Frontify security controls

Frontify’s security mission is aligned with the company vision: to create a home where all brands are safe. That’s why, since day one, IT and information security have been included in every aspect of our system development, internal operations, and data handling. Only by involving all employees, finding the right experts in their fields, and ensuring full transparency for our stakeholders are we able to achieve the highest levels of security.


We are certified against the best industry security standards

ISO/IEC 27001:2013

ISO 27001 was established by the International Organization for Standardization (ISO). The well-known standard gives companies guiding principles for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Frontify has been officially ISO 27001 certified since 2021. The scope of the Frontify ISMS (FISMS) covers all essential assets, processes, and services connected with the Frontify application and the company’s business operations, irrespective of where the process or service is carried out. In line with the ISO 27001 certification, we perform annual internal and external audits.

TISAX

Frontify’s efforts to address additional, industry-specific data protection and information security requirements resulted in our latest certification (2022) for the TISAX standard: The Trusted Information Security Assessment Exchange is a standard for information security specifically relevant to the automotive industry, and it’s operated and managed by the ENX Association (an association of European vehicle manufacturers, suppliers, and organizations). Highly qualified auditors from an audit service provider approved by TISAX perform the audit and conduct the tests based on a specific testing catalog, which follows key aspects of the international standard ISO 27001.

DCSO cloud vendor assessment

The Deutsche Cyber-Sicherheitsorganisation GmbH (DCSO) is a competence center for cybersecurity in Germany. The DCSO Cloud Vendor Assessment Service assesses the security level of cloud service providers.

Frontify was evaluated based on the DCSO Cloud Vendor Assessment framework and reached risk-free maturity levels in all subject areas. Members of the DCSO community can obtain more insights into Frontify’s results directly from the DCSO.

Network and application security measures

Hosting

Frontify is hosted with one of the biggest data center providers, Amazon Web Services (AWS). Frontify is hosted in a multi-tenant environment. All data for enterprise customers is protected in a virtual private cloud (VPC) with a logically separated database and dedicated file storage. All services that make up the Frontify system are highly available: We use a combination of clustering, load balancing, and replication to ensure no single point of failure. Each of our hosting regions uses two or more availability zones, with redundancy across them to guarantee the ongoing operation of our critical components in the unlikely case of a system failure.

Encryption

Encryption in Transit

Frontify leverages Transport Layer Security (TLS) 1.2 (or better) for customer data in transit over any network. Frontify supports full encryption in transit: No non-encrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC or use transport-level encryption when communicating with the rest of the internet.

Encryption at Rest

Frontify encrypts customer data at rest using the Advanced Encryption Standard (AES) 256-bit (or better).

Data center security

Access to data centers is strictly controlled and monitored by 24/7 on-site security staff, biometric scanning, and video surveillance. AWS maintains multiple certifications for its data centers, including ISO 27001, PCI DSS, Cloud Security Alliance Controls, and SOC reports. Please visit the AWS Security website and the AWS Compliance website for more information about their certification and compliance.

Data sovereignty

Frontify enterprise customers have the option of having their data hosted in one of the following regions: North Virginia (US) or Frankfurt (Germany). Frontify uses a worldwide CDN for caching purposes, which means application speed is the same everywhere in the world.

Backup and disaster recovery

We run a nightly backup of files, databases, configuration, and servers. We have implemented a detailed business continuity plan covering several scenarios, responsibilities, and action steps, including a disaster recovery process that is tested at least yearly.

A secure platform for all Frontify users

Secure Authentication

Access to Frontify is organized in three ways:

  • Single sign-on (SAML 2.0, OpenID Connect)
  • Access request
  • Invitation

All access methods require a dedicated email address and password to properly authenticate the user logging in. Multi-factor authentication can also be enabled for an extra layer of security when accessing the platform.

User roles and permissions

The granular authorization rules within the Frontify platform allow customers to easily add and manage users, assign them the appropriate privileges, and limit access to selected features. Frontify supports the following main roles: Viewer, Editor, Owner, and Account Admin. For more information, please refer to our help guide.

Frontify has implemented an official bug bounty program at BugCrowd. If you've found a security issue that you believe we should know about, please don’t hesitate to contact our security team at security@frontify.com to be included in the program.

A proactive vulnerability management approach

Development practices

Frontify maintains separate testing, development, and production environments to maintain high code quality. This process includes code reviews and pair programming conducted by experienced developers with a strong focus on security and stability. In addition, we run automated tests and automated code builds. We use a hosted code platform to reach a high level of traceability and to automatically monitor our third-party dependencies for security vulnerabilities.

Patching Policy

Because of our agile software development, we perform multiple updates and patches on the application every day. These processes do not cause any downtime for the customer. Additionally, we continuously monitor our infrastructure for security updates and promptly test and install all new releases as soon as they become available.

Monitoring

Frontify operates a centralized logging system that facilitates 24/7 monitoring, reporting, and traceability. You can check our availability statistics for the past month at https://status.frontify.com.

Pentest and scanning

We conduct vulnerability scans of our entire infrastructure weekly, and our internal teams and an external third party perform regular penetration tests. We classify vulnerabilities internally and treat them accordingly. In line with our proactive approach toward vulnerability monitoring and reporting methodology, we have implemented an official bug bounty program at BugCrowd.

Incident handling and reporting

Frontify has an incident management and reporting process that unifies security monitoring and covers all our internal operations and the services provided to our customers. If a security breach leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, customer data, we’ll notify customers immediately.

Need more? Our offering helps you strengthen your security measures even further. Don't hesitate to reach out to your Frontify Sales Representative to discuss additional options.

A wide set of organisational security practices

The information security team

Frontify’s dedicated Information Security Team works closely with all departments in our company. This collaboration – together with continuous investments in improving and expanding security controls and technical and organizational measures – ensures the highest protection for our customer data.

Access management

Frontify adheres to the principle of least privilege for provisioning access. We use dedicated roles and access rights for different functions, such as database administrators, general administrators, and support staff. All our employees are technically required to use two-factor authentication and to adhere to our password policy for all internal and external tools.

Risk management

Frontify has implemented a risk assessment strategy and methodology that is ISO 27001 certified, and we regularly assess risks, threats, and vulnerabilities based on our asset inventory. We perform periodic overall risk assessments and categorize risks according to their likelihood and impact. For each risk, we create a remediation action plan or an acceptance statement in line with the criticality level.

If you’d like more details on our security controls, let our Security Team know. We’re happy to supply you with our custom security questionnaire.

Copyright 2022 Frontify AG. 'Frontify' is a registered trademark of Frontify AG. All rights reserved.