Frontify Security Controls
Frontify is ISO/IEC 27001:2013 Certified
Earning and maintaining our customers' trust is – and always was – a huge deal at Frontify. Since day one, IT and information security have been included in every aspect of our system development, internal operations, and the handling of (customer) data.
A well-known standard is the ISO/IEC 27001:2013 standard established by the International Organization for Standardization (ISO). The framework gives companies guiding principles on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
As of the 15th of June 2021, Frontify is officially ISO/IEC 27001:2013 certified. The scope of the Frontify Information Management Security System (FISMS) covers all essential assets, processes, and services that are connected with the Frontify application and the company’s business operations, irrespective of where the process or service is carried out. In line with the ISO/IEC 27001:2013 certification, Frontify performs internal as well as external audits on a yearly basis.
Infrastructure & Data Center
Frontify is hosted with one of the biggest data center providers, Amazon Web Services (AWS). Access to these data centers is strictly controlled and monitored by 24/7 on-site security staff, biometric scanning, and video surveillance. AWS maintains multiple certifications for its data centers, including ISO 27001, PCI DSS, Cloud Security Alliance Controls, and SOC reports. Please visit the AWS Security website and the AWS Compliance website for more information about their certification and compliance. Frontify runs in a VPC-protected environment with a logically separated database and dedicated file storage for each enterprise client. All services that make up the Frontify system are highly available. We use a combination of clustering, load balancing, and replication to ensure there is no single point of failure. Each of our regions makes use of two or more availability zones, with redundancy across them. Frontify uses a WAF, firewall, and malware-protected environment that meets the highest security standards.
All of Frontify’s production servers run with the latest security patches from their operating system vendors. Security patches are applied at regular intervals. Critical patches are applied as soon as they are available.
Penetration Tests & Vulnerability Scanning
In addition to the weekly vulnerability scan, Frontify has hired an external company that performs a pentest on a regular basis. Vulnerabilities that meet defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact on the Service. Should a medium- or high-risk vulnerability be found, it will be resolved as quickly as possible. Low risks are treated and discussed individually.
Encryption In Transit
Frontify leverages Transport Layer Security (TLS) 1.2 (or better) for Customer Data in transit over untrusted networks. Frontify supports full encryption in transit. No unencrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC, or they use transport-level encryption when communicating with the rest of the internet.
Encryption At Rest
Frontify encrypts Customer Data at rest using AES 256-bit (or better) encryption.
Our platform uses a centralized logging system which facilitates 24/7 monitoring, reporting, and traceability. You can check our past month's stats at https://status.frontify.com.
For access purposes, we use dedicated roles and access rights for database administrators, general administrators, and support staff. In addition, we follow the principle of least privilege. All our employees are technically required to use two-factor authentication wherever possible, and to follow our password policy for all internal and external tools.
Backup & Disaster Recovery
As a SaaS provider, we run a nightly backup of files, databases, configuration, and servers. A disaster recovery plan is in place and tested yearly.
Incident Handling & Reporting
Frontify has an application incident management and reporting process, enabling unified security monitoring and protection for our cloud environment. If Frontify becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Frontify shall notify the Customer without undue delay, and in any case, where feasible, notify Customers within 72 hours after becoming aware.
Frontify maintains separate testing, development, and production environments to ensure that the highest code quality is met. This includes code reviews and pair programming conducted by experienced developers with a strong focus on security and stability. In addition, automated tests and code builds are in place. By using a hosted code platform, we are able to reach a high level of traceability and automatically monitor our third-party dependencies for security vulnerabilities.
Frontify enterprise customers have the option of having their data hosted in one of the following regions: North Virginia (US) or Frankfurt (Germany). Further regions may be available on request; ask your sales representative if you need to be hosted in a specific region for data sovereignty or legal purposes. Frontify uses a worldwide CDN for caching purposes, which means application speed is the same everywhere in the world.
If you've found a security issue that you believe we should know about, please don’t hesitate to contact our security team at firstname.lastname@example.org.
Frontify currently doesn’t have a bug bounty program but is glad about every hint – who knows, we might be able to supply you with some delicious Swiss chocolate instead.
If you’d like to get more details into our Security Controls let our Security Team know at email@example.com.
We’re happy to supply you with our custom security questionnaire.