platformsh · Kemi-Elizabeth · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 19, 2025
diff --git a/sites/platform/src/administration/organizations.md b/sites/platform/src/administration/organizations.md
@@ -61,7 +61,22 @@ title=Using the Console
 
 {{< /codetabs >}}
 
-## Create a new organization
+## Create a Fixed organization
+
+**This option is available only to {{% vendor/name %}} customers under current contracts.** 
+
+For all other customers, all new organization types are Flex organizations, which you can create yourself by using the Console or CLI as described in [Create a Flex organization](#create-flex-organization) below.
+
+To create a Fixed organization, please open a [support ticket](/learn/overview/get-support.md), and indicate the following information in your ticket:
+
+- Indicate that you are requesting the creation of a Fixed organization.
+- **Category:** Access  
+- **Priority:** Low / Normal (as required)  
+- **Description:** Make sure to include the **organization name** you would like.
+
+Our Support team will verify your eligibility for a Fixed organization. Once approved, a Fixed organization will be created on your behalf. Support will notify you when the organization is ready, and your ticket will be closed.
+
+## Create a Flex organization {#create-flex-organization}
 
 You can create new organizations with different payment methods and billing addresses
 and organize your projects as you want.
@@ -168,8 +183,6 @@ Ideal for workloads that evolve over time or have dynamic resource requirements.
 
 {{< /note >}}
 
-### What can you do?
-When creating a new organization, users will be able to select the organization type from a drop-down option based on their preference. Once the organization is created, users can manage their organizations like they do today.
 
 ### Feature differences
 
@@ -248,6 +261,7 @@ When creating a new organization, users will be able to select the organization
 | PCI DSS Level 1-compatible | Yes | Yes |
 | HIPAA | Enterprise and Elite only in specific regions | Coming soon |
 
+
 ### Fixed and Flex FAQs
 
 #### What happens to my URL?

diff --git a/sites/upsun/src/add-services/elasticsearch.md b/sites/upsun/src/add-services/elasticsearch.md
@@ -13,18 +13,21 @@ See the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsea
 
 ## Supported versions
 
-{{% note title="Premium Service" theme="info" %}}
-Elasticsearch versions 7.11 or later are no longer included in any {{< vendor/name >}} plan.
-You need to add it separately at an additional cost.
-To add Elasticsearch, [contact Sales]({{< vendor/urlraw "sales" >}}).
-{{% /note %}}
 
 You can select the major and minor version.
 
 Patch versions are applied periodically for bug fixes and the like. When you deploy your app, you always get the latest available patches.
 
 {{< image-versions image="elasticsearch" status="supported" environment="grid" >}}
 
+### Enterprise edition
+
+{{% note title="Premium Service" theme="info" %}}
+Elasticsearch versions 7.11 or later are no longer included in any {{< vendor/name >}} plan.
+You need to add it separately at an additional cost.
+To add Elasticsearch, [contact Sales]({{< vendor/urlraw "sales" >}}).
+{{% /note %}}
+
 ## Deprecated versions
 
 The following versions are still available in your projects for free,

diff --git a/sites/upsun/src/add-services/mongodb.md b/sites/upsun/src/add-services/mongodb.md
@@ -21,6 +21,14 @@ When you deploy your app, you always get the latest available patches.
 
 {{< image-versions image="mongodb-enterprise" status="deprecated" environment="grid" >}}
 
+### Enterprise edition
+
+{{% note title="Premium Service" theme="info" %}}
+MongoDB Enterprise isn’t included in any {{< vendor/name >}} plan.
+You need to add it separately at an additional cost.
+To add MongoDB Enterprise, [contact Sales](https://upsun.com/contact-us/).
+{{% /note %}}
+
 ### Legacy edition
 
