Security & Compliance
Built Secure. Built for Enterprise.
At dotCMS, we deliver security from inside out by diligently implementing rigorous controls and procedures to protect the confidentiality, availability, and integrity of our infrastructure and customers’ data. We conform to the highest security standards with policies in place to ensure our people, processes and technologies are always in compliance.
SOC 2 Type II Certified
dotCMS is SOC 2 Type II certified, meaning that an external AICPA-certified auditor has audited us and certified that we have instituted and maintained the appropriate controls over time and that we have effectively mitigated risks related to our customers' security, availability, and confidentiality. You can request a copy of our SOC 2 report, which provides an overview of our security measures, through our Trust Report site.
TX-RAMP
The Texas Risk and Authorization Management Program (TX-RAMP) is a certification and accreditation process specific to the state of Texas. It's essentially a security and compliance framework designed to ensure cloud service providers meet specific standards before offering their services to state agencies and local government entities.
ISO 27001:2022
dotCMS is ISO 27001 certified. ISO 27001 is currently the most widely adopted international information security standard used by organizations worldwide. By following ISO 27001, organizations can be confident that their ISMSes are up to date and comply with current best practices. Certification shows that dotCMS is committed to protecting our clients' critical data and complying with applicable laws and regulations.
CAIQ
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. Answers to the questionnaire for dotCMS are available here and through our Trust Report site.
A Secure Organization
At dotCMS, security is everybody’s responsibility. During employee onboarding and at least once a year thereafter, every employee completes mandatory privacy, data protection and security training. All employee devices are monitored for ongoing compliance with dotCMS security protocols. Every employee contract includes confidentiality clauses.
System Access and Authorization Controls
All access is granted via least-privilege principles, with employees only being granted access to the data or systems that they require in order to complete a given task. Each client's data utilizes a unique rotating credential set, with client-data credentials only granted to employees and systems necessary for support and maintenance tasks.
Secure Development Practices
dotCMS development staff are trained on secure coding practices and the OWASP Top 10 most common vulnerabilities. All code changes undergo both automated analysis and stringent code review to stop security flaws from reaching production.
Security & Privacy Policies
dotCMS has implemented a set of corporate policies to take maximum security measures for our clients and our company. These policies are reviewed periodically (at a minimum once per year) as part of our business continuity plan. dotCMS currently has the following security & privacy policies implemented:
Privacy policy
Cookie Policy
GDPR policy
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Change Management Policy
Code of Conduct
Cryptography Policy
Data Classification Policy
Data Deletion Policy
Data Protection Policy
Disaster Recovery Plan
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Program
Security Questionnaires Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Protecting Your Data
The dotCMS software runs on a secure enterprise stack of operating systems, application servers, and database servers. Multiple server pairs (CMS units) make up the dotCMS Cloud platform. Each customer is granted exclusive access to their own content management environment and database instance. A combination of Web, database, and application security methods and practices insulate customers both from each other and from external attack.
Data Ownership
All content, configuration, and targeting data belongs to the customer and can be entered through the dotCMS interface. This includes click-path and web-visitor information for the Personalization / Content Targeting module, which is stored in a separate database.
Application Data Access
Applications are built using dotCMS’ tested and secure application delivery framework, which always enforces a security session, making it possible to restrict access down to the field level on content objects. dotCMS is functionally separated into the authoring tier, the repository and the delivery tier, and also logically separated into a load balance layer, a web proxy layer, an application layer, and a database layer. Each virtual machine in each layer has its own host-based firewall rules. Data lives in the web layer for no more than seconds, as it is only passed through by the proxies, unless (disk) caching is enabled in the proxy layer.
Data Encryption
All data exchanged between the dotCMS Cloud tiers (Authoring, Repository, Delivery) is encrypted in transit. All data in transit (SSL/TLS) and at rest (AES-256) is encrypted using robust, industry-recognized algorithms. To keep data encrypted at rest, dotCMS uses Amazon server-side encryption. AWS encryption uses AWS-owned or AWS-managed keys stored in KMS or S3. AWS services can also be configured to use customer-managed encryption keys in KMS or customer-supplied encryption keys. Amazon server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt dotCMS data. For data in transit, the minimum acceptable TLS version in use by the company is TLS v1.2. All dotCMS public web properties, applicable infrastructure components and applications that use SSL/TLS, IPsec or SSH to encrypt data in transit over open, public networks must have certificates signed by a known, trusted provider. Encryption keys generated, stored, and managed by dotCMS are generated and stored in a secure manner that prevents loss, theft, or compromise. Key generation is seeded from an industry-standard cryptographically secure random number generator (CSRNG).
Backups
dotCMS makes full backups of all customer data on a daily basis. Since the dotCMS repository stores all information in the database, backing up the database is sufficient. The backups are transported to a second data center at a different location over a dedicated private line. It is very common to restore a Production backup into a Development or Testing environment for testing purposes during a project or new release. The dotCMS infrastructure team that manages the dotCMS Cloud platform tests the backup and restore procedures regularly.
Business Continuity and Disaster Recovery
Aside from backup and security protocols, dotCMS has an extensive business continuity and disaster recovery plan. For details please refer to the Business Continuity Plan which can be provided as a separate document upon request.
Hosting and infrastructure
Since 2009, we have delivered dotCMS Cloud with Amazon Web Services (AWS), a tier-5 global cloud infrastructure provider that meets the highest standards in availability and security. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The dotCMS Cloud environment is set up according to dotCMS’ best practices for performance and security, as follows. Each environment is made up of multiple layers: a load balance layer, a web proxy layer, an application layer and a database layer. Each virtual machine in each layer has its own host-based firewall rules. Because a typical environment contains multiple instances (nodes) of the site application server and the CMS application server, it delivers high performance and availability. Environments in our context are physically separate servers.
Network Security
dotCMS insulates the cloud platform from inappropriate or malicious Internet traffic by utilizing multiple network defenses, from firewalls and network intrusion detection to 24/7/365 network surveillance and an incident response program.
Customers may connect to the CMS in any fashion over the internet as CMS security is independent of customer network connectivity. dotCMS Cloud is protected from network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules control the flow of traffic to and from the dotCMS Cloud platform, permitting only packets that are explicitly required to deliver the dotCMS Cloud service. Only secure sessions that pass inspection by the perimeter firewall can reach the dotCMS Cloud platform.