Open, agile, and secure are our three core values. This document provides an overview of how Enonic works with security.
Report vulnerability issues to [email protected].
Enonic is ISO 27001:2013 certified. Our information security policy is therefore aimed not only at defending against malicious attacks, but also at responsible data management.
We are audited annually by a certified external auditor who, among other things, verifies our compliance with the 114 information security controls in the standard.
Finally, Enonic is also ISO 9001:2015 certified. This standard specifies requirements for a quality management system within an organisation.
A statement of applicability is available to customers on request.
Enonic is fully GDPR compliant. Have a look at our privacy policy, and Data Processing and Security Terms for Enonic Cloud for more details.
As an extra level of assurance, Enonic has a Data Privacy Officer to oversee privacy matters and handle privacy requests.
When using Enonic Cloud, we deploy a number of measures to protect your data. We effectively manage areas such as: privileged access management, secrets management, network security, operational procedures, monitoring, and incident management.
Enonic treats data security with the highest degree of confidentiality and integrity, always aiming to protect your data against unauthorised access.
HTTPS is enabled by default to protect data in transit. We also commission regular penetration testing, based on the OWASP testing guidelines, from external white-hat security firms.
Enonic Cloud is built to satisfy enterprise level requirements in availability and scalability. We achieve resilience by the following means:
Our CDN is delivered in cooperation with our trusted partner Cloudflare. The CDN ensures resilience by caching assets, effectively offloading the origin servers. With 100+ locations, smart routing and caching, the CDN can also reduce latency by as much as 64%.
The DDoS and security filters protect websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.
Our modern platform architecture and cloud services can handle extreme traffic and massive data sets, without sacrificing performance.
We provide clustered instances with full data replication, in order to minimise downtime and to improve availability for your visitors, customers and employees.
Our cloud customers always get dedicated platform instances, which isolate tenants from each other and limit the blast radius of a security incident. Enterprise customers may also opt for dedicated infrastructure.
Our cloud supports continuous snapshotting and backups, stored both on site and off site, giving you belt-and-braces protection for the integrity of your data.
The same code base underlies our open source and commercial software offerings as well as our cloud services.
As an open source company, we take pride in our culture of transparency. We do not rely on security through obscurity, so our code is open for scrutiny. Visit us on GitHub.
Our defined development process is based on agile principles. Peer code reviews, feature branching, test automation, static code analysis, retrospectives, and automated dependency updates are just parts of this.
We use semantic versioning indicating major, feature, and fix releases for simplicity and ease of use. With approximately 6,000 automated unit and integration tests, we are able to change our code frequently and release new versions with high quality.
Our battle-hardened runtime is built on the Java Virtual Machine for high performance and a mature security model. When a vulnerability is found, we follow standard procedures to notify customers, patch, and roll out fixes in a safe and timely manner.
Not only do we build software that is used by others, we also build our own services and websites on the same platform. New versions of our platform are always deployed on our own servers before being shipped to customers.
You are in charge of how your data is accessed and treated.
Use pluggable authentication to control access to your instances. Use our standard integrations with OpenID Connect and other popular identity providers and frameworks, or build your own. Visit our app store for more details.
Define fine-grained access management using roles, groups, and permissions, or implement custom security rules into your applications as desired.
We fully support modern development environments such as Continuous Delivery pipelines, and automated testing—configurable to meet your requirements.
Our system standard audit log records all relevant changes, and can also be used by your own applications if needed. Subscribing customers are also entitled to audit our entire company at will.
We will: