Security Trust Center

ProcessMaker follows established best practices and industry standards to meet general security and privacy requirements. This approach, in effect, supports our customers in fulfilling their specific compliance standards.

Our governance framework ensures transparent and responsible decision-making, guiding our organization towards ethical and effective practices. Key elements include:

• Leadership Structure: Clearly defined roles and responsibilities for leadership positions.
• Policies and Procedures: Establishing documented guidelines for decision-making and operations.
• Compliance: Adherence to applicable laws, regulations, and industry standards.
• Transparency: Open communication and disclosure of relevant information to stakeholders.
• Accountability: Ensuring individuals and teams are answerable for their actions and decisions.
• Ethical Practices: Upholding moral and ethical standards in all aspects of operations.
• Risk Management: Identifying, assessing, and mitigating potential risks to the organization.
• Stakeholder Engagement: Involving and considering the interests of relevant stakeholders.
• Continuous Improvement: Regularly reviewing and improving governance processes for effectiveness.

Updated – Jan 12, 2024

At ProcessMaker, we prioritize the security and privacy of our AI technologies. By integrating generative AI, we adhere to global standards to protect user data and ensure ethical AI usage. Additionally, we have implemented an internal policy, the “Generative AI Security Policy,” which outlines the procedures and controls for securely managing and integrating generative AI technologies within our products and services.

We follow the ISO/IEC 27001 and ISO/IEC 42001 frameworks to establish, implement, and continually improve our ISMS integrated into our AI management system, ensuring secure and ethical AI operations.

Our practices include:

• Strong Authentication and Authorization: Multi-factor authentication and strict access controls.
• Data Privacy: Anonymizing and securely processing personal data.
• Vulnerability Management: Regular scanning and patching of vulnerabilities.
• Incident Response: Comprehensive plans to address and mitigate breaches.
• Risk Assessment: Regular risk assessments to identify and address potential risks and concerns, ensuring safe and ethical use.

This statement reflects the Processmaker commitment to secure and ethical AI integration, drawing from ISO/IEC 42001 and OWASP AI Security Guidelines.

ProcessMaker uses the strongest encryption products to protect customer data and communications, using the industry standard AES-256 encryption algorithm and the Transport Layer Security v1.2 protocol.

Encryption in Transit
All interactions with ProcessMaker’s user interface (UI) and APIs are safeguarded through industry-standard HTTPS/TLS protocols, ensuring encryption (TLS 1.2 or higher) across public networks for secure data transit. Regarding email, our product defaults to opportunistic TLS, encrypting and securely delivering emails, protecting against eavesdropping between mail servers that support this protocol.

Encryption at Rest
Service Data is now encrypted at rest in both AWS and Azure using AES-256. This ensures that data is protected from unauthorized access and breaches.

Users access Processmaker only with a valid username and password combination, which is encrypted via TLS while in transmission. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.

Process Intelligence uses Azure AD Open ID Connect for Single Sign-On (SSO) and Multi-Factor Authentication (MFA). This enhances security by requiring multiple forms of verification before granting access to sensitive data and systems.

Our robust application security model preserves sessions. ProcessMaker uses various security tools to verify security best practices throughout the software development lifecycle (SDLC).

Inside of the perimeter firewalls, the systems are safeguarded by network address translation, port redirection, IP masquerading, non-routable IP addressing schemes, and more. The specific details of these features are proprietary.

ProcessMaker enforces tight operating system-level security by using a minimal number of access points to all production servers. We protect all operating system accounts with strong passwords, and two-factor authentication. All operating systems are maintained at each vendor’s recommended patch levels for security and are hardened by disabling and/or removing any unnecessary users, protocols, and processes.

Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is restricted to a limited number of points, and production databases do not share a master password database. All database volumes are encrypted.

All data entered into the Processmaker application by a customer is owned by that customer. ProcessMaker employees do not have direct access to the ProcessMaker production environments, except where necessary for system management, maintenance, monitoring, and backups.

ProcessMaker maintains a publicly available processmaker-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

ProcessMaker employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Disaster Recovery exercise for ProcessMaker Hosted in AWS and Azure allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Our Disaster Recovery exercise for ProcessMaker Hosted in AWS and Azure ensures that our services remain available and are easily recoverable in the case of a disaster.
This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

The ProcessMaker Disaster Recovery Policy, part of our Business Continuity Program, covers different type of disaster scenarios, including:

• Application data corruption
• Database corruption
• Networking issues
• Complete disaster

ProcessMaker has technical measures for every type of disaster, including a total system restore, which includes restoring all Infrastructure components and customer data to an alternative AWS region, if required.

As part of the Business Continuity Program, disaster recovery exercising is executed once a year, which provides the opportunity for participants to receive hands-on training in responding to an emergency, ranging from smaller disruptions to a complete system failure; and the chance to further improve the Disaster Recovery Policy.

