At Kentico, we value your privacy above everything else. That's why we have adopted the Secure Development Lifecycle (SDLC) in our Agile processes to increase the security of the developed product. In practice, this means reducing the number of security flaws and reducing the severity of those that remain. Read more about SDLC for Agile.
Moreover, all of our development team members must attend unique security training focused on writing secure code, doing a security code review, and performing security testing. We also regularly do code review as well as website security scans. Security review is performed:
- manually—by our security team
- automatically—we use a web application security scanner to ensure Kentico Kontent is free of known security vulnerabilities
Both security reviews cover the most frequently occurring vulnerabilities, as defined by the OWASP Top 10. Any new vulnerability is inspected by our teams and security experts, and any threats found are fixed within hours or days, depending on their severity.
Kentico Kontent stores the data in Microsoft Azure storage. You can choose to store your project data in a data center in Europe (the Netherlands), the United States (East Coast), or Australia (East Coast). By choosing the location of the data center, your project data and tracked visitor data are stored in the selected area. Project data represents all your content created within the Kentico Kontent application. This does not include the user (meta)data required for the Kentico Kontent service to work, which will always be stored in the data center located in West Europe. You can find more information about data centers here.
Kentico Kontent uses a global Content Delivery Network (CDN) powered by Fastly to deliver content from your website. The CDN has edge nodes all around the world, ensuring fast content delivery no matter the destination.
All data is encrypted by default. We also back up the data on a daily basis and store the backups for 14 days.
We continuously monitor all of our services to ensure the highest availability. You can find the status information of all our services on this status page together with all information about planned maintenance. The Enterprise plan automatically comes with an SLA on service availability, and you can optionally also get an SLA on support response time.
Kentico Kontent uses FastSpring as a payment provider and we do not store any credit card information. FastSpring addresses all PCI compliance issues and securely processes sensitive data. All FastSpring stores are PCI compliant and adhere to PCI DSS regulations.
We take compliance with the European General Data Protection Regulation (GDPR) very seriously. You can find more information about Kentico Kontent's commitment to GDPR compliance on this page.
SOC 2 compliance
This auditing procedure ensures that service providers that store customer data in the cloud can securely manage data and protect the privacy and interests of their customers. Kentico Kontent is SOC 2 Type 1 and SOC 2 Type 2 compliant, and our reports cover the following Trust Services Criteria that are relevant to the services we provide:
- Availability – information and systems are available for operation and use as committed or agreed
- Security – information and systems are protected against unauthorized access, both physical and logical
- Confidentiality – information designated as confidential is protected as committed or agreed
Completing the SOC 2 Type 2 examination demonstrates our continuous commitment to information security and protecting our customers’ sensitive data against breaches.
ISO recognizes organizations worldwide that successfully pass a full third-party audit. The audit determines whether or not processes, products, and services fulfill the ISO criteria.
Following the third-party audit, Kentico gained the following ISO certifications, which apply to both Kentico products – Kentico EMS, the all-in-one digital experience platform, and Kentico Kontent, the Content-as-a-Service solution:
- ISO 9001:2015 – Quality Management System
- ISO 27001:2013 – Information Security Management System
- ISO 20000-1:2011 – IT Service Management System
Kentico Kontent security review (OWASP standards)
The security review provides an overview of the security measures taken by Kentico Kontent to protect content and user data hosted on our platform from unauthorized access. Kentico Kontent security is based on OWASP security review standards. If you are interested in more details about Kentico Kontent security, you can download the full OWASP security report here.
We recognize how important it is to help protect your privacy and security. As a company, we have a vested interest in maintaining the trust you place in us and our products.
If you believe you’ve found a security vulnerability in Kentico Kontent, we encourage you to let us know right away by emailing firstname.lastname@example.org (optionally using our PGP key). We ask you not to publicly disclose the issue until we have had a chance to address it, and we will not pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.
Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities. It allows individuals to notify companies of any security threats before going public with the information. This gives software vendors such as us a chance to resolve the problem before the criminally-minded become aware of it.
We will not disclose security issues until our internal investigation is finished, but we will work with you to ensure we fully understand the issue. Once the issue is resolved, we will keep you posted along with a “thank you” and credit for the discovery. We ask for your patience while we make sure all users of our products are protected.
If you have any questions regarding the security of Kentico Kontent, do not hesitate to contact us.