Security Statement

Updated - May 22, 2018

World-Class Security Infrastructure

ProcessMaker provides state-of-the-art security to ensure that your customer data is never compromised. At ProcessMaker we know that security is crucial to you - that's why security is our top priority. We devote significant resources to continually develop our world-class security infrastructure. The result: unsurpassed security and privacy for our customers' information. With ProcessMaker, you enjoy protection and peace of mind that only our world-class security infrastructure can provide. Among other security measures, ProcessMaker provides:

  • Experienced, professional engineers and security specialists dedicated to data and systems protection

  • Continuous deployment of proven, up-to-date security technologies, including proprietary products developed for ProcessMaker

  • Ongoing evaluation of emerging security developments and threats

  • Redundancy throughout the entire ProcessMaker online infrastructure


Security Details

ProcessMaker is configured by experts and rigorously tested before going into production. Our hosting facilities adhere to world-class security policies including proven, up-to-date firewall protection, intrusion detection systems, SSL encryption, and other security technologies.

Unless otherwise specified in your particular product or service contract, our service offerings utilize the AWS cloud, one of the leading cloud and facilities providers in the world.

Amazon Web Services Cloud Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS compliance enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment.


Data Encryption

ProcessMaker uses the strongest encryption products to protect customer data and communications, using the industry-standard AES-256 encryption algorithm and the Transport Layer Security v1.2 protocol.


User Authentication

Users access ProcessMaker only with a valid username and password combination, which is encrypted via TLS while in transmission. Users are prevented from choosing weak or obvious passwords. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.


Application Security

Our robust application security model prevents one ProcessMaker customer from accessing another's data. This security model is reapplied with every request and enforced for the entire duration of a user session. ProcessMaker uses various security tools to verify security best practices throughout the software development lifecycle (SDLC).


Internal Systems Security

Inside of the perimeter firewalls, the systems are safeguarded by network address translation, port redirection, IP masquerading, non-routable IP addressing schemes, and more. The specific details of these features are proprietary.


Operating System Security

ProcessMaker enforces tight operating system-level security by using a minimal number of access points to all production servers. We protect all operating system accounts with strong passwords and two-factor authentication. All operating systems are maintained at each vendor's recommended patch levels for security and are hardened by disabling and/or removing any unnecessary users, protocols, and processes.


Database Security

Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is restricted to a limited number of points, and production databases do not share a master password database. All database volumes are encrypted.


Server Management Security

All data entered into the ProcessMaker application by a customer is owned by that customer. ProcessMaker employees do not have direct access to the ProcessMaker production environments, except where necessary for system management, maintenance, monitoring, and backups.


Reliability and Backup

All networking components, NAT instances, load balancers, and application servers are deployed with high-availability and redundancy features. All customer data is stored on encrypted, fault-tolerant volumes. All customer production database data is automatically backed up to the last committed transaction, together with snapshots which are taken on a daily basis and stored in an AWS S3 bucket with encryption and geo-replication features enabled.


Disaster Recovery

The ProcessMaker Disaster Recovery Policy, part of our Business Continuity Program, covers different types of disaster scenarios, including:

  • Application data corruption
  • Database corruption
  • Networking issues
  • Complete disaster

ProcessMaker has technical measures for every type of disaster, including a total system restore, which includes restoring all infrastructure components and customer data to an alternative AWS region, if required.

As part of the Business Continuity Program, a disaster recovery exercise is carried out once a year. It gives participants hands-on training in responding to an emergency, ranging from smaller disruptions to a complete system failure, and the chance to further improve the Disaster Recovery Policy.


Disclaimer

Use of ProcessMaker services is subject to the terms and conditions of the customer's subscription agreement with ProcessMaker Inc. ProcessMaker may modify its security infrastructure and/or this document from time to time.