Secure Content Management System

Availability and Continuity

Nuxeo Cloud is delivered primarily via the Amazon Web Services platform, which provides an extremely reliable environment that is trusted by many top global brands and businesses. The underlying infrastructure commits to 99.9% service availability - meaning that not only is your solution secure, but it will be accessible when you need it.

With multiple and geographically dispersed data centers, we ensure the highest levels of availability, business continuity, and disaster recovery for our customers.

In addition to incorporating robust security measures into our own platform, Nuxeo is also active in industry-wide security initiatives and participates in open-source projects to improve AWS security such as:

Okta AWS CLI

IvoryShield

AWS SMTP Replay

Security - A Core Element of Nuxeo’s DNA

The foundation of the Nuxeo approach to information security is based on four key security elements.

• Authentication: Reliably identify the user and ensure her/his identity is propagated at all times. Nuxeo supports a wide array of authentication protocols and providers including login/password, oAuth,
  SAML2, OpenID, LDAP/AD, Shibboleth, and advanced two-factor authentication (2FA).

• Access: Ensure each authorized user can access all permissible data and content, and perform all permissible actions (but nothing else) via ACLs and custom security policies.

• Protection: Ensure all content is secure - whether at rest or in transit. This includes ensuring content within the Nuxeo Platform has not been falsely altered in any manner. Nuxeo Platform traffic is encryptable with SSL and is fully-configurable for optimum performance. Nuxeo also supports AES encryption of content at rest (in storage), including safe storage of keys within a hardware security module (HSM) connected to Java virtual machine (JVM). It is also possible to encrypt the backend database and search indexes at a system level.

• Audit: In addition to taking a proactive stance against security breaches, our platform ensures an audit trail exists that provides a detailed history of all historical users and system activity.

We regularly perform rigorous security testing including bi-yearly penetration testing, automated scanning, and third-party audits. We design our incident response procedures and protocols to be able to react promptly in case of a security issue.

Compliance

Security comes first - and we never compromise when it comes to protecting our customers’ information. Below are the information security standards we adhere to.

• PCI: PCI DSS provides security and privacy protocols for accepting, storing, processing, and transmitting payment card information, including cardholder data. It requires merchants and service providers that store, process, or transmit customer payment card data to adopt information security controls and processes to ensure data integrity.

• SOC2: SOC 2 is a report based on AICPA’s existing Trust Services principles and criteria. This report is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

• SEC Rule 17a-4: SEC Rule 17a-4 is a regulation issued by the U.S. Securities and Exchange Commission which is an independent agency of the United States federal government. This regulation contains requirements mainly for retention, legal hold, and accessibility of the records for organizations dealing in the trade or brokering of financial securities such as stocks, bonds, and futures.

• GDPR: Whether you’re a European company or an organization outside of the EU that collects or processes the personal data of EU residents, Nuxeo can help you comply with GDPR. Nuxeo delivers the platform and capabilities your organization needs to ensure compliance with GDPR’s personal data rules and regulations in a timely manner.