Frontify security controls

Frontify’s security mission is aligned with the company vision: to create a home where all brands are safe. That’s why, since day one, IT and information security have been included in every aspect of our system development, internal operations, and data handling. Only by involving all employees, finding the right experts in their fields, and ensuring full transparency for our stakeholders are we able to achieve the highest levels of security.

We are certified against the best industry security standards

Our efforts to establish security excellence across our entire organization have been officially recognized and certified against industry-known standards.

ISO 27001

ISO 27001 was established by the International Organization for Standardization (ISO). The well-known standard gives companies guiding principles for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Frontify has been officially ISO 27001 certified since 2021. The scope of the Frontify ISMS (FISMS) covers all essential assets, processes, and services connected to the Frontify application and the company’s business operations, irrespective of where the process or service is carried out. We perform annual internal and external audits in line with the ISO 27001 certification.

TISAX

Frontify’s efforts to address additional, industry-specific data protection and information security requirements resulted in our latest certification (2022) for the TISAX standard. The Trusted Information Security Assessment Exchange (TISAX) is an information security standard specifically relevant to the automotive industry; it is operated and managed by the ENX Association (an association of European vehicle manufacturers, suppliers, and organizations). Highly qualified auditors from an audit service provider approved by TISAX perform the audit and conduct the tests based on a specific testing catalog, which follows key aspects of the international standard ISO 27001.

DCSO

The Deutsche Cyber-Sicherheitsorganisation GmbH (DCSO) is a competence center for cybersecurity in Germany. The DCSO Cloud Vendor Assessment Service assesses the security level of cloud service providers.

In 2021, Frontify was evaluated based on the DCSO Cloud Vendor Assessment framework and reached risk-free maturity levels in all subject areas. Members of the DCSO community can obtain more insights into Frontify’s results directly from the DCSO.

Cyber Essentials

Cyber Essentials is a globally recognised IT security standard developed by the UK’s National Cyber Security Centre. It is used to ensure that IT software and processes are secure and that organisations are protected from data breaches and leaks. The Cyber Essentials assessment involves 5 technical controls and is designed to show, through annual assessments, that an organisation has an extended level of protection in cyber security. Frontify has been assessed for compliance against all controls and officially obtained the Cyber Essentials certification in 2022.

HIPAA

Frontify is, as far as applicable, compliant with the HIPAA security, privacy, and breach regulations. To support our customers in aligning their vendor assessments with HIPAA compliance, we have prepared comprehensive self-assessment documentation outlining our security and privacy measures, mapped to the HIPAA security, privacy, and breach notification guidelines. Contact security@frontify.com to request a copy of our self-assessment.

SSPA

The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft’s baseline data processing instructions to suppliers in the form of the Microsoft Supplier Data Protection Requirements (DPR). At the core of Microsoft’s SSPA Program are strong privacy and security practices, which are aligned with industry-wide standards such as ISO 27701 (privacy) and ISO 27001 (security).

Frontify is officially compliant with the SSPA and is independently audited against the DPR on a yearly basis, proving our strong commitment towards data privacy and security.

Network and application security measures

Our services and operations rely on the most secure cloud infrastructure.

Hosting

Frontify is hosted in a multi-tenant environment. All data for enterprise customers is protected in a virtual private cloud (VPC) with a logically separated database and dedicated file storage. All services that make up the Frontify system are highly available: we use a combination of clustering, load balancing, and replication to ensure there is no single point of failure. Each of our hosting regions uses two or more availability zones, with redundancy across them to guarantee the ongoing operation of our critical components in the unlikely case of a system failure.

Data center security

Frontify is hosted by one of the biggest data center providers, Amazon Web Services (AWS). Access to these data centers is strictly controlled and monitored by 24/7 on-site security staff, biometric scanning, and video surveillance. AWS maintains multiple certifications for its data centers, including ISO 27001, PCI DSS, Cloud Security Alliance Controls, and SOC reports.

