FAQ
-
JFrog Compliance
Expand allCertificate program
-
Is JFrog SOC 2 Type II compliant ?
-
Is JFrog ISO 27001 compliant ?
-
Is JFrog PCI DSS compliant ?
-
Risk Assessment
-
Do you have a formal information security policy that is reviewed at least once a year and approved by a senior executive?
-
Do you perform an organization-wide security risk assessment?
-
-
Product Security
Application security
-
What security controls are in place to protect the JFrog infrastructure and applications (e.g. IDS, web application firewall)?
-
Does JFrog certify that the version of the application to be installed has been assessed with a compliant penetration test process?
-
Are there any networking tools used by JFrog to protect WAF, anti DDoS?
-
How does JFrog tackle vulnerabilities in its products and within the Docker images delivered to customers? How are vulnerabilities fixed? How does JFrog manage its patch deployment and frequency?
-
Account Security
-
Is SAML 2.0 based identity federation supported?
-
Does the JFrog platform provide controls for restricting user access to data?
-
How do you protect secrets such as user credentials, API tokens, and encryption keys?
-
Visibility & Monitoring
-
What data is logged?
-
-
Cloud Security
-
-
What is the deployment model for the infrastructure supporting applications?
-
Does your organization maintain a publicly available system-status webpage, which includes scheduled maintenance, service incident and event history?
-
-
-
Data
Data Encryption
-
How is data protected in transit?
-
If encryption is enabled on the hosted environment, how is data protected at rest?
-
For data at rest encryption, how are encryption keys managed?
-
Data Management
-
How is data securely deleted after an account is deactivated and terminated ?
-
How is customer data isolated from other tenant’s data (e.g. separate database, or through application logic or other mechanisms)?
-
-
Security Incident Management
-
-
How are anomalies detected?
-
Does your company have an Cyber Security Incident Response plan and processes to report an incident?
-
Does the organization maintain 24x7 coverage for responding to security alerts and events?
-
How do you continuously assess and remediate your organization’s cyber vulnerabilities?
-
-
-
Access Control & Identity Management
-
-
For applications hosted at public cloud or co-location facilities: What controls are in place for remote administrative access to the infrastructure (e.g. site-to-site VPN, or multi-factor authentication)?
-
Which security controls do you use to protect against spoofed or forged emails on the domains you own and use?
-
Describe your policy and security measures in place to manage the use of devices in your organization.
-
-
-
Awareness & Education
-
-
Are all staff provided with training on the information security policies and procedures of the organization?
-
-