1. Preamble
Frontify’s information security program is designed in accordance with best practice industry standards, such as ISO 27001. Frontify’s security controls are designed to address its posture as a cloud-based software-as-a-service (SaaS) provider. The following concepts apply to Frontify’s software and its provision of the services (hereinafter “Frontify Services”) and are contextually important to understanding Frontify’s security measures.
Frontify has implemented appropriate technical and organizational measures (hereinafter "TOMs") to ensure a level of security appropriate to the risk of the processing activities performed to provide the Frontify Services. The TOMs shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The TOMs are subject to regular improvement and development; therefore, Frontify may review and update this document from time to time. In this respect, Frontify is entitled to implement adequate alternative measures, which shall not materially diminish the overall security level of the measures specified herein.
As Frontify uses the services of an external hosting partner, both for the hosting and processing of data, some measures will be solely implemented in the data center of such hosting partner. Accordingly, the TOMs which only concern the hosting partner are indicated in this document with the addition ("Hosting-Partner").
2. Audits and certifications
Frontify ensures that a yearly audit of the implemented information security program is performed by an external auditor and, upon request, provides its customers with documentation of proof of compliance by making available industry certificates (e.g., ISO 27001 certification, Cyber Essentials certification) and excerpts of audit results, subject to the condition that such customer is bound to confidentiality obligations.
3. Secure cloud hosting
The Frontify Services are performed using the secure server infrastructure of our cloud hosting partner AWS. For more information about the security standards implemented by AWS, please refer to:
- https://aws.amazon.com/security/
- https://aws.amazon.com/compliance/programs/
- https://aws.amazon.com/compliance/data-center/controls/
4. Information security policy
Frontify has implemented an information security policy that governs all the relevant aspects of its security program and is aligned with best practice industry standards such as ISO 27001 requirements. Frontify's information security policy may be made available to customers upon request, subject to the condition that the customer is bound to confidentiality obligations. Further information on Frontify’s security controls can be accessed at https://www.frontify.com/en/security/.
5. Anonymization and pseudonymization
Anonymization of personal data involves the removal of personal identifiers, the aggregation of data, or the processing of data in such a way that it can no longer be associated with an individual person. Pseudonymization reduces the direct reference to an individual person during the processing in such a way that only the inclusion of additional information allows an assignment to that person.
To the extent technically possible and compatible with the provision of the Frontify Services, Frontify anonymizes personal data. Where anonymization is not possible, Frontify resorts to pseudonymization of personal data. However, in order to provide the Frontify Services, anonymization or pseudonymization of personal data is not always feasible and would be contrary to the purpose of the Frontify Services.
6. Encryption
Encryption is a measure or process that converts information into an illegible (i.e., not easily interpretable) character string (ciphertext) with the aid of an encryption method (cryptosystem).
6.1 Encryption during transmission (data in transit)
The Frontify Services are only available on pages with HTTPS, and HSTS headers are created for all subdomains. Frontify leverages Transport Layer Security (TLS) 1.2 (or better) for data in transit over any network. Frontify supports full data encryption in transit. No non-encrypted data leaves the data center. All monitoring and backend systems either send local traffic over the VPC (virtual private cloud) or use transport-level encryption when communicating with the rest of the Internet.
6.2 Encryption of resting data (data at rest)
Customer data is stored in encrypted form, in S3 buckets, and it is logically separated. Frontify encrypts data at rest using the Advanced Encryption Standard (AES) 256-bit (or better).
7. Confidentiality
Frontify adopts effective measures to ensure the confidentiality of data and to prevent any unauthorized disclosure of or access to transmitted, stored or otherwise processed data. These measures include physical access control, admission control, access control, and separation control.
7.1 Physical access control
Measures to ensure that unauthorized persons are prevented from gaining access to the data processing infrastructure.
Description of the physical access control:
- controlled key management
- door protection (electronic door-opener)
- monitoring system (alarm system)
- control system for visitors
- Hosting-Partner: site security, gatekeeper
- Hosting-Partner: server room protection
7.2 Admission control
Measures to ensure that unauthorized persons are prevented from accessing the data. Description of the admission control:
- password policy, i.e., personal and individual user log-in when accessing the system (e.g., special characters, minimum length)
- automatic locking (e.g., password, pause mode)
- creation of a user master record per user
- limiting the number of authorized employees
- encryption of data storage
- access lists
- isolation of sensitive systems through separate network areas
- authentication procedure (VPN, certificates, multi-factor authentication)
- logging of login attempts and interruption of the login process after a defined number of unsuccessful attempts
7.3 Access control
Measures to ensure that those authorized to access a data processing infrastructure can only access the data that is subject to their access authorization. This ensures that data cannot be read, copied, modified, or removed without authorization during processing and storage.
Description of the access control:
- concept based on the principle of least privilege
- authorization concepts (differentiated authorizations in profiles, roles, etc.)
- encryption of different data storage
- logging of accesses and attempted misuse
7.4 Separation control
Measures to ensure that data collected for different purposes are processed separately and kept separate from other data and systems, in order to exclude unplanned use of these data for other purposes.