Data sovereignty

Frontify enterprise customers have the option of having their data hosted in one of the following regions: North Virginia (US) or Frankfurt (Germany). Frontify uses a worldwide CDN for caching purposes, which means application speed is the same everywhere in the world.

Backup and disaster recovery

We run a nightly backup of files, databases, configuration, and servers. Our detailed business continuity plan covers several scenarios, responsibilities, and action steps, including a disaster recovery process that is tested at least yearly.

A secure platform for all Frontify users

We have implemented strong authentication and authorization concepts to ensure the highest level of protection for our customers’ Frontify accounts.

Secure authentication

Frontify access rights are managed at the Guideline, Project, and Library levels. Currently, access to Frontify is organized in three ways:

  • Single sign-on (SAML 2.0, OpenID Connect)
  • Access request
  • Invitation

All access methods (except SSO) require a dedicated email address and password to properly authenticate the user logging in. Multi-factor authentication can also be enabled for an extra layer of security when accessing the platform.

User roles and permissions

The granular authorization rules within the Frontify platform allow customers to easily add and manage users, assign them the appropriate privileges, and limit access to selected features. Frontify supports the following main roles: Viewer, Editor, Owner, and Account Admin.

Frontify has implemented an official bug bounty program at BugCrowd. If you've found a security issue that you believe we should know about, please don’t hesitate to contact our security team at security@frontify.com to be included in the program.

A proactive vulnerability management approach

Our proactive security approach results from a cross-team collaboration that involves our entire organization.

Development practices

Frontify maintains separate testing, development, and production environments to ensure the highest code quality. Our process includes code reviews and pair programming conducted by experienced developers with a strong focus on security and stability. In addition, we run automated tests and automated code builds. We use a hosted code platform to reach a high level of traceability and to automatically monitor our third-party dependencies for security vulnerabilities.

Pentesting and scanning

We conduct vulnerability scans of our entire infrastructure weekly, and our internal teams and an external third party perform regular penetration tests. We classify vulnerabilities internally and treat them accordingly.

In line with Frontify's agile approach, we have implemented an official bug bounty program at BugCrowd, which helps us proactively manage vulnerabilities on an ongoing basis, as opposed to relying on point-in-time penetration tests alone.

Patching policy

Because of our agile software development, we perform multiple updates and patches on the application every day. These processes do not cause any downtime for the customer. Additionally, we continuously monitor our infrastructure for security updates and promptly test and install all new releases as soon as they become available.

Incident handling and reporting

Frontify has an incident management and reporting process that unifies security monitoring and covers all our internal operations and the services provided to our customers. If a security breach leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, customer data, we’ll notify customers within 48 hours.

Monitoring

Frontify operates a centralized logging system that facilitates 24/7 monitoring, reporting, and traceability.

Need more? Our offering helps you strengthen your security measures even further. Don't hesitate to reach out to your Frontify Sales Representative to discuss additional options.

A wide set of organisational security practices

We put the protection of data at the core of all our operations.

The information security team

Frontify’s dedicated Information Security Team works closely with all departments in our company. This collaboration — together with continuous investments in improving and expanding security controls and technical and organizational measures — ensures the highest protection for our customer data.

Risk management

Frontify has implemented a risk assessment strategy and methodology that is ISO 27001 certified, and we regularly assess risks, threats, and vulnerabilities based on our asset inventory. We perform periodic overall risk assessments and categorize risks according to their likelihood and impact. For each risk, we create a remediation action plan or an acceptance statement in line with the criticality level.

Access management

Frontify adheres to the principle of least privilege when provisioning access. We use dedicated roles and access rights for different areas, such as database administrators, general administrators, and support staff. Two-factor authentication and our password policy are technically enforced for all employees across all internal and external tools.

If you’d like more details on our security controls, let our Security Team know. We’re happy to supply you with our custom security questionnaire.