Vercel alternatives after the April 2026 security incident: what to evaluate

22 April 2026

Key takeaway: The April 2026 Vercel incident is a reasonable prompt to revisit four structural properties of your platform: where the audit trail for infrastructure lives, whether preview environments include the data layer, how compliance scope is composed across the whole application, and how portable the deployment is across clouds. These are the questions worth answering whether you stay on Vercel or move.

TL;DR

What happened: A third-party integration connected to an employee's Google Workspace was compromised, and the access escalated into internal Vercel systems. Per Vercel's published bulletin, customer impact was limited, and Vercel has engaged incident response experts and notified law enforcement. Vercel's response has been direct and professional, and any platform can face an incident of this kind.

What the incident surfaces: Every shared multi-tenant SaaS platform, Upsun included, has a supply chain somewhere in its architecture. The question worth asking after an incident isn't whether Vercel is insecure. It's where each platform draws its boundaries, and how much of the application's operational state a customer can see and audit from inside their own systems.

The four questions worth bringing into an evaluation:

  1. Where does the audit trail for infrastructure change live?
  2. Do preview environments include the data layer, or only the code?
  3. What is in scope for the platform's compliance certifications, and what is adjacent?
  4. How portable is the deployment across clouds?

Upsun's answers to these four are structural properties of the platform rather than features layered on top. The rest of this article walks through each.

1. Where does the audit trail for infrastructure change live?

Vercel configures infrastructure primarily through the dashboard: routes, rewrites, function settings, region selection, environment variables, and marketplace integrations. The record of who changed what and when is kept in Vercel's own logs, accessed through Vercel's admin surface.

On Upsun, infrastructure is defined in a .upsun/config.yaml file in the customer's own Git repository. Routes, service definitions, workers, cron jobs, firewall rules, service relationships, and resource allocations are declared in code. Every change is a commit, reviewed through the customer's pull-request process, visible in the customer's git log.

What that changes, in the context of a supply-chain incident: the audit trail for infrastructure change is visible from inside the customer's own systems, not only from inside the vendor's.
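A sketch of reading that audit trail from the customer's side, as an added example that is not Upsun's or Vercel's own tooling. It uses only standard git commands; the demo repository, its commit history and the e-mail identities are constructed, and the allow-list check is an assumption about how a team might review changes.

```shell
#!/bin/sh
# Added example: read the infrastructure audit trail from the customer's own Git history.
CONFIG_PATH=".upsun/config.yaml"   # path named in the article

# One line per commit that touched the config:
# short hash|author e-mail|committer e-mail|ISO date|signature status (%G?: G good, N none)|subject
config_audit_trail() {
  git -C "$1" log --follow --format='%h|%ae|%ce|%aI|%G?|%s' -- "$CONFIG_PATH"
}

# Print config changes whose author is not in the space-separated allow-list $2.
unexpected_config_changes() {
  allowed=" $2 "
  config_audit_trail "$1" | while IFS='|' read -r hash author committer date sig subject; do
    case "$allowed" in
      *" $author "*) ;;                                   # expected identity
      *) printf '%s %s %s\n' "$hash" "$author" "$subject" ;;
    esac
  done
}

# Build a throwaway repository with constructed history (hypothetical identities).
make_demo_repo() {
  demo="$(mktemp -d)"
  git -C "$demo" init -q
  mkdir -p "$demo/.upsun"
  commit_as() {   # commit_as <author e-mail> <message>
    git -C "$demo" add -A
    git -C "$demo" -c user.name=demo -c user.email="$1" -c commit.gpgsign=false \
      commit -q -m "$2"
  }
  echo '# constructed placeholder, revision 1' > "$demo/$CONFIG_PATH"
  commit_as alice@example.com 'Add infrastructure definition'
  echo 'docs' > "$demo/README.md"
  commit_as bob@example.com 'Docs only, config untouched'
  echo '# constructed placeholder, revision 2' > "$demo/$CONFIG_PATH"
  commit_as contractor@example.com 'Change infrastructure definition'
  echo "$demo"
}

if [ "${1:-}" = "demo" ]; then
  repo="$(make_demo_repo)"
  config_audit_trail "$repo"
  unexpected_config_changes "$repo" "alice@example.com"
fi
```

Run with the argument `demo` to see both outputs; the docs-only commit does not appear because it never touched the config file.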

Environment variables work similarly on both platforms: values set via CLI or Console, with an opt-in sensitive flag that hides them from UI and CLI output. The difference is one layer up, in the infrastructure that consumes those secrets, not in the secrets themselves.

2. Do preview environments include the data layer?

Vercel's Preview Deployments give every branch a URL and a build. For changes that live in the frontend, that's enough to ship confidently. Backing services (databases, queues, object stores) typically come from Vercel Marketplace partners such as Neon, Supabase, or Upstash, configured per project, pointing at shared staging data or per-branch data via the partner's branching features.

Upsun's environment cloning provisions a byte-for-byte replica of production on every Git branch: code, services, and data. Reviewers look at the application running against a complete, isolated copy of production's actual state, typically in around a minute. Sanitization hooks defined in YAML strip PII on clone, so reviewers work with realistic-shaped data without touching sensitive records.

What that changes, in the context of verifying an application during or after an incident: engineers can inspect the shape of production state in an isolated environment, run credential rotations or integration changes against that state, and verify the result before touching live.

3. What is in scope for the platform's compliance certifications?

Vercel is SOC 2 Type 2 certified and offers HIPAA Business Associate Agreements on Pro and Enterprise plans. The scope covers the part of the stack Vercel operates.

For full-stack applications on Vercel, stateful services (databases, queues, object storage) are typically provided by marketplace partners. Those partners carry their own certifications, their own scope statements, and their own BAAs. A customer's compliance posture for the whole application is composed across Vercel's scope plus each marketplace partner's, joined at the seams the customer built.

Upsun's SOC 2 Type 2 and ISO 27001 certifications, with PCI DSS and HIPAA options, cover the entire platform: compute, databases, queues, object storage, workers, crons, and the pipelines that deploy them. The compliance scope statement and the application architecture diagram are the same document.

For teams in healthcare, financial services, government, or any B2B context where compliance is part of the procurement conversation, a single-platform scope is materially simpler to defend than a composed one.

4. How portable is the deployment across clouds?

Vercel runs on Vercel-operated global infrastructure. Region selection within that infrastructure is available per function and deployment. Cloud selection is not a question the platform answers.

Upsun's .upsun/config.yaml is the same file whether the project runs on AWS, Azure, Google Cloud, or OVH, across dozens of regions. You pick the hyperscaler when you create the project, and the configuration does not change when you change the hyperscaler. Upsun is also available on the AWS, Azure, Google, and IBM marketplaces, so teams with committed-use agreements on any of those clouds can apply them against their Upsun usage.

Your application runs in Upsun-operated environments on the hyperscaler you choose. The portability is in the configuration, not in where the infrastructure is physically operated. What that changes is the cost of revisiting the cloud decision: it's a project setting instead of a quarter-long engineering project.

Should you move off Vercel?

Not necessarily. No single incident decides whether a platform is right for an application. What's worth doing is asking the four questions above about your current platform and any alternative you're evaluating, and making sure the answers match what your business actually needs.

For a frontend-heavy application with a small backend surface and no regulated compliance scope, Vercel is a good fit, and a migration is probably not the right use of the quarter. For a full-stack application with data-heavy previews, multi-vendor compliance friction, or cloud-choice requirements, the answers on a full-stack platform like Upsun are structurally different in ways that tend to matter at procurement time.

What moving looks like, if you do

For most Next.js applications, migration is primarily writing a .upsun/config.yaml that describes the frontend runtime, backend services, databases, and other components, plus moving environment variables and DNS. Because every Git branch on Upsun gets a byte-for-byte preview environment, engineers can run the migrated application against production-shape data before cutting over. Upsun's application services team supports migrations on a hands-on basis when that's the right path.

Frequently asked questions

Is Upsun more secure than Vercel?

Both platforms hold SOC 2 Type 2 certifications and run production applications for serious teams. The differences worth comparing are structural. Where the infrastructure audit trail lives: on Upsun, in the customer's own Git repository; on Vercel, in the platform's admin surface and logs. How compliance scope is composed: Upsun's certifications cover the whole platform including databases, queues, and workers, while Vercel's cover the Vercel-managed layer with marketplace partners carrying certifications for stateful services. What options are available: SOC 2 Type 2 and ISO 27001, with PCI DSS and HIPAA options, on Upsun; SOC 2 Type 2, with HIPAA BAAs on Pro and Enterprise plans, on Vercel.

Does Upsun support Next.js?

Yes. Next.js is a first-class runtime on Upsun. You define the application and any backing services it depends on in .upsun/config.yaml. Deployment is Git-driven, environment variables are managed through CLI or Console with an opt-in sensitive flag (the same model Vercel offers), and every branch gets a byte-for-byte preview environment.

How are secrets handled?

Environment variables on both Upsun and Vercel are set via CLI or the web console, not stored in version control. Upsun's YAML configuration file is explicitly called out in the documentation as a poor fit for secret values, because it's committed to Git. Variables can be flagged as sensitive, which hides their values from the UI and CLI output on both platforms. The structural difference between the two platforms is not in how secrets are stored but in the infrastructure that surrounds them: on Upsun, that infrastructure is declared in Git and reviewable alongside application code.

How long does a migration take?

For most applications, the work is primarily a configuration exercise: describing the existing stack in .upsun/config.yaml, moving environment variables, cutting DNS. Because preview environments on Upsun include the data layer, the migrated application can be validated against production-shape data before cutover. Upsun's application services team supports migrations hands-on when that's useful.
