Sitefinity Platform Security

Sitefinity Platform Security

With 10,000+ web properties built on Sitefinity by 2700+ global organizations, security and data privacy are an integral part of everything we do.

Government agencies and businesses of all sizes and industries trust Progress with their applications and data. Composed of a web Content Management System and a Digital Experience Cloud, customers deploy and manage their CMS on premises or in the cloud while accessing DEC as a SaaS application. To provide this we focus on four security areas—security by design, cloud operations security, customer data protection and standards compliance.

Security by Design

  • Employee security training and certifications 
  • Security principles rooted in core company policies
  • Designated security team
  • Proactive monitoring of security bulletins (e.g. SANS, CERT and NIST)
  • Scanning third-party dependencies for vulnerabilities
  • Regular static code analysis (e.g. Veracode)
  • Mandatory code and security reviews (OWASP and CWE/SANS)
  • Comprehensive vulnerability and security incident management
  • Regular risk assessments of security policies, procedures, controls and standards

Cloud Security Operations

Trusted and reliable infrastructure, high availability, proactive monitoring of all system components and secure encryption is at the heart of day-to-day Digital Experience Cloud operations.

  • Proactive cloud monitoring of all system components
  • Trusted and reliable cloud infrastructure
  • Microsoft Azure meets a broad set of industry-specific compliance and country-standards. 

  • High data resiliency and cloud service availability

    Monitor health status of all cloud services through disruption and incident reports. 

  • Data Encryption  

    All communication between Sitefinity DEC components and users is conducted over secure and encrypted (TLS 1.2) channels, while all unencrypted connections to the cloud are automatically rejected.

  • Comprehensive visual logs

    Load, performance, availability, errors, etc., allow for better detection of suspicious activity and odd trends or spikes with the most important data visualized in near real-time.

  • User authentication over OAuth 2.0 protocol

    Authentication is done through Telerik Federated Identity Services (TFIS)

  • Secure encryption keys

    Secure encryption keys are managed by dedicated personnel.

  • Strict incident management  

    Reported incidents are followed by a thorough retrospective to prevent future occurrences.

  • Extensive code reviews

    Code reviews are performed by a software architect, team lead and a security expert in Customer Data Access.

Data Protection

  • Customer consent required before customer data is accessed, such as to fix a reported issue
  • Least privilege principle with audit trail, filtering and firewalls
  • Strict data access policies and controls, such as access, scope and time restrictions
  • Customer data is stored and isolated on shared or fully dedicated storage
  • Internal controls ensure customer data is never replicated or used in non-production environments
  • Regular and highly secure data backups using Azure Storage

Standards Compliance

Progress is a publicly traded company (NASDAQ: PRGS) and as such it is required to comply with the Sarbanes–Oxley Act and is audited accordingly. 


The Sitefinity platform is certified by an independent third party to comply with the service organization control standards (SOC 2) developed by the Association of International Certified Professional Accountants (AICPA). Compliance with SOC 2 is a testament that Progress has established a comprehensive set of internal procedures and controls to ensure the security, confidentiality and availability of its cloud services and software development infrastructure increasing the level of trust and confidence organizations have when choosing to rely on Progress services and products.

The Progress SOC 2 certification report for the Sitefinity platform covers the following areas of internal controls:

  • Security
    • Helps protect against unauthorized access, use or modification
  • Availability
    • Ensures service is available for operation and use as committed or agreed upon
  • Confidentiality
    • Ensures confidential information is well protected

Both the Sitefinity Digital Experience Cloud and the CMS are covered by SOC 2 controls, but the scope differs because DEC is a cloud service while the CMS is a downloadable product that can be hosted anywhere. Hence, we have created two main areas for certification:

    • Cloud Operations
      • Covers Sitefinity DEC for the areas of security, availability and confidentiality
    • App Services
      • Covers the Sitefinity CMS application development process for IT controls
    Sitefinity Platform Security

    Progress Sitefinity

    Meaningful engagement, elevated experiences delivered with ease.
    Set your sites on Sitefinity.