At dotCMS, we deliver security from inside out by diligently implementing rigorous controls and procedures to protect the confidentiality, availability, and integrity of our infrastructure and customers’ data. We conform to the highest security standards with policies in place to ensure our people, processes and technologies are always in compliance.
dotCMS is SOC 2 Type II certified, meaning that an external AICPA-certified auditor has audited us and certified that we have instituted and maintained the appropriate controls over time and that we have effectively mitigated risks related to our customers' security, availability, and confidentiality. You can request a copy of our SOC 2 report, which provides an overview of our security measures, through our Trust Report site.
dotCMS is ISO 27001 certified. ISO 27001 certification is currently the most widely adopted international information security standard used by organizations worldwide. By following ISO 27001, organizations can be confident that their ISMSes are up to date and comply with current best practices. Certification shows that dotCMS is committed to protecting our clients' critical data and complying with applicable laws and regulations.
The Texas Risk and Authorization Management Program (TX-RAMP) is a certification and accreditation process specific to the state of Texas. It's essentially a security and compliance framework designed to ensure cloud service providers meet specific standards before offering their services to state agencies and local government entities.
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. Answers to the questionnaire for dotCMS are available here and through our Trust Report site.
At dotCMS, security is everybody’s responsibility. During employee onboarding and at least once a year thereafter, every employee completes mandatory privacy, data protection and security training. All employee devices are monitored for ongoing compliance with dotCMS security protocols. Every employee contract includes confidentiality clauses.
All access is granted via least-privilege principles, with employees only being granted access to the data or systems that they require in order to complete a given task. Each client's data utilizes a unique rotating credential set, with client-data credentials only granted to employees and systems necessary for support and maintenance tasks.
dotCMS development staff are trained on secure coding practices and the OWASP Top 10 most common vulnerabilities. All code changes undergo both automated analysis and stringent code review to stop security flaws from reaching production.
dotCMS has implemented a set of corporate policies to take maximum security measures for our clients and our company. These policies are reviewed periodically (at a minimum once per year) as part of our business continuity plan. dotCMS currently has the following security & privacy policies implemented:
The dotCMS software runs on a secure enterprise stack of operating systems, application servers, and database servers. Multiple server pairs (CMS units) make up the dotCMS Cloud platform. Each customer is granted exclusive access to their own content management environment and database instance. A combination of Web, database, and application security methods and practices insulate customers both from each other and from external attack.
All content, configuration, and targeting data belongs to the customer and can be entered through the dotCMS interface. This includes click-path and web-visitor information for the Personalization / Content Targeting module, which is stored in a separate database.
Applications are built using dotCMS’ tested and secure application delivery framework, which enforces a security session that is always present, making it possible to restrict access down to the field level on content objects. dotCMS is functionally separated into the authoring tier, the repository and the delivery tier, and also logically separated into a load balance layer, a web proxy layer, an application layer, and a database layer. Each virtual machine in each layer has its own host-based firewall rules. Data lives in the web layer for less than a second, as it is only passed through by the proxies, unless (disk) caching is enabled in the proxy layer. See the dotCMS Architecture Overview.
All data exchanged between the dotCMS Cloud tiers (Authoring, Repository, Delivery Tier) is encrypted. All data in transit (SSL/TLS) and at rest (AES-256) is encrypted using robust, industry-recognized algorithms. To keep data encrypted at rest, dotCMS uses Amazon server-side encryption. AWS encryption uses AWS-owned or AWS-managed keys stored in KMS or S3. AWS services can also be configured to use customer-managed encryption keys in KMS or customer-supplied encryption keys. Amazon server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt dotCMS data. For data in transit, the minimum acceptable TLS version in use by the company is TLS v1.2. All dotCMS public web properties and all applicable infrastructure components and applications that use SSL/TLS, IPsec or SSH to encrypt data in transit over open, public networks must have certificates signed by a known, trusted provider. Encryption keys generated, stored, and managed by dotCMS are generated and stored in a secure manner that prevents loss, theft, or compromise. Key generation is seeded from an industry-standard cryptographically secure random number generator (CSRNG).
dotCMS makes full backups of all customer data on a daily basis. Since the dotCMS repository stores all information in the database, backing up the database is sufficient. The backups are transported to a second data center at a different location over a dedicated private line. It is very common to restore a Production backup into a Development or Testing environment for testing purposes during a project or new release. The dotCMS infrastructure team that manages the dotCMS Cloud platform tests the backup and restore procedures regularly.