 Previous non-Enterprise versions are available in your projects (and are listed below),

diff --git a/sites/upsun/src/domains/cdn/managed-fastly.md b/sites/upsun/src/domains/cdn/managed-fastly.md
@@ -0,0 +1,142 @@
+---
+title: "Managed Fastly CDN"
+sidebarTitle: "Managed Fastly CDN"
+weight: 2
+description: Bring your content closer to users with a Fastly CDN fully managed by {{% vendor/name %}}.
+keywords:
+  - mTLS
+---
+
+Instead of starting your own Fastly subscription and [managing your CDN yourself](/domains/cdn/fastly.md),
+you can take advantage of a Fastly CDN provided by {{% vendor/name %}}.
+These CDNs are exclusively set up and managed by {{% vendor/name %}}.
+
+To modify any settings for a managed Fastly CDN, open a [support ticket](/learn/overview/get-support.md).
+To add a managed Fastly CDN to your project, [contact sales](https://upsun.com/contact-us/).
+
+{{< note theme="Info" >}}
+{{% vendor/name %}} does not write nor debug any custom VCL on Managed Fastly CDN services.
+{{< /note >}}
+
+{{< note theme="note" title="Monitor CDN metrics">}}
+
+You can access a summary of your monthly traffic usage under the "Traffic this month" section at the Project level inside [Console](https://console.upsun.com/). This will help you monitor your monthly bandwidth and requests consumption. 
+
+In this summary, you will find specific details about:
+
+- **Origin Bandwidth:** Data transferred from origin servers (in TB).
+
+- **Origin Requests:** Requests served by origin servers (in millions of requests).
+
+- **CDN Bandwidth & CDN Requests:** Shown if you have Fastly CDN enabled.
+
+This data is updated daily and will reflect your traffic usage throughout the billing period. 
+
+{{< /note >}}
+
+{{< note theme="info" title="Set up traffic alerts">}}
+
+You can also set up consumption alerts for your resource usage. Click the Alert button in the "Traffic this month" block within [Console](https://console.upsun.com/) to configure usage thresholds. For more information, head to the [Pricing docs page](/administration/pricing.html#monthly-traffic-alerts).
+
+{{< /note >}}
+
+## How Managed Fastly works
+
+{{% vendor/name %}}’s Managed Fastly CDN routes incoming traffic through the Fastly edge network before requests reach your application. This enables global caching, edge logic (VCL), performance optimisation, and optional security features.
+
+The Fastly CDN must be provisioned and managed by {{% vendor/name %}}. Features such as the {{% vendor/name %}} Web Application Firewall (WAF), edge rate limiting, and image optimization depend on this managed integration and cannot be used with a customer-managed Fastly account.
+
+Once enabled, Fastly operates as the first point of contact for all HTTP requests, allowing requests to be cached, filtered, transformed, or blocked entirely at the edge.
+
+{{< note theme="info" title="Feature dependencies">}}
+
+- The {{% vendor/name %}} WAF requires the {{% vendor/name %}} Managed Fastly CDN.
+- Customers cannot attach the WAF to an existing third-party Fastly service.
+- Advanced Fastly features such as virtual patching and per-project logging require a configurable Fastly workspace.
+
+{{< /note >}}
+
+### Domain control validation
+
+When you request for a new domain to be added to your Fastly service,
+{{% vendor/name %}} [support](/learn/overview/get-support.md) provides you with a [`CNAME` record](/domains/steps/dns.md) for [domain control validation](/domains/troubleshoot.md#ownership-verification).
+To add this `CNAME` record to your domain settings,
+see how to [configure your DNS provider](/domains/steps/_index.md#2-configure-your-dns-provider).
+
+### Transport Layer Security (TLS) certificates
+
+By default, two [TLS certificates](/glossary/_index.md#transport-layer-security-tls) are included: an apex and a wildcard one.
+This allows for encryption of all traffic between your users and your app.
+
+If you use a Fastly CDN provided by {{% vendor/name %}},
+you can provide your own third-party TLS certificates for an additional fee.
+
+To do so, if you don't have one,
+set up a [mount](/create-apps/image-properties/mounts.md) that isn't accessible to the web.
+Use an environment with access limited to {{% vendor/name %}} support and trusted users.
+[Transfer](/development/file-transfer.md) each certificate, its unencrypted private key,
+and the intermediate certificate to the mount.
+To notify {{% vendor/name %}} that a certificate is to be added to your CDN configuration,
+open a [support ticket](/learn/overview/get-support.md).
+
+If you need an Extended Validation TLS certificate,
+you can get it from any TLS provider.
+To add it to your CDN configuration, open a [support ticket](/learn/overview/get-support.md).
+
+Note that when you add your own third-party TLS certificates,
+you are responsible for renewing them in due time.
