Security Compliance
Liferay understands how critical it is for our prospects and customers to find secure and compliant digital solutions for their business needs. We are committed to being not just a vendor, but a trusted partner for our customers.
Our focus is to ensure that the valuable information you entrust to us is secure and treated in accordance with the applicable data protection laws. As part of the FOSS community, we apply best practices when it comes to IP and FOSS licensing. We also believe in conducting business with integrity, ultimately fostering strong relationships with our customers and our community.
This Trust Center provides a comprehensive collection of resources designed to aid every customer’s due diligence process and demonstrate our commitment to security and compliance.
Security Compliance
Since 2019, Liferay has undergone independent verification of its security, privacy, and compliance controls to help customers meet their regulatory and policy objectives, and holds the following certification:
Spain's Esquema Nacional de Seguridad (ENS)
Information Security Management System
Corrective Actions
Improvements to the ISMS are realized via corrective actions which remediate identified nonconformities. A nonconformity is any failure to meet a requirement specified in the Organization’s ISMS policies or procedures.
The Corrective Action Policy describes activities related to initiation, implementation and record keeping of corrective actions, as well as how to manage necessary changes within ISMS requirements to minimize the risk exposure of information assets.
Internal Audits
Liferay’s Internal Audit Policies describe all internal audit related activities, including writing the audit program, selecting an auditor, conducting individual audits and reporting. The policy also defines the processes for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures that secure data processing at Liferay.
Risk Management
The Risk Management Policy defines the methodology for the assessment and treatment of Information Risks within Liferay and defines the acceptable level of Risk.
Data Retention
The Data Retention Policy defines retention guidelines for Customer Data while a client account is active and deletion processes after account termination for Liferay services. The Policy applies to the handling of Customer Data stored by a managed Liferay Cloud Service. Customer Data includes any non-public information.
Document and Record Control
The Document and Record Control Policy ensures controls over creation, approval, distribution, usage and updates of policy and records used within the Information Security Management System (ISMS).
Information Classification
The Information Classification Policy ensures that information within the context of the Liferay ISMS is labeled, classified and protected at an appropriate level.
Access Control
Liferay’s Access Control Policy defines the rules for access to various systems, equipment, facilities and information based on business and security requirements for access. The concept of access control touches all three of the fundamental components of information security. It is a key component in preserving Confidentiality and Integrity by limiting access to information, and by assuring that access is granted only to those personnel with a valid business reason for using the information. Access control also directly affects Availability, by restricting access to those personnel with a legitimate “need to know” and by limiting user privileges to manipulate or process the information.
Physical and Environmental Security
The Physical and Environmental Security Policy ensures that Liferay Information Resources are protected by physical security measures that prevent physical tampering, damage, theft, or unauthorized physical access of Liferay assets.
Hiring, Transfer and Termination
The Hiring, Transfer and Termination Policy defines general processes to be followed when hiring, promoting or terminating an employee with respect to the handling of HR, system access, and project responsibilities.
Training and Awareness
Liferay’s Training and Awareness Policy requires that Liferay employees and contractors are appropriately trained on security best practices.
Encryption
Liferay’s Encryption Policy defines rules for the use of encryption and cryptographic keys, in order to protect the confidentiality, integrity, availability and non-repudiation of information.
Encryption is a process that takes regular, readable text (“plaintext”) and converts it into unreadable text (“ciphertext”) by running it through an algorithm (“cipher”) that makes use of a secret value known as the cryptographic key. Only a holder of the corresponding key can reverse the process and recover the plaintext.
IT Security
The IT Security Policy defines clear rules for the use of Devices, Software Applications, Cloud-Based Services and Networks.
Secure Development
The Secure Development Policy defines basic rules for secure acquisition, development and maintenance of Liferay software and systems.
Supplier Security
The Supplier Security Policy defines the rules for relationships with suppliers and partners who are considered external interested parties in Liferay’s Information Security Management System.
Backup Requirements
Liferay’s Backup Policy defines guidelines to ensure that backups of Liferay data are available and accurate in the event that Liferay systems must be restored.
Vulnerability and Patch Management
Liferay’s Vulnerability and Patch Management Policy defines requirements for the management of information security vulnerabilities and the notification, testing, and installation of security-related patches for Liferay systems.
Incident Response
Liferay's Incident Response Policy ensures that a consistent approach is applied to the management and communication of Security Incidents that may affect Liferay.
The Policy lays out the general principles for successfully managing the response to a Security Incident.
Disaster Recovery
The Disaster Recovery Policy defines how Liferay will recover IT infrastructure, services and data in the event of a disaster or other disruptive incident.