Aside from backup and security protocols, dotCMS has an extensive business continuity and disaster recovery plan. For details please refer to the Business Continuity Plan which can be provided as a separate document upon request.
Since 2009, we have delivered dotCMS Cloud with Amazon Web Services (AWS), a tier-5 global cloud infrastructure provider that meets the highest standards in availability and security. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The dotCMS Cloud environment is set up according to dotCMS’ best practices for performance and security, as follows. Each environment is made up of multiple layers: a load balance layer, a web proxy layer, an application layer and a database layer. Each virtual machine in each layer has its own host-based firewall rules. Because a typical environment contains multiple instances (nodes) of the site application server and the CMS application server, it delivers high performance and availability. Environments in our context are physically separate servers.
Explore our secure environment design:
dotCMS insulates the cloud platform from inappropriate or malicious Internet traffic by utilizing multiple network defenses, from firewalls and network intrusion detection to 24/7/365 network surveillance and an incident response program.
Customers may connect to the CMS in any fashion over the internet as CMS security is independent of customer network connectivity. dotCMS Cloud is protected from network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules control the flow of traffic to and from the dotCMS Cloud platform, permitting only packets that are explicitly required to deliver the dotCMS Cloud service. Only secure sessions that pass inspection by the perimeter firewall can reach the dotCMS Cloud platform.
dotCMS’s internal vulnerability monitoring and external vulnerability scanning are in place to keep up with new threats while validating security controls put in place so that dotCMS’s security posture is maintained. dotCMS performs internal vulnerability scanning and package monitoring on a constant basis using tools such as Vanta agent and OWASP ZAP. Security-related events are routinely monitored and logged by dotCMS’s firewalls and servers. A monitoring daemon on each server also keeps an eye on operational events, including host resources and environmental factors. All alerts are relayed to dotCMS’s Network Operations Center (NOC). In addition, priority 1 alerts are immediately escalated by paging dotCMS NOC staff. At the dotCMS NOC, trained network and system administrators monitor incoming alerts 24/7/365, verifying each new alert before initiating the appropriate response.
The dotCMS Cloud platform undergoes vulnerability assessments and penetration tests at regular intervals. In addition, clients of dotCMS conduct load and penetration tests periodically. Some dotCMS clients in government and cyber-security go even further by inspecting every single line of code on an annual basis. All security vulnerabilities are shared and, if needed, resolved immediately in the core software. dotCMS’s clients (particularly in financial services or government) engage third parties to conduct penetration tests on the dotCMS Cloud platform. If non-compliances are found in either the core dotCMS software or the Cloud platform, they are resolved with the highest priority.
dotCMS values the role that independent security researchers play in keeping our products secure and we encourage responsible reporting of found vulnerabilities in our software. When working with security researchers, we support the idea of responsible disclosure and expect that when reporting potential bugs and vulnerabilities, you allow us to respond and/or resolve security issues before details are publicly disclosed. See our Responsible Disclosure Policy for full details.
To help eliminate vulnerabilities before they can possibly be exploited, dotCMS combines proactive patch management with periodic internal penetration tests. dotCMS monitors security lists for new exposures that may impact dotCMS Cloud. As new security patches become available, they are first reviewed for relevance to dotCMS Cloud Platform. Relevant security patches are first verified on QA/ Staging servers, typically for two days before being applied to production servers. Routine vulnerability scans are also performed by dotCMS semi-annually.
dotCMS has a dedicated and specific process for security issues, and such issues are dealt with at a higher priority than other issues. During incident investigation, if NOC staff determine that an attack is underway or has occurred, actions will be taken to quarantine IP addresses and/or disconnect sessions as needed to contain the incident and prevent further damage. If necessary to mitigate the attack or protect customer content, staff may also temporarily disable CMS customer accounts and/or databases. The dotCMS Service Manager assigned to each affected customer account will contact the customer to review the incident, the actions taken, and the impact on that customer.
dotCMS defines the severity of an issue via industry-recognized Common Vulnerability Scoring System (CVSS) scores, which all modern scanning and continuous monitoring systems utilize. The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. Vulnerability details and related mitigations are made public and can be found on our known security issues page.