+Failure to do so may result in outages and compromised security for your site.
+
+### Retrieve your Fastly API token
+
+The API token for your managed Fastly CDN is stored in the `FASTLY_API_TOKEN` or the `FASTLY_KEY` environment variables.
+
+This variable is usually set in the `/master/settings/variables` folder of your project,
+and you can access it [from a shell](/development/variables/use-variables.md#access-variables-in-a-shell)
+or directly [in your app](/development/variables/use-variables.md#access-variables-in-your-app).
+
+
+## Dynamic ACL and rate limiting
+
+For details about updating an access control list (ACL) and applying rate limiting, check out the [Working with {{% vendor/name %}} rate-limiting implementation](https://support.platform.sh/hc/en-us/articles/29528777071890-Upsun-Fastly-Rate-Limiting-How-it-works-how-to-tune-it) article in the Upsun Community.
+
+## Edge-level rate limiting
+
+{{% vendor/name %}} provides edge-level rate limiting through Fastly, allowing you to control how many requests a single IP address or network can make within a given time window.
+
+Rate limiting is applied at the edge, before requests reach your application, helping to reduce load and mitigate abusive traffic patterns.
+
+### What Edge-level rate limiting can do
+
+- Protect sensitive endpoints such as `/login`, `/admin`, or checkout paths
+- Limit request floods from a single IP or IP range
+- Reduce application load during traffic spikes
+- Enable {{% vendor/company_name %}} Support to better handle attacks or high-traffic events by throttling traffic at the edge
+
+Edge-level rate limiting is available as a standalone add-on (without the WAF).
+<!-- VERIFY: Is the first bullet below only for Fixed? If so, confirm the sentence above is correct (it's written to include only the info in the 2nd bullet). If both bullets apply to Flex, delete the sentence above and uncomment this content, which is copied from Fixed.
+Edge-level rate limiting is:
+- Included with all {{% vendor/company_name %}} Fastly Next-Gen WAF tiers 
+- Available as a standalone add-on (without the WAF)
+-->
+
+### Configuration and defaults
+
+There are no default rate-limiting rules applied automatically. Rate limiting is configured during onboarding, or by request via {{% vendor/name %}} [Support](/learn/overview/get-support.md).
+
+Rules can be scoped by:
+
+- Request path
+- Request type
+- IP address or network
+- Custom thresholds and actions (block, allow, log)
+
+### Limitations
+
+Edge-level rate limiting is a rule-based control mechanism, not an automated bot-detection system. It does not:
+
+- Identify bots automatically
+- Present CAPTCHA or JavaScript challenges
+- Provide AI-driven mitigation
+
+For advanced bot and scraper protection, {{% vendor/name %}} offers separate third-party integrations.
diff --git a/sites/upsun/src/security/fasty-waf.md b/sites/upsun/src/security/fasty-waf.md
@@ -0,0 +1,142 @@
+---
+title: Fastly WAF
+description: "Find out about the offers you can choose from to subscribe to the Fastly Next-Gen Web Application Firewall (WAF) through {{% vendor/name %}}."
+weight: 2
+banner:
+    type: tiered-feature
+---
+
+On top of the [{{% vendor/name %}} Web Application Firewall (WAF)](/security/web-application-firewall/waf.md),
+you can subscribe to the Fastly Next-Gen Web Application Firewall (Next-Gen WAF) to further protect your app from security threats.
+
+## Available offers
+
+If you want to subscribe to the Fastly Next-Gen WAF through {{% vendor/name %}},
+you can choose from two offers:
+
+- If you subscribe to the **Basic** offer, your WAF is fully managed by {{% vendor/name %}}.
+- If you subscribe to the **Basic configurable** offer, your WAF is fully managed by {{% vendor/name %}} too, but with additional flexibility and visibility provided.
+
+To view a list of all the features included in each offer, see the following table.
+
+{{< note theme="info" >}}
+
+Links to the official [Fastly Next-Gen WAF documentation](https://docs.fastly.com/products/fastly-next-gen-waf) are provided for reference only.
+The offers described on this page have been designed specifically for {{% vendor/name %}} customers.
+Included features may present limitations compared to those advertised by Fastly to their direct customers.
+
+{{< /note >}}
+
+| Capability                                                                                                                                          | Basic offer     | Basic configurable offer          |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|-----------------------------------|
+| Available modes                                                                                                                                     | Block mode only | Block, not blocking, off modes    |
