objection window) unless legally barred.
- It is US-based, so foreign authorities generally need an MLAT, a US court order, or a qualifying cross-border order to compel content.
What DigitalOcean holds
DigitalOcean sells infrastructure-as-a-service: Droplets (virtual machines), Spaces (object storage), App Platform, managed databases and snapshots. Because it actually runs the underlying servers, the data it can hold goes well beyond what a front-end proxy can offer. The realistic categories are:
- Account and registration data: the customer's first and last name, email address, phone number, physical address and the date/time-stamped IP address from which the account or resource was created.
- Billing and payment data: transaction records tied to processors such as PayPal or Stripe, which can be a strong link to a real identity.
- Server content and snapshots: the contents of a customer's Droplet, object storage and backups or snapshots. This is content data and carries the highest legal threshold.
- Access and authentication logs: security and access logs that can reveal a user's activity and movements over a period of time, plus account or resource settings.
- IP assignments: which customer was assigned a given IP address at a specific date, time and time zone.
Abuse reports vs legal process
There are two distinct channels, and choosing the right one matters.
- Abuse reports go to [email protected] (or the web form at digitalocean.com/company/contact). Use this to report phishing, malware command-and-control, fraud sites, botnet nodes or other Acceptable Use Policy violations hosted on DigitalOcean. Include the IP address, URLs, timestamps with time zone, and supporting logs. This route can get a malicious site or Droplet taken down, but it will not hand you subscriber data.
- Legal process is how you obtain customer records, logs or content. It must be submitted through DigitalOcean's Law Enforcement Request Portal, hosted on Kodex, where you create a verified law enforcement account.
Many abusive operations sit on cheap cloud VMs precisely because they are quick to spin up and discard, which makes DigitalOcean a common target for both takedown and data. Filing an abuse report and serving legal process are not mutually exclusive; investigators often do both.
Legal process and thresholds
DigitalOcean is governed by the US Electronic Communications Privacy Act (ECPA / Stored Communications Act), which sets a tiered structure: the more sensitive the data, the higher the legal standard. Except in emergencies, DigitalOcean discloses protected information only on valid process.
| Data type / request | What it yields | Typical legal threshold |
|---|---|---|
| Preservation request | Freezes existing account and/or content data offline so it is not lost; no disclosure | Official law enforcement request (no court order needed to preserve) |
| Subpoena | Basic subscriber and registration data: name, email, phone, address, creation IP with timestamp, payment/transaction info | Valid subpoena |
| ECPA court order | Access and security logs, account/resource settings, activity over time (non-content records) | 18 U.S.C. 2703(d) court order |
| Search warrant | Content: Droplet/VM contents, object storage, snapshots, customer-support communications | Search warrant on probable cause |
| Emergency disclosure | Information needed to prevent imminent death or serious physical harm | Emergency request via the LE portal |
Preservation vs production
A preservation request asks DigitalOcean to copy and securely store subscriber and/or content data in anticipation of future legal process. It is not a demand to produce anything. On a valid preservation request, DigitalOcean preserves the available account information in an offline file for up to 90 days, and will extend it for one additional 90-day period on a renewed request. Use preservation as your first move the moment you identify a relevant IP or account, then build and serve the appropriate subpoena, order or warrant to actually obtain the data.
Emergency disclosure
When there is an imminent threat of death or serious physical harm to an identifiable victim, DigitalOcean may disclose user information without a subpoena or warrant. These emergency requests are made through the Law Enforcement Request Portal and should clearly explain the nature of the emergency, the specific harm, why the data is needed without delay, and the narrow information sought. Emergency disclosure is for genuine exigencies, not a shortcut around routine process.
Foreign law enforcement and MLAT
DigitalOcean is a US company, so US law applies to compelled disclosure. Authorities outside the United States generally cannot directly compel content. The recognised routes are a US court order, a request made through an applicable mutual legal assistance treaty (MLAT), or an order from a foreign government that qualifies under a cross-border framework such as 18 U.S.C. 2523 (for example a CLOUD Act executive agreement). MLAT can be slow, so foreign investigators should send a preservation request early to keep the data alive while the formal channel runs. Some non-content basic-subscriber requests may be handled more readily, but content almost always requires the formal US-recognised path.
The practical workflow
- Attribute the target. Establish the IP address of the abusive Droplet, site or storage endpoint and confirm via WHOIS / RDAP that the IP falls within DigitalOcean's range. Record the date, time and time zone of the activity.
- Preserve immediately. Submit a preservation request through the Kodex Law Enforcement Request Portal so server content, snapshots and logs are not destroyed before your process lands.
- File an abuse report if takedown is needed. For live harm, send the IP, URLs, timestamps and logs to [email protected] in parallel.
- Match the legal instrument to the data. Subpoena for subscriber/billing, 2703(d) order for logs, search warrant for content. Keep each request narrow and tied to the preserved IP and date range.
- Serve via the portal. Submit through your verified Kodex account, the channel DigitalOcean uses to receive and respond to legal process.
- Plan for customer notice. Assume the customer will be told unless you obtain a non-disclosure order; build that into your timeline (see FAQ).
- Corroborate. Treat returned account and payment data as a lead and confirm identity independently before acting on it.
Frequently asked questions
Will DigitalOcean tell the customer about my request? Yes, by default. DigitalOcean notifies affected account owners by emailing their verified address and provides a copy of the legal process, and in most cases the user is given 7 calendar days to file an objection with the court. To prevent notice, you need a court-issued non-disclosure or sealing order served with your request.
Can DigitalOcean really give me the contents of a server? Yes, where it holds them. Because DigitalOcean hosts the actual VMs and storage, a valid search warrant can compel the contents of a customer's Droplet, snapshots and object storage. This is a key difference from a proxy or CDN, which typically holds only metadata and logs.
What if the customer used another provider behind DigitalOcean, or vice versa? Follow the infrastructure. If a site uses a CDN in front of a DigitalOcean Droplet, you may need the CDN to reveal the origin IP, then serve DigitalOcean for the host data. Conversely, attribution may chain onward to a payment processor or a separately operated service.
How long does DigitalOcean keep logs? DigitalOcean does not publish a fixed universal retention period for all data, and logs can roll over. Do not assume data will still exist; send a preservation request as soon as you have an IP and date range.
Related guides
- Cloud evidence: getting data from AWS, Azure and Google Cloud
- Cloudflare law enforcement data request: police and government guide
- IP and domain attribution: turning an address into a suspect
For the full directory of platform law-enforcement request portals, see our LERS portal hub.