Security

Compliance & Certifications

Enonic is ISO 27001:2013 certified. Our information security policy is thus not only directed against malicious attacks, but also towards responsible data management.

We are annually audited by a certified external auditor, whom among other things verifies our compliance with the 114 InfoSec controls in the standard.

Finally, Enonic is also ISO 9001:2015 certified. This standard specifies requirements for a quality management system within an organisation.

A statement of applicability is available per request to customers.

Privacy

Enonic is fully GDPR compliant. Have a look at our privacy policy, and Data Processing and Security Terms for Enonic Cloud for more details.

As an extra level of assurance, Enonic has a Data Privacy Officer to oversee privacy matters and handle privacy requests.

How we protect your data 

When using Enonic Cloud, we deploy a number of measures to protect your data. We effectively manage areas such as: privileged access management, secrets management, network security, operational procedures, monitoring, and incident management.

Enonic treats data security with the highest degree of confidentiality and integrity, always aiming to protect your data against unauthorised access.

HTTPS is enabled by default to protect data in transit. We also perform regular OWASP penetration testing via external white hat agencies.

How we keep services reliable

Enonic Cloud is built to satisfy enterprise level requirements in availability and scalability. We achieve resilience by the following means:

Global CDN and DDoS protection

Our CDN is delivered in cooperation with our trusted partner Cloudflare. The CDN ensures resilience by caching assets, effectively offloading the origin servers. With 100+ locations, smart routing and caching, the CDN can also reduce latency by as much as 64%.

The DDoS and security filters protect websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.

Scalability

Our modern platform architecture and cloud services can handle extreme traffic and massive data sets, without sacrificing performance.

Redundancy

We provide clustered instances with full data replication, in order to minimise downtime and to improve availability for your visitors, customers and employees.

Isolation

Our cloud customers always get dedicated platform instances—effectively isolating and minimising the impact of security incidents. Enterprise customers may also opt for dedicated infrastructure.

Backup and disaster recovery

Our cloud supports continuous snapshotting and backups both onsite and offsite, giving you belts and buckles in protecting the integrity of your data.

How we keep our software secure

Our software is the foundation of both our open source and commercial software offerings, as well as our cloud services.

Transparency

As an open source company, we take pride in our transparency culture. We do not rely on security through obscurity. Our code is thus open for scrutiny. Visit us on Github.

Process and automation

Our defined development process is based on agile principles. Peer code reviews, feature branching, test automation, static code analysis, retrospectives, and automated dependency updates are just parts of this.

Test and release

We use semantic versioning indicating major, feature, and fix releases for simplicity and ease of use. With approximately 6,000 automated unit and integration tests, we are able to change our code frequently and release new versions with high quality.

Vulnerability handling

Our battle-hardened runtime is built on the Java Virtual Machine for high performance and optimal security. In case of vulnerabilities, we have standard procedures to notify, patch, and roll out fixes in a safe and timely manner.

Dog feeding

Not only do we build software that is used by others, we also build our own services and websites on the same platform. New versions of our platform are always deployed on our own servers before being shipped to customers.

How you can contribute to protect your data

You are in charge of how your data is accessed and treated. 

Pluggable authentication

Use pluggable authentication to control access to your instances. Use our standard integrations with OpenID Connect and other popular identity providers and frameworks, or build your own. Visit our app store for more details.

Permissions and access management

Define fine-grained access management using roles, groups, and permissions, or implement custom security rules into your applications as desired. 

Automation

We fully support modern development environments such as Continuous Delivery pipelines, and automated testing—configurable to meet your requirements.

Audits

Our system standard audit log records all relevant changes, and can also be used by your own applications if needed. Subscribing customers are also entitled to audit our entire company at will.

Our promise

We will:

• always comply with laws and regulations.
• do business in an ethical way, and never accept or pay bribes to achieve our goals.
• continuously work to improve our processes and procedures.
• have clear objectives and high, but realistic, goals.
• continuously work to uncover risks and threats to our operations and data.
• mitigate known risks, and eliminate risks that are deemed high.
• provide our employees with tools and training to be effective and creative in their work.
• systematically handle deviations to improve the quality of our products and services.
• systematically plan the development and improvement of our products and services.
• treat the information we manage ethically, and according to its classification.
• comply with the controls and requirements of our corporate certifications.
• continuously measure customer satisfaction, and act on negative feedback.
• work hard to exceed the expectations of our customers.