At Nuxeo, we’re committed to helping companies protect not just their own confidential information, but also the data and content they manage on behalf of their customers.
Our platform is built around the strictest security standards and procedures and provides a strategic security foundation to develop, test, and deploy highly-secure and content-critical applications.
Nuxeo Cloud is delivered primarily via the Amazon Web Services platform, which provides a highly reliable environment trusted by many top global brands and businesses. The underlying infrastructure commits to 99.9% service availability, so your solution is not only secured but also accessible when you need it.
With multiple and geographically dispersed data centers, we ensure the highest levels of availability, business continuity, and disaster recovery for our customers.
In addition to incorporating robust security measures into our own platform, Nuxeo is also active in industry-wide security initiatives and participates in open-source projects to improve AWS security such as:
The foundation of the Nuxeo approach to information security is based on four key security elements.
Authentication: Reliably identify the user and ensure that identity is propagated throughout the platform for every request. Nuxeo supports a wide array of authentication protocols and providers, including login/password, OAuth, SAML2, OpenID, LDAP/AD, Shibboleth, and two-factor authentication (2FA).
Access: Ensure each authorized user can access all permissible data and content, and perform all permissible actions (but nothing else) via ACLs and custom security policies.
Protection: Ensure all content is secure, whether at rest or in transit. This includes ensuring that content within the Nuxeo Platform has not been tampered with in any manner. Nuxeo Platform traffic can be encrypted with TLS (SSL), and the configuration can be tuned for performance. Nuxeo also supports AES encryption of content at rest (in storage), including keeping the keys in a hardware security module (HSM) accessible from the Java virtual machine (JVM) so that they never leave the device in cleartext. It is also possible to encrypt the backend database and search indexes at the system level.
Audit: In addition to taking a proactive stance against security breaches, our platform maintains an audit trail that provides a detailed history of user and system activity.
We regularly perform rigorous security testing, including bi-yearly penetration testing, automated scanning, and third-party audits. Our incident response procedures and protocols are designed so that we can react promptly in case of a security issue.
As part of our “open kitchen” approach, transparency is at the heart of everything we do. We partner with Shared Assessments to make our Standardized Information Gathering (SIG) Questionnaire publicly available.
Security comes first, and we never compromise when it comes to protecting our customers’ information. Below are the information security standards and regulations we adhere to or help our customers meet.
HITRUST: HITRUST, in collaboration with healthcare, business, financial, technology, and information security leaders, established the HITRUST CSF as a risk management and compliance framework that can be used by any organization that creates, accesses, stores, or exchanges personal health and financial information. The Nuxeo Platform is HITRUST Certified with a HITRUST CSF Assurance Validated Assessment Report.
PCI: PCI DSS defines security requirements for accepting, storing, processing, and transmitting payment card information, including cardholder data. It requires merchants and service providers that store, process, or transmit customer payment card data to adopt information security controls and processes that protect the confidentiality and integrity of that data.
SOC 2: SOC 2 is a report based on the AICPA’s Trust Services Criteria. It is intended to meet the needs of a broad range of users who need detailed information and assurance about a service organization’s controls relevant to the security, availability, and processing integrity of the systems it uses to process users’ data, and to the confidentiality and privacy of the information those systems process.
SEC Rule 17a-4: SEC Rule 17a-4 is a regulation issued by the U.S. Securities and Exchange Commission, an independent agency of the United States federal government. It sets requirements, mainly for retention, legal hold, and accessibility of records, for organizations that trade or broker financial securities such as stocks, bonds, and futures.
GDPR: Whether you are a European company or an organization outside the EU that collects or processes the personal data of EU residents, Nuxeo can help you comply with the GDPR. Nuxeo delivers the platform and capabilities your organization needs to meet the GDPR’s personal data requirements in a timely manner.