Sitefinity CMS Platform Security & Compliance

SOC 2 Certified and Supports GDPR Compliance

Built with Security Best Practices in Mind

Government agencies and businesses of all sizes and industries trust Progress Sitefinity with their applications and data. Specifically, Sitefinity focuses on four key security areas: security by design, cloud operations security, customer data protection and standards compliance.

Secure by Design

  • Designated security team
  • Proactive monitoring of security bulletins (e.g. SANS, CERT and NIST)
  • Scanning third-party dependencies for vulnerabilities
  • Regular static code analysis (e.g. Veracode)
  • Mandatory code and security reviews (OWASP and CWE/SANS)
  • Comprehensive vulnerability and security incident management
  • Regular risk assessments of security policies, procedures, controls and standards
  • Regular code and data backups
  • Built-in Web Security module to configure HTTP security headers, validate redirects and referrers, and protect against cross-site scripting (XSS), clickjacking, code injection, man-in-the-middle attacks and content sniffing
  • Built-in user authentication and management
  • Endpoint protection to continuously assess staging and production environments
  • Web Application Firewall to react to security threats faster by centrally patching known vulnerabilities

Cloud Security Operations

Trusted and reliable infrastructure, high availability, proactive monitoring of all system components and secure encryption are at the heart of Sitefinity operations.

  • Proactive cloud monitoring of all system components
  • Trusted and reliable cloud infrastructure – Microsoft Azure
  • Very high data resiliency and cloud service availability
  • Comprehensive performance dashboards displaying load, performance, availability, errors, and more

Customer Data Protection

  • Supports requirements of the General Data Protection Regulation (GDPR) by:
    • Allowing the locating and deleting of personal data
    • Using secure APIs for integrated solutions
    • Securely handling Personal Identifiable Information (PII)
    • Providing a built-in tracking consent widget
    • Providing a Sitefinity Insight data center hosted within Europe
  • Customer consent required before customer data is accessed, with strict data access policies and controls (e.g. to fix a reported issue)
  • Customer data is stored and isolated on shared or fully dedicated storage
  • Internal controls ensure customer data is never replicated or used in non-production environments
  • Regular and highly secure data backups using Azure Storage

Regulatory Standards Compliance

Progress is a publicly traded company (NASDAQ: PRGS) and as such it is required to comply with and is audited under the Sarbanes–Oxley Act.

SOC 2 Certified CMS

The Sitefinity platform is certified by an independent third party to comply with the service organization control standards (SOC 2) developed by the Association of International Certified Professional Accountants (AICPA).

Web Properties

With 10,000+ web properties built on Sitefinity by 2,700+ global organizations, security and data privacy are an integral part of everything we do.