Security Trust Center

ProcessMaker follows established best practices and industry standards to meet general security and privacy requirements. This approach, in effect, supports our customers in fulfilling their specific compliance standards.

Our governance framework ensures transparent and responsible decision-making, guiding our organization towards ethical and effective practices. Key elements include:

• Leadership Structure: Clearly defined roles and responsibilities for leadership positions.
• Policies and Procedures: Establishing documented guidelines for decision-making and operations.
• Compliance: Adherence to applicable laws, regulations, and industry standards.
• Transparency: Open communication and disclosure of relevant information to stakeholders.
• Accountability: Ensuring individuals and teams are answerable for their actions and decisions.
• Ethical Practices: Upholding moral and ethical standards in all aspects of operations.
• Risk Management: Identifying, assessing, and mitigating potential risks to the organization.
• Stakeholder Engagement: Involving and considering the interests of relevant stakeholders.
• Continuous Improvement: Regularly reviewing and improving governance processes for effectiveness.

Updated – Jan 12, 2024

At ProcessMaker, we prioritize the security and privacy of our AI technologies. By integrating generative AI, we adhere to global standards to protect user data and ensure ethical AI usage. Additionally, we have implemented an internal policy, the “Generative AI Security Policy,” which outlines the procedures and controls for securely managing and integrating generative AI technologies within our products and services.

We follow the ISO/IEC 27001 and ISO/IEC 42001 frameworks to establish, implement, and continually improve our ISMS integrated into our AI management system, ensuring secure and ethical AI operations.

Our practices include:

• Strong Authentication and Authorization: Multi-factor authentication and strict access controls.
• Data Privacy: Anonymizing and securely processing personal data.
• Vulnerability Management: Regular scanning and patching of vulnerabilities.
• Incident Response: Comprehensive plans to address and mitigate breaches.
• Risk Assessment: Regular risk assessments to identify and address potential risks and concerns, ensuring safe and ethical use.

This statement reflects the Processmaker commitment to secure and ethical AI integration, drawing from ISO/IEC 42001 and OWASP AI Security Guidelines.

ProcessMaker uses the strongest encryption products to protect customer data and communications, using the industry standard AES-256 encryption algorithm and the Transport Layer Security v1.2 protocol.

Encryption in Transit
All interactions with ProcessMaker’s user interface (UI) and APIs are safeguarded through industry-standard HTTPS/TLS protocols, ensuring encryption (TLS 1.2 or higher) across public networks for secure data transit. Regarding email, our product defaults to opportunistic TLS, encrypting and securely delivering emails, protecting against eavesdropping between mail servers that support this protocol.

Encryption at Rest
Service Data is now encrypted at rest in both AWS and Azure using AES-256. This ensures that data is protected from unauthorized access and breaches.

Users access Processmaker only with a valid username and password combination, which is encrypted via TLS while