Description of the separation control:
- authorization concepts (differentiated authorizations in profiles, roles, etc.)
- encrypted storage of data
- multi-tenant environment with logical customer separation
- separation of test and production systems
8. Integrity
Measures to maintain the integrity of data and to prevent data from being modified in an unnoticed, unauthorized, or unintentional manner. These measures include data integrity, transmission control, transport control, and input control.
8.1 Data integrity control
Measures to ensure that data is not damaged or altered by malfunctions of the system.
Description of the data integrity control:
- implementation of new releases and patches with a release/patch management
- operational test during implementation and releases/patches by the IT department
- logging
- transport processes with individual responsibility
8.2 Transmission control
Measures to ensure that it is possible to verify and determine where data has been or can be transmitted or made available using data transmission facilities.
Description of the transmission control:
- logging
- transport processes with individual responsibility
- hashing
8.3 Transport control
Measures to ensure that the confidentiality and integrity of data are protected during the transmission of data and transport of data carriers.
Description of the transport control:
- transmission of data via encrypted data networks or tunnel connections (VPN)
- transport processes with individual responsibility
- encryption procedures which detect data modifications during transport
- comprehensive logging procedures
8.4 Input control
Measures that make it possible to check and establish whether and by whom the data in the data processing infrastructure have been entered, modified, or removed.
Description of the input control:
- logging of all system activities and retention of these logs for at least one year
- protocol analysis systems
- hashing
- digital signatures
9. Vulnerability detection and management
Frontify uses threat detection tools to ensure that suspicious activities, potential malware, viruses, and/or malicious computer codes are detected and reported to Frontify.
By default, Frontify scans all file types for malware (malware scanning) and uses input validation measures to prevent the execution of programs in files uploaded by the user that contain malware. In addition, Frontify enables its customers to add specific file types to a block list.
Frontify has implemented a bug bounty program to ensure continuous vulnerability detection throughout the year.
Vulnerabilities that meet defined risk criteria trigger automatic alerts and are prioritized for remediation based on their potential threat and impact on the Frontify Services.
10. Data neutrality
Frontify does not review the data uploaded by customers to the Frontify Services and processes all data regardless of its nature provided it fits the predefined characteristics for processing. Frontify makes no data-based decisions, but only executes customers' instructions when they upload content to the Frontify Services to achieve the desired results.
11. Administrative controls
Frontify performs criminal background screening on its employees as part of its hiring process, as appropriate given the employee’s role and as permitted under applicable law. Frontify conducts regular training sessions on data privacy and security. Further, every employee is required to complete an onboarding program. Frontify employees are bound by confidentiality either under their respective employment contracts or under a separate confidentiality agreement. Frontify employees are bound to adhere to information security policies either under their respective employment contracts or under a separate statement of acceptance.
12. Availability and resilience
Measures to ensure the availability and resilience of data processing equipment, to ensure that high loads or high continuous loads are feasible and that access to the data is restored in a timely manner in the event of a physical or technical incident. Such measures include availability control, timely recovery of availability, and reliability.
12.1 Availability control
Measures to ensure that data is protected against accidental destruction or loss.
Description of the availability control:
- Hosting-Partner: data backup procedures
- Hosting-Partner: uninterrupted power supply
- Hosting-Partner: fire alarm system
- Hosting-Partner: air conditioning
- Hosting-Partner: alarm system
- Hosting-Partner: emergency plans
- Hosting-Partner: no water-carrying pipes above or next to server rooms
12.2 Timely recovery of availability
Measures to ensure that the availability of and access to data is promptly restored in the event of a physical or technical incident.
Description of the timely recovery of availability:
- data backup procedures
- regular tests of the data recovery
- disaster and emergency plans
- off-site backup
- Hosting-Partner: availability zones
12.3 Reliability
Measures to ensure that all functions of the system are available and that any malfunctions are reported.
Description of the reliability:
- automatic monitoring with e-mail notification
- disaster and emergency plans with responsibilities
- regular tests of the data recovery
13. Security incident reporting
If Frontify becomes aware of a security incident that results in the accidental or unlawful destruction, loss, alteration, disclosure, or access of customer personal data, Frontify will promptly notify affected customers in accordance with its contractual obligations and the requirements of applicable data protection laws. In addition, Frontify shall immediately take reasonable measures to contain, investigate and mitigate the security incident.
14. Regular review, assessment, and evaluation
Frontify implemented a procedure for regularly examining, assessing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing. This includes an assessment process and a contract control process.
14.1 Assessment process
Measures to ensure that data is processed securely and in accordance with data protection regulations.
Description of the assessment process:
- data protection management
- formalized processes for data protection incidents
- documentation of customers’ instructions
- formalized order management
- service level agreements
14.2 Contract control process
Measures to ensure that data is processed according to the instructions of the customer.
Description of the contract controls:
- clear contract drafting
- documentation of customers’ instructions
- formalized order management