Security

featureArticle.chapters

featureArticle.introduction
Compliance & Certifications
Privacy
How We Protect Your Data
How We Keep Services Reliable
How We Keep Our Software Secure
How You Can Contribute to Protect Your Data
Our Promise

featureArticle.introduction

Open, agile, and secure are our three core values. This document provides an overview of how Enonic works with security.

Report vulnerability issues to security@enonic.com.

authorBox.about

Thomas Sigdestad

Thomas Sigdestad is the CTO of Enonic, which he co-founded in 2000 together with Morten Eriksen. He enjoys trail biking, hunting, and spending time with his family.

Compliance & Certifications

Enonic is ISO 27001:2022 certified. Our information security policy is thus not only directed against malicious attacks, but also towards responsible data management.

We are annually audited by a certified external auditor, whom among other things verifies our compliance with the 93 InfoSec controls in the standard.

Enonic is compliant with DORA (Digital Operational Resilience Act). This EU regulation aims at strengthening the digital resilience of the financial sector. It mandates robust IT risk management, incident reporting, strict oversight of critical third-party IT providers, mandatory cybersecurity testing, and increased collaboration on threat intelligence.

Finally, Enonic is also ISO 9001:2015 certified. This standard specifies requirements for a quality management system within an organization.

A statement of applicability is available per request to customers.

Privacy

Enonic is fully GDPR compliant. Have a look at our privacy policy details.

As an extra level of assurance, Enonic has a Data Privacy Officer to oversee privacy matters and handle privacy requests.

How We Protect Your Data

When using Enonic Cloud, we deploy a number of measures to protect your data. We effectively manage areas such as: privileged access management, secrets management, network security, operational procedures, monitoring, and incident management.

Enonic treats data security with the highest degree of confidentiality and integrity, always aiming to protect your data against unauthorized access.

HTTPS is enabled by default to protect data in transit. We also perform regular OWASP penetration testing via external white hat agencies.

Download our full Data Processing Agreement for more information.

How We Keep Services Reliable

Enonic Cloud is built to satisfy enterprise level requirements in availability and scalability. We achieve resilience by the following means:

Global CDN and DDoS protection

Our CDN is delivered in cooperation with our trusted partner F astly. The CDN ensures resilience by caching assets, effectively offloading the origin servers. With 70+ locations, smart routing and caching, the CDN can also significantly reduce latency.

The DDoS and security filters protect websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.

Scalability

Our modern platform architecture and cloud services can handle extreme traffic and massive data sets, without sacrificing performance.

Redundancy

We provide clustered instances with full data replication, in order to minimize downtime and to improve availability for your visitors, customers and employees.

Isolation

Our cloud customers always get dedicated platform instances—effectively isolating and minimizing the impact of security incidents. Enterprise customers may also opt for dedicated infrastructure.

Backup and disaster recovery

Our cloud supports continuous snapshotting and backups both onsite and offsite, giving you belts and buckles in protecting the integrity of your data.

How We Keep Our Software Secure

Our software is the foundation of both our open source and commercial software offerings, as well as our cloud services.

Transparency

As an open source company, we take pride in our transparency culture. We do not rely on security through obscurity. Our code is thus open for scrutiny. Visit us on GitHub.

Process and automation

Our defined development process is based on agile principles. Peer code reviews, feature branching, test automation, static code analysis, retrospectives, and automated dependency updates are just parts of this.

Test and release

We use semantic versioning indicating major, feature, and fix releases for simplicity and ease of use. With approximately 6,000 automated unit and integration tests, we are able to change our code frequently and release new versions with high quality.

Vulnerability handling

Our battle-hardened runtime is built on the Java Virtual Machine for high performance and optimal security. In case of vulnerabilities, we have standard procedures to notify, patch, and roll out fixes in a safe and timely manner.

Dog feeding

Not only do we build software that is used by others, we also build our own services and websites on the same platform. New versions of our platform are always deployed on our own servers before being shipped to customers.

How You Can Contribute to Protect Your Data

You are in charge of how your data is accessed and treated.

Pluggable authentication

Use pluggable authentication to control access to your instances. Use our standard integrations with OpenID Connect and other popular identity providers and frameworks, or build your own. Visit our app store for more details.

Permissions and access management

Define fine-grained access management using roles, groups, and permissions, or implement custom security rules into your applications as desired.

Automation

We fully support modern development environments such as Continuous Delivery pipelines, and automated testing—configurable to meet your requirements.

Audits

Our system standard audit log records all relevant changes, and can also be used by your own applications if needed. Subscribing customers are also entitled to audit our entire company at will.

Our Promise

We will:

always comply with laws and regulations.
do business in an ethical way, and never accept or pay bribes to achieve our goals.
continuously work to improve our processes and procedures.
conduct our business with a focus on sustainability.
have clear objectives and high, but realistic, goals.
continuously work to uncover risks and threats to our operations and data.
mitigate known risks, and eliminate risks that are deemed high.
provide our employees with tools and training to be effective and creative in their work.
systematically handle deviations to improve the quality of our products and services.
systematically plan the development and improvement of our products and services.
treat the information we manage ethically, and according to its classification.
comply with the controls and requirements of our corporate certifications.
continuously measure customer satisfaction, and act on negative feedback.
work hard to exceed the expectations of our customers.