+| [Default attack signals](https://docs.fastly.com/signalsciences/using-signal-sciences/signals/using-system-signals/#attacks)                        | Yes             | Yes                               |
+| [Default anomaly signals](https://docs.fastly.com/signalsciences/using-signal-sciences/signals/using-system-signals/#anomalies)                     | Yes             | Yes                               |
+| [Virtual patching](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-templated-rules/#virtual-patching-rules) | No              | Yes, in block mode only           |
+| [Default dashboards](https://docs.fastly.com/signalsciences/using-signal-sciences/web-interface/about-the-site-overview-page/)                      | No              | During quarterly business reviews |
+| [Custom response codes](https://docs.fastly.com/signalsciences/using-signal-sciences/custom-response-codes/)                                        | No              | No                                |
+| [Custom signals](https://docs.fastly.com/signalsciences/using-signal-sciences/signals/working-with-custom-signals/)                                 | No              | No                                |
+| [Standard API & ATO signals](https://www.fastly.com/documentation/guides/next-gen-waf/using-ngwaf/rules/working-with-templated-rules/)              | No              | No                                |
+
+To subscribe to a Fastly Next-Gen WAF offer through {{% vendor/name %}},
+[contact Sales](https://upsun.com/contact-us/).
+
+## Next-Gen WAF Tier Comparison
+
+#### Basic 
+
+- Block-only mode
+- Default attack and anomaly signals enabled
+- No virtual patching
+- No default dashboards
+- No custom signals, response codes, or API/ATO signals
+
+This tier is best suited for baseline protection with minimal configuration requirements.
+
+#### Basic Configurable 
+
+- Block, not blocking, and off modes
+- Default attack and anomaly signals enabled
+- Virtual patching available in block mode
+- Default dashboards reviewed during quarterly business reviews
+- No custom signals, response codes, or API/ATO signals 
+
+This tier is best for customers needing custom rules, CVE protection, per-project visibility, or log integration.
+
+## How the Fastly Next-Gen WAF Works
+
+The Fastly Next-Gen WAF evaluates incoming requests using a combination of signals, conditions, actions, and thresholds.
+
+### Signals
+
+Signals classify and tag requests based on observed patterns, such as:
+
+- SQL injection attempts
+- Cross-site scripting payloads
+- Repeated 404 requests
+- Known attack signatures
+
+Signals are informational and are not inherently “good” or “bad”.
+
+### Conditions
+
+Conditions define where and when a rule applies. Examples include:
+
+- Specific URL paths
+- Request methods
+- Geographic origin
+- Presence of certain signals
+
+### Actions
+
+Actions define what happens when a rule matches (allow/log apply to the configurable offer):
+
+- Block the request
+- Allow the request
+- Log the request for analysis
+
+{{< note theme="info" >}}
+
+The Basic Next-Gen WAF offer operates in block-only mode.
+
+{{< /note >}}
+
+### Thresholds
+
+Thresholds define volume-based triggers. For example, block if more than `N` suspicious requests occur from the same IP within a defined time window to distinguish normal user behaviour from automated probing or attacks.
+
+### Virtual Patching
+
+Virtual patches are temporary WAF rules provided by Fastly to block known CVEs at the edge. They:
+
+- Protect against specific, identified vulnerabilities
+- Buy time while application dependencies are patched
+- Do not replace proper application updates
+
+{{< note theme="info" >}}
+
+Virtual patching is available only in the Basic Configurable Next-Gen WAF tier.
+
+{{< /note >}}
+
+## Scope and Limitations
+
+The Fastly Next-Gen WAF mitigates many common web-based attacks, including parts of the OWASP Top 10. However, it does not replace application-level security. The WAF does not automatically protect against:
+
+- Weak authentication or password policies
+- Insecure application design
+- Business-logic flaws
+- All bot or scraper traffic
+- All DDoS attack types
+
+Some attacks are mitigated at the CDN network layer, while others require identifiable patterns that can be enforced via WAF or rate-limiting rules.
+
+{{< note theme="info" title="No automatic challenges">}}
+
+{{% vendor/name %}}’s Fastly Next-Gen WAF does not provide automatic CAPTCHA or JavaScript challenges. Traffic is evaluated using rule-based signals, thresholds, and actions configured during onboarding or [via Support](/learn/overview/get-support.md).
+
+{{< /note >}}
+
+## Configuration and enablement
+
+Fastly Next-Gen WAF features are not self-service. Enablement and configuration occur during customer onboarding, or via a [Support request](/learn/overview/get-support.md) after purchase.