dotCMS

Security & Compliance

Built Secure. Built for Enterprise.

At dotCMS, we deliver security from inside out by diligently implementing rigorous controls and procedures to protect the confidentiality, availability, and integrity of our infrastructure and customers’ data. We conform to the highest security standards with policies in place to ensure our people, processes and technologies are always in compliance.

SOC 2 Type II Certified

dotCMS is SOC 2 Type II certified, meaning that an external AICPA-certified auditor has audited us and certified that we have instituted and maintained the appropriate controls over time, and that we have effectively mitigated risks related to our customers' security, availability, and confidentiality. You can request a copy of our SOC 2 report, which provides an overview of our security measures, through our Trust Report site.

TXRAMP

The Texas Risk and Authorization Management Program (TX-RAMP) is a certification and accreditation process specific to the state of Texas. It's essentially a security and compliance framework designed to ensure cloud service providers meet specific standards before offering their services to state agencies and local government entities.

ISO 27001:2022

dotCMS is ISO 27001 certified. ISO 27001 is currently the most widely adopted international information security standard used by organizations worldwide. By following ISO 27001, organizations can be confident that their information security management systems (ISMSs) are up to date and comply with current best practices. Certification shows that dotCMS is committed to protecting our clients' critical data and complying with applicable laws and regulations.

CAIQ

The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. Answers to the questionnaire for dotCMS are available here and through our Trust Report site.

A Secure Organization

At dotCMS, security is everybody's responsibility. During employee onboarding, and at least once a year thereafter, every employee completes mandatory privacy, data protection and security training. All employee devices are monitored for ongoing compliance with dotCMS security protocols. Every employee contract includes confidentiality clauses.

System Access and Authorization Controls

All access is granted according to least-privilege principles: employees are granted access only to the data or systems they require in order to complete a given task. Each client's data is protected by a unique, rotating credential set, and client-data credentials are granted only to the employees and systems necessary for support and maintenance tasks.

Secure Development Practices

dotCMS development staff are trained on secure coding practices and the OWASP Top 10 most common vulnerabilities. All code changes undergo both automated analysis and stringent code review to stop security flaws from reaching production.

Security & Privacy Policies

dotCMS has implemented a set of corporate policies to take maximum security measures for our clients and our company. These policies are reviewed periodically (at a minimum once per year) as part of our business continuity plan. dotCMS currently has the following security & privacy policies implemented:

  • Privacy policy

  • Cookie Policy

  • GDPR policy

  • Acceptable Use Policy

  • Asset Management Policy

  • Backup Policy

  • Business Continuity Plan

  • Change Management Policy

  • Code of Conduct

  • Cryptography Policy

  • Data Classification Policy

  • Data Deletion Policy

  • Data Protection Policy

  • Disaster Recovery Plan

  • Incident Response Plan

  • Information Security Policy

  • Password Policy

  • Physical Security Policy

  • Responsible Disclosure Policy

  • Risk Assessment Program

  • Security Questionnaires Policy

  • System Access Control Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

Protecting Your Data

The dotCMS software runs on a secure enterprise stack of operating systems, application servers, and database servers. Multiple server pairs (CMS units) make up the dotCMS Cloud platform. Each customer is granted exclusive access to their own content management environment and database instance. A combination of Web, database, and application security methods and practices insulate customers both from each other and from external attack.

Data Ownership

All content, configuration, and targeting data belongs to the customer and can be entered through the dotCMS interface. This includes click-path and web-visitor information for the Personalization / Content Targeting module, which is stored in a separate database.

Application Data Access

Applications are built using dotCMS' tested and secure application delivery framework, which enforces a security session that is always present, making it possible to restrict access down to the field level on content objects. dotCMS is functionally separated into the authoring tier, the repository and the delivery tier, and also logically separated into a load-balancing layer, a web proxy layer, an application layer, and a database layer. Each virtual machine in each layer has its own host-based firewall rules. Data resides only transiently in the web layer, since it is merely passed through by the proxies, unless disk caching is enabled in the proxy layer.

Data Encryption

All data exchanged between the dotCMS Cloud tiers (Authoring, Repository, Delivery) is encrypted in transit (SSL/TLS) and at rest (AES-256) using robust, industry-recognized algorithms. To keep data encrypted at rest, dotCMS uses Amazon server-side encryption. AWS encryption uses AWS-owned or AWS-managed keys stored in KMS or S3; AWS services can also be configured to use customer-managed encryption keys in KMS or customer-supplied encryption keys. Amazon server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt dotCMS data. For data in transit, the minimum acceptable TLS version in use by the company is TLS v1.2. All dotCMS public web properties, applicable infrastructure components and applications using SSL/TLS, IPsec or SSH to encrypt data in transit over open, public networks must have certificates signed by a known, trusted provider. Encryption keys generated, stored, and managed by dotCMS are generated and stored in a secure manner that prevents loss, theft, or compromise. Key generation is seeded from an industry-standard cryptographically secure random number generator (CSRNG).

Backups

dotCMS makes full backups of all customer data on a daily basis. Since the dotCMS repository stores all information in the database, backing up the database is sufficient. The backups are transported to a second data center at a different location over a dedicated private line. It is very common to restore a Production backup into a Development or Testing environment for testing purposes during a project or new release. The dotCMS infrastructure team that manages the dotCMS Cloud platform tests the backup and restore procedures regularly.

Business Continuity and Disaster Recovery

Aside from backup and security protocols, dotCMS has an extensive business continuity and disaster recovery plan. For details please refer to the Business Continuity Plan which can be provided as a separate document upon request.

Hosting and infrastructure

Since 2009, we have delivered dotCMS Cloud with Amazon Web Services (AWS), a tier-5 global cloud infrastructure provider that meets the highest standards in availability and security. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

The dotCMS Cloud environment is set up based on dotCMS' best practices for performance and security, as follows. Each environment is made up of multiple layers: a load-balancing layer, a web proxy layer, an application layer and a database layer. Each virtual machine in each layer has its own host-based firewall rules. Because a typical environment contains multiple instances (nodes) of both the site application server and the CMS application server, it delivers high performance and availability. Environments in our context are physically separate servers.

Network Security

dotCMS insulates the cloud platform from inappropriate or malicious Internet traffic by utilizing multiple network defenses, from firewalls and network intrusion detection to 24/7/365 network surveillance and an incident response program.

Customers may connect to the CMS in any fashion over the internet as CMS security is independent of customer network connectivity. dotCMS Cloud is protected from network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules control the flow of traffic to and from the dotCMS Cloud platform, permitting only packets that are explicitly required to deliver the dotCMS Cloud service. Only secure sessions that pass inspection by the perimeter firewall can reach the dotCMS Cloud platform.

Get Inspired

Discover how DevOps teams have leveraged dotCMS

Reducing IT Dependencies with dotCMS Cloud

Learn how Northwest College stays up-to-date on the latest dotCMS upgrades and security fixes without overtaxing IT resources.

Being on the Cloud has been a lifesaver for me. I try to upgrade our dotCMS instance at least once a year and the support I get from dotCMS to do that is critical. I couldn’t do it on my own.