Liferay Trust Center
Security Controls
Liferay understands how critical it is for our prospects and customers to find secure and compliant digital solutions for their business needs. We are committed to being not just a vendor, but a trusted partner for our customers.
Our focus is to ensure that the valuable information you entrust to us is secure and treated in accordance with the applicable data protection laws. As part of the FOSS community, we apply best practices when it comes to IP and FOSS licensing. We also believe in conducting business with integrity, ultimately fostering strong relationships with our customers and our community.
This Trust Center provides a comprehensive collection of resources designed to aid every customer’s due diligence process and demonstrate our commitment to security and compliance.
Security Controls
Infrastructure security
Intrusion detection system utilized
The company employs an intrusion detection system, which enables continuous monitoring and early identification of potential security breaches.
Production database access restricted
Access to the production database is restricted to those who require it for their work. This reduces the risk of unauthorized access and data breaches.
Remote access MFA enforced
Production systems grant access only to authorized users who authenticate with a multi-factor authentication (MFA) method.
Production network access restricted
Access to the production network is secured and is granted only to authorized users with a legitimate business need.
Remote access security enforced
Remote access to production systems is granted only to authenticated users with the appropriate authorization level, and only over an encrypted connection.
Production data segmented
Non-production systems and environments are segmented from production systems and are prohibited from storing any data that is considered confidential or sensitive.
Firewall activated
The production environment is protected by a firewall that denies all traffic by default and permits only explicitly allowed connections, such as HTTPS.
DDoS and malicious traffic blocked
Customers are protected by Google's DDoS protection, combined with a web application firewall (WAF) and AI-based detection, against both known and unknown malicious traffic.
Penetration and network vulnerability scanning performed
The company conducts annual penetration testing and vulnerability scanning, and follows a remediation plan to address any findings.
Organizational security
Anti-malware technology utilized
The company installs anti-malware technology on all relevant systems and configures it to update routinely and to log its activity. This helps protect environments that are commonly targeted by malware.
Confidentiality Agreement acknowledgment
All workers, whether employees or contractors, are required to sign a confidentiality agreement with the company.
Asset disposal procedures utilized
The company destroys or purges electronic media that contains confidential information in accordance with best practices.
Employees trained
All employees go through security training annually.
Background checks executed
All employees undergo a background check upon hire.
Access granted by job role
Access is granted based on each worker's role in the company, not to everyone.
Authentication and MFA enforced
We enforce additional authentication rules, including MFA, to prevent unauthorized access.
Product security
Development, test and release environment secure
The company maintains separate, secured development, test and release environments.
Code development follows OWASP rules
All developers have completed OWASP training.
Secure Development practices enforced
Our internal secure development lifecycle (SDLC) covers planning, design, implementation, testing and release.
Penetration testing performed
We conduct penetration testing on an annual basis and develop remediation plan(s) to address vulnerabilities. Changes are then implemented to remediate these vulnerabilities in accordance with service level agreements (SLAs).
SAST, DAST and SCA tests performed
We take several steps to ensure the security of our application: static analysis of the source code for vulnerabilities before deployment (SAST), dynamic testing of the running application (DAST), and software composition analysis of the third-party components we use (SCA). These tests help us identify and address potential security issues before they can be exploited.
Internal security procedures
Continuity and disaster recovery plans tested
The company conducts an annual test of its documented business continuity/disaster recovery (BC/DR) plan.
Access requests required
The company ensures that user access to in-scope system components is granted based on job role and function, or by submitting a documented access request form that requires manager approval prior to access being provisioned.
Backup processes established
The company’s policy for data backup outlines the requirements for backing up and recovering customer data.
Incident response policies established
The company has documented and communicated security and privacy incident response policies and procedures to relevant employees.
Change management procedures enforced
The company mandates that changes to software and infrastructure components of the services must be authorized, formally documented, tested, reviewed, and approved before they can be implemented in the production environment or released as a product for customers.
Configuration management system established
To ensure that system configurations are deployed consistently throughout the environment, the company has implemented configuration management procedures.
Service documentation available
The company offers a detailed description of its products and services to customers and community through learning and documentation sites.
Support system available
Liferay provides a system for customers to create support tickets and communicate with Liferay.
Third-party agreements established
The company has agreements with vendors and partners, ensuring confidentiality and privacy of sensitive information.
Incident management procedures followed
The company diligently adheres to its security response policy, ensuring all incidents are logged, tracked, resolved, and communicated to impacted individuals.
Cybersecurity insurance maintained
To safeguard against financial losses from disrupted operations, the company holds cybersecurity insurance.
Continuity and Disaster Recovery plans established
The company's Business Continuity and Disaster Recovery Plans include pre-defined communication plans, so that information security operations continue even when key personnel are unavailable.