Liferay Trust Center /

Security Controls

Liferay understands how critical it is for our prospects and customers to find secure and compliant digital solutions for their business needs. We are committed to being not just a vendor, but a trusted partner for our customers.

Our focus is to ensure that the valuable information you entrust to us is secure and treated in accordance with the applicable data protection laws. As part of the FOSS community, we apply best practices when it comes to IP and FOSS licensing. We also believe in conducting business with integrity, ultimately fostering strong relationships with our customers and our community.

This Trust Center provides a comprehensive collection of resources designed to aid every customer’s due diligence process and demonstrate our commitment to security and compliance.

Security Controls

Security Controls

Infrastructure security

Intrusion detection system utilized

The company employs an intrusion detection system, which enables constant monitoring and the early identification of potential security breaches.

Production database access restricted

The company ensures that only those who require access to the database can view it.  This reduces the risks of unauthorized access and data breaches.

Remote access MFA enforced

Production systems will only grants access to authorized users through a multi-factor authentication (MFA) method.

Production network access restricted

Access to the production network is secured and will only be granted to authorized users with a legitimate business need.

Remote access security enforced

The remote access to production systems is granted only to authenticated users with proper authorization level through an encrypted connection.

Production data segmented

Non-production systems and environment are prohibited from storing any data that is considered confidential or sensitive and is segmented from other systems.

Firewall activated

Production environment is protected with firewall that denies all traffic by default and only allows valid connections like HTTPS.

DDoS and malicious traffic blocked

Customers are protected by Google’s DDoS technology enhanced with WAF and AI to protect against known and unknown malicious traffic.

Penetration and network vulnerability scanning performed

The company conducts annual penetration testing and vulnerability scanning and follows a remediation plan to address any findings.

Organizational security

Anti-malware technology utilized

The company installs anti-malware technology on all relevant systems and configures it to be updated routinely and logged. This helps protect environments that are commonly susceptible to malicious attacks.

Confidentiality Agreement acknowledgment

All workers, employees or contractors, are required to sign a confidentiality agreement with the company.

Asset disposal procedures utilized

The company destroys or purges electronic media that contains confidential information in accordance with best practices.

Employees trained

All employees go through security training annually.

Background checks executed

All employees go through a background upon hire

Access granted by job role

Access is only granted based their role in the company and not to everyone

Authentication and MFA enforced

We enforce additional authentication rules to prevent unwanted access

Product security

Development, test and release environment secure

The company has established separated and secure development environments

Code development follows OWASP rules

All developers have gone through OWASP training.

Secure Development practices enforced

Our internal SDLC includes planning, design, implementation, testing, release

Penetration testing performed

We conduct penetration testing on an annual basis and develop remediation plan(s) to address vulnerabilities. Changes are then implemented to remediate these vulnerabilities in accordance with service level agreements (SLAs).

SAST, DAST and SCA tests performed

We take several steps to ensure the security of our application, including scanning the code for vulnerabilities before deployment, testing the application for vulnerabilities while it was running, and checking for security risks in any third-party software we used. These tests helped us identify and address potential security issues before they could be exploited.

Internal security procedures

Continuity and disaster recovery plans tested

The company conducts an annual test of its documented business continuity/disaster recovery (BC/DR) plan.

Access requests required

The company ensures that user access to in-scope system components is granted based on job role and function, or by submitting a documented access request form that requires manager approval prior to access being provisioned.

Backup processes established

The company’s policy for data backup outlines the requirements for backing up and recovering customer data.

Incident response policies established

The company has documented and communicated security and privacy incident response policies and procedures to relevant employees.

Change management procedures enforced

The company mandates that changes to software and infrastructure components of the services must be authorized, formally documented, tested, reviewed, and approved before they can be implemented in the production environment or released as a product for customers.

Configuration management system established

To ensure that system configurations are deployed consistently throughout the environment, the company has implemented a configuration management procedures.

Service documentation available

The company offers a detailed description of its products and services to customers and community through learning and documentation sites.

Support system available

Liferay provides a system for customers to create support tickets and communicate with Liferay.

Third-party agreements established

The company has agreements with vendors and partners, ensuring confidentiality and privacy of sensitive information.

Incident management procedures followed

The company diligently adheres to its security response policy, ensuring all incidents are logged, tracked, resolved, and communicated to impacted individuals.

Cybersecurity insurance maintained

To safeguard against financial losses from disrupted operations, the company holds cybersecurity insurance.

Continuity and Disaster Recovery plans established

Even when key personnel are unavailable, the company's pre-defined communication plans in its Business Continuity and Disaster Recovery Plans ensure seamless information security operations.

1400 Montefino Avenue
Diamond Bar, CA 91765
USA
+1-877-LIFERAY
Built on Liferay Digital Experience Platform