Frontify Security Controls
Infrastructure & Data Center
Frontify is hosted with one of the biggest data center providers, Amazon Web Services (AWS). Access to these data centers is strictly controlled and monitored by 24/7 on-site security staff, biometric scanning, and video surveillance. AWS maintains multiple certifications for its data centers, including ISO 27001, PCI DSS, Cloud Security Alliance Controls, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.
Frontify runs in a VPC-protected environment with a logically separated database and dedicated file storage for each individual enterprise client. All services that make up the Frontify system are highly available. We use a combination of clustering, load balancing, and replication to ensure that there are no single points of failure in the system. Each of our regions makes use of two or more availability zones, with redundancy across them. Frontify uses a WAF, firewall, and malware-protected environment that meets the highest security standards.
All of Frontify's production servers run with the latest security patches from their operating system vendors. Security patches are applied at regular intervals; critical patches are applied as soon as they are available.
Penetration Tests & Vulnerability Scanning
In addition to the weekly vulnerability scan, Frontify has hired an external company that performs a pentest on a regular basis. Vulnerabilities that meet defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact on the Service. Should a medium- or high-risk vulnerability be found, it is resolved as quickly as possible. Low-risk findings are treated and discussed individually.
Encryption In Transit
Frontify leverages Transport Layer Security (TLS) 1.2 (or better) for Customer Data in transit over untrusted networks. Frontify supports full encryption in transit; no unencrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC or use transport-level encryption when communicating with the rest of the internet.
Encryption At Rest
Frontify encrypts Customer Data at rest using AES 256-bit (or better) encryption.
Our platform uses a centralized logging system that facilitates 24/7 monitoring, reporting, and traceability. You can check our statistics for the past month at https://status.frontify.com.
For access purposes, we use dedicated roles and access rights for database administrators, general administrators, and support staff, and we follow the principle of least privilege. All our employees are technically required to use two-factor authentication wherever possible, and our password policy applies to all internal and external tools.
Backup & Disaster Recovery
As a SaaS provider, we run a nightly backup of files, databases, configuration, and servers. A disaster recovery plan is in place and tested yearly.
Incident Handling & Reporting
Frontify has an application incident management and reporting process in place that enables unified security monitoring and protection for our cloud environment. If Frontify becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Frontify shall notify the Customer without undue delay and, in any case where feasible, within 72 hours after becoming aware of the breach.
Frontify maintains separate testing, development, and production environments to ensure that the highest code quality is met. This includes code reviews and pair programming conducted by experienced developers with a strong focus on security and stability. In addition, automated tests and code builds are in place. By using a hosted code platform, we achieve a high level of traceability and automatically monitor our third-party dependencies for security vulnerabilities.
Frontify enterprise customers have the option of having their data hosted in one of the following regions: North Virginia (US) or Frankfurt (Germany). Further regions may be available on request; ask your sales representative if you need to be hosted in a specific region for data sovereignty or legal purposes. Frontify uses a worldwide CDN for caching, so that application speed is the same everywhere in the world.
Frontify performs internal audits of important business processes on a regular basis. Third-party audit reports are made available to Customers upon request.
Frontify currently strives to obtain ISO 27001 certification. In terms of security and access controls, we already adhere to the ISO standards. Please refer to the corresponding policies for details.
Cloud Security Alliance
Frontify is a proud member of the Cloud Security Alliance. To make it easier for our customers to assess the security and privacy of Frontify, a self-assessment with about 300 answered questions on a wide variety of topics, such as Application Security, Business Continuity Management, Data Security, and Human Resources (and many more), is now publicly available in the CSA STAR Registry.