Our Business Continuity and Disaster Recovery plan outlines goals for Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

All networking components, NAT instances, Load Balancers, and Application Servers are deployed with high-availability and redundancy features. All customer data is stored on encrypted, fault tolerant volumes. All customer production database data is automatically backed up from to the last committed transaction, together with snapshots which are taken on a daily basis and stored in an AWS S3 bucket with encryption and geo-replication features enabled.

Processmaker utilizes both AWS and Azure for our reliability and backup solutions, alongside MongoDB Atlas. This combination provides robust backup mechanisms and ensures the integrity and availability of data across different environments.

• TX-RAMP Certification Level 2
• ISO 27001:2013 certificates

Get resources

The following resources may require an NDA on file. Click the button to gain access.

• SOC 2 Type II Report
• ISO 27001 Report
• Annual Penetration Test Summary
• Business Continuity and Disaster Recovery Test Summary
• Data Processing Agreement (DPA)

Get resources

Facilities
ProcessMaker hosts Service Data primarily in AWS and Azure data centers that are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about compliance at AWS, Learn about compliance at Azure.

AWS and Azure infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn about data center controls at AWS, Learn about data center controls at Azure.

On-Site Security
AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.

Data Hosting Location
ProcessMaker’s cloud services are hosted on secure infrastructure provided by leading cloud service providers such as AWS and Azure. These providers offer globally distributed data centers with strict security protocols, ensuring compliance with regional regulations and customer requirements. Customers may select preferred data hosting locations based on their compliance needs and data residency policies.

For more details on data center locations and security measures, refer to:

• AWS Data Center Locations: https://aws.amazon.com/about-aws/global-infrastructure/
• Azure Data Center Locations: https://azure.microsoft.com/en-us/explore/global-infrastructure/geographies/

ProcessMaker minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.

System Monitoring
Our system monitoring practices combine native cloud provider monitoring tools, centralized log collection solutions, and endpoint protection measures. This multi-layered approach ensures comprehensive monitoring and protection of our network and systems, leveraging the latest technologies and tools available from both AWS and Azure.

ProcessMaker AI ensures that all data processed through AI models is encrypted both in transit and at rest. Industry-standard encryption protocols are used to protect sensitive information, and access controls are strictly enforced to limit exposure to authorized personnel only.

The AI models used by ProcessMaker are regularly evaluated for security vulnerabilities. Mechanisms such as adversarial testing, monitoring for model drift, and automated threat detection help prevent exploitation and unauthorized access to AI-powered functionalities.

ProcessMaker AI models are trained using diverse, high-quality datasets that adhere to ethical AI principles. Training data is carefully curated to minimize bias, and robust validation mechanisms ensure that models perform reliably across various scenarios. Updates and retraining are performed periodically to maintain performance and security.

To ensure the highest levels of accuracy, ProcessMaker AI models undergo continuous testing, validation, and fine-tuning. Performance metrics are monitored in real-time to identify discrepancies and refine the model accordingly. Transparency in AI decision-making is prioritized to build trust and improve outcomes.

ProcessMaker AI services are hosted on secure cloud environments, with options for data residency based on customer preferences. Data is stored and processed in compliance with relevant legal and regulatory frameworks, ensuring alignment with jurisdictional requirements.

User data privacy is paramount in ProcessMaker AI. Personally identifiable information (PII) and sensitive data are handled according to strict privacy policies and compliance standards, including GDPR, CCPA, and other applicable regulations. AI models are designed to minimize the retention and usage of personal data to protect user confidentiality.

ProcessMaker AI leverages OpenAI technologies to power advanced natural language processing and automation capabilities. These integrations enhance user interactions, document analysis, and workflow intelligence while maintaining strict security and compliance standards. OpenAI-powered features are designed to function within enterprise security frameworks, ensuring safe and responsible AI deployment.

• PI is fully compliant with the General Data Protection Regulation (GDPR). Personal data is hosted securely in Microsoft Azure West Europe and MongoDB Atlas, with strict access controls and encryption practices in place.
• Data collected by the PI platform is anonymized by design, ensuring that no Personally Identifiable Information (PII) is captured or stored unless explicitly configured by the customer.
• Advanced security features, including pseudonymization and encryption (AES-256), protect all data at rest and in transit.

• PI leverages Microsoft Azure and MongoDB to provide highly secure, scalable, and reliable infrastructure.
• All communications are secured using TLS 1.2 or higher, ensuring data integrity and confidentiality during transfers.
• The platform supports Multi-Factor Authentication (MFA) and integrates with Azure AD OpenID Connect for seamless Single Sign-On (SSO) capabilities.

• The PI platform incorporates Privacy by Design and Privacy by Default principles. Data collection is configurable to exclude sensitive information and optimize security for customer-specific needs.
• Robust access control ensures data is accessible only to authorized personnel, with role-based permissions for enhanced security.

• ProcessMaker is certified under ISO 27001 and SOC 2 Type 2. These certifications validate our commitment to maintaining high standards for security, availability, and confidentiality.
• Regular third-party penetration tests and internal security audits are conducted to ensure the platform’s ongoing compliance and resilience.

• Data Encryption: All data is encrypted using Advanced Encryption Standard (AES) 256 for storage and TLS for transmission.
• Environment Separation: PI instances (production, staging, and development) are separated by resource groups, ensuring granular access control.
• Health Monitoring: PI uses a Healthcheck API to continuously monitor agent functionality, license usage, and system performance.
• Incident Response: Security incidents are promptly managed and reported within 12 hours as per GDPR and SOC 2 requirements.

• Customers have full control over data collection settings via the PI Web Dashboard. This includes defining which applications and data points are included in the analysis, as well as the granularity of data collection.
• Data deletion requests and configurations can be managed directly by the customer in compliance with GDPR and other regulatory requirements.

Secure Code Training
Regarding our Software Development Policy Processmaker performs an Annual secure code training for all engineers, based on OWASP Top 10 security risks.

Framework Security Controls
ProcessMaker leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

ProcessMaker conducts annual penetration tests to identify and address potential vulnerabilities, reinforcing our commitment to maintaining a secure platform. Request our Annual Penetration Test Summary.

If you identify a potential security vulnerability in our systems, please report it to us at [email protected] with the following details for each vulnerability:

• Name and a clear description of the vulnerability.
• Steps to reproduce the issue
• Severity/risk assessment.
• Any supporting screenshots or logs, if applicable

• We encourage good-faith security research and will not take legal action against ethical researchers following responsible disclosure practices.
• We will acknowledge receipt of a report within 10 business days and provide an initial assessment within 30 days.
• ProcessMaker does not require indefinite non-disclosure but may request a reasonable timeframe for remediation before public disclosure.
• If a vulnerability qualifies for a reward under our Bug Bounty Program, the researcher will be informed, and the report will be evaluated under the terms outlined in the ProcessMaker Bug Bounty Policy.

In Scope:

• Web applications and APIs managed by ProcessMaker.
• Cloud infrastructure security vulnerabilities.

Out of Scope:

• Social engineering, phishing, or DDoS attacks.
• Physical security vulnerabilities.
• Systems not managed by ProcessMaker.

ProcessMaker operates a Bug Bounty Program that offers monetary rewards for valid security vulnerability reports based on severity. Not all vulnerabilities qualify for a bounty, but we recognize and appreciate all responsible disclosures. Researchers reporting through the VDP may be eligible for a bounty if their findings meet the criteria outlined in our Bug Bounty Policy.

For more details on potential rewards, please contact us at [email protected].

• All vulnerability reports will be treated confidentially.
• Researchers must maintain the confidentiality of any accessed information until the vulnerability has been fixed and publicly disclosed.
• ProcessMaker will work with the researcher to coordinate public disclosure after remediation.

For any security concerns, please contact us at [email protected]. Thank you for helping us maintain a secure environment!

Policies
ProcessMaker has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to ProcessMaker information assets.

Training
All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.

Background Checks
ProcessMaker performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification. Cleaning crews are included.

Confidentiality Agreements
All new hires are required to sign Non-Disclosure and Confidentiality agreements.

ProcessMaker provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer data for any purpose other than providing, maintaining, and improving the ProcessMaker Services and as otherwise required by applicable law.

ProcessMaker has achieved a number of internationally recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks. Security certifications are described here. Request our Certifications.

ProcessMaker has implemented a company-wide GDPR compliance strategy. Our legal and security experts have rigorously assessed GDPR requirements, consistently staying informed about evolving best practices. We’ve updated our products, contracts, and policies to align with GDPR, not just for compliance but also to actively assist our customers in meeting these standards. More information about our compliance efforts with the General Data Protection Regulation (GDPR).

You can review, complete and/or execute our GDPR-compliant DPA by requesting our ProcessMaker Customer Data Processing Addendum.

This document outlines how we collect, use, and safeguard your data in adherence to privacy laws. Our commitment is to be transparent about the information we gather, ensuring it’s handled responsibly and securely. Please review our Privacy Policy to understand how we prioritize your privacy, empowering you with the knowledge you need to make informed decisions about your data on our platform.

ProcessMaker employs cookies on our Services and associated Websites to enhance functionality, provide analytics, and store preferences. These cookies, categorized as session and persistent, are organized alphabetically within each Service or Website. For a concise overview, refer to our Cookie Policy.

ProcessMaker collects and processes service data strictly to improve performance, enhance security, and refine platform capabilities. No user data is shared with third parties without explicit consent. Service data retention policies align with global compliance frameworks to ensure privacy and security.