Open, agile, and secure are our three core values. This document provides an overview of how Enonic works with security.
Report vulnerability issues to email@example.com.
Compliance & Certifications
Enonic is ISO 27001:2013 certified. Our information security policy therefore addresses not only malicious attacks, but also responsible data management.
We are audited annually by a certified external auditor, who among other things verifies our compliance with the 114 information security controls in the standard (Annex A).
Finally, Enonic is also ISO 9001:2015 certified. This standard specifies requirements for a quality management system within an organisation.
A statement of applicability is available to customers upon request.
As an extra level of assurance, Enonic has a Data Privacy Officer to oversee privacy matters and handle privacy requests.
How We Protect Your Data
When using Enonic Cloud, we deploy a number of measures to protect your data. We effectively manage areas such as: privileged access management, secrets management, network security, operational procedures, monitoring, and incident management.
Enonic treats data security with the highest degree of confidentiality and integrity, always aiming to protect your data against unauthorised access.
HTTPS is enabled by default to protect data in transit. We also commission regular penetration tests, based on the OWASP testing methodology, from external white-hat security agencies.
How We Keep Services Reliable
Enonic Cloud is built to satisfy enterprise level requirements in availability and scalability. We achieve resilience by the following means:
Global CDN and DDoS protection
Our CDN is delivered in cooperation with our trusted partner Cloudflare. The CDN improves resilience by caching assets, which offloads the origin servers. With 100+ locations, smart routing and caching, the CDN can also reduce latency by as much as 64%.
The DDoS and security filters protect websites, applications and entire networks, while ensuring that the performance of legitimate traffic is not compromised.
Our modern platform architecture and cloud services can handle extreme traffic and massive data sets, without sacrificing performance.
We provide clustered instances with full data replication, in order to minimise downtime and to improve availability for your visitors, customers and employees.
Our cloud customers always get dedicated platform instances—effectively isolating and minimising the impact of security incidents. Enterprise customers may also opt for dedicated infrastructure.
Backup and disaster recovery
Our cloud supports continuous snapshotting and backups, both onsite and offsite, giving you a belt-and-braces approach to protecting the integrity of your data.
How We Keep Our Software Secure
Our core platform is the foundation of both our open source and commercial software offerings, as well as our cloud services.
As an open source company, we take pride in our transparency culture. We do not rely on security through obscurity, so our code is open for scrutiny. Visit us on GitHub.
Process and automation
Our defined development process is based on agile principles. Peer code reviews, feature branching, test automation, static code analysis, retrospectives, and automated dependency updates are just parts of this.
Test and release
We use semantic versioning, indicating major, feature, and fix releases, for simplicity and ease of use. With approximately 6,000 automated unit and integration tests, we are able to change our code frequently and release new versions with high quality.
Our battle-hardened runtime is built on the Java Virtual Machine for high performance and strong security. When a vulnerability is found, we have standard procedures to notify, patch, and roll out fixes in a safe and timely manner.
Not only do we build software that is used by others, we also build our own services and websites on the same platform. New versions of our platform are always deployed on our own servers before being shipped to customers.
How You Can Contribute to Protect Your Data
You are in charge of how your data is accessed and treated.
Use pluggable authentication to control access to your instances. Use our standard integrations with OpenID Connect and other popular identity providers and frameworks, or build your own. Visit our app store for more details.
Permissions and access management
Define fine-grained access management using roles, groups, and permissions, or implement custom security rules into your applications as desired.
We fully support modern development environments, such as Continuous Delivery pipelines and automated testing, configurable to meet your requirements.
Our standard system audit log records all relevant changes, and can also be used by your own applications if needed. Subscribing customers are also entitled to audit our entire company at will.
Our policy commitments are to:
- always comply with laws and regulations.
- do business in an ethical way, and never accept or pay bribes to achieve our goals.
- continuously work to improve our processes and procedures.
- have clear objectives and high, but realistic, goals.
- continuously work to uncover risks and threats to our operations and data.
- mitigate known risks, and eliminate risks that are deemed high.
- provide our employees with tools and training to be effective and creative in their work.
- systematically handle deviations to improve the quality of our products and services.
- systematically plan the development and improvement of our products and services.
- treat the information we manage ethically, and according to its classification.
- comply with the controls and requirements of our corporate certifications.
- continuously measure customer satisfaction, and act on negative feedback.
- work hard to exceed the expectations of our customers.