Security programs at Sitecore

We incorporate security into our products and best practices into everything we do

Some of the steps we have taken to ensure your data’s protection include:

• Security Governance - Sitecore has implemented a three-line defense model for security operations, governance, and assurance. This is supported by strong management and Board oversight.
  
  
• Security Operations – Sitecore has made significant investments to implement a security operations center in order to maintain state of the art technical controls and a comprehensive and robust approach across platform, processes, and people. This includes 24x7 security monitoring, vulnerability management, and external penetration testing. This allows us to adjust our security posture and protect customer data across our services.
  
  
• Secure Development – Sitecore has implemented a secure software development program, which aligns with Microsoft’s Security Development Lifecycle Framework, and includes developer training, secure design, threat modeling, secure coding, static analysis, dynamic analysis, and penetration testing.
  
  
• Responsible Disclosure - Sitecore is committed to working with security researchers who are responsibly reporting vulnerabilities in its software products.
  
  
• Security Compliance Programs - Sitecore has implemented robust information security practices to comply with industry-leading standards.
  
  
  

Compliance programs and certifications

To demonstrate our commitment to protecting customer data, Sitecore maintains a number of compliance programs and certifications in accordance with strict regulatory and industry standards

Compliance with these standards, confirmed by an accredited auditor, demonstrates Sitecore’s continued adoption of these internationally recognized standards, workflows and best practices in Sitecore’s people, processes, and technologies that are used to provide cloud-based services to its customers.

Please refer to the current list of compliance programs for more information on the certifications that Sitecore maintains.

For further detail on the scope of each compliance program, please refer to the appropriate certificate in the table below.

	ISO 27001: 2013 is a security standard that governs an organization’s Information Security Management System (ISMS) and mandates specific requirements in the implementation, monitoring, maintenance and continuous improvement of the ISMS. This includes implementing steps to identify and maintain the assets, technologies, and processes needed to protect customer information and to help ensure the confidentiality, integrity, and availability of customer data and supporting services.
	ISO 27017: 2015 is a security standard that provides guidance on the information security aspects of cloud computing. Sitecore uses this standard to supplement the ISO 27001:2013 standard with cloud-specific controls that are applied to its public cloud environment.
	ISO 27018: 2014 is a code of practice that focuses on protection of personally identifiable information (PII) in the public cloud. By providing cloud services, Sitecore acts as a data processor to its customers. Sitecore uses ISO/IEC 27018:2014 standard in order to protect the PII that it processes for its customers.
	The CSA STAR Certification is a technology-neutral independent certification that leverages the requirements of ISO 27001: 2013 management standard together with CSA Cloud Controls Matrix (CCM) to ensure compliance with issues critical to cloud security in the CCM.  Sitecore uses CSA STAR standard to continually measure the maturity of its control practices against the CCM and applicable sections of ISO 27001:2013.
	SOC 2 reports contain an independent attestation of control environment relevant to system security, confidentiality and availability. SOC 2 audits are conducted against SSAE 18 attestation standards. Sitecore uses the SOC 2 reports to demonstrate the operating effectiveness of its controls used to ensure security, confidentiality, and availability of its public cloud environment.
	Sitecore has completed a PCI Data Security Standard (DSS) assessment of its commerce software and associated cloud offering, and has issued a Product Applicability Guide.
	Sitecore complies with the E.U.-U.S. Privacy Shield and Swiss–U.S. Privacy Shield Frameworks (together referred to as “Privacy Shield”) as set forth by the U.S. Department of Commerce and the European Commission regarding the collection, use, and retention of personal information from data subjects who reside in the EU and Switzerland, respectively. For more information on this certification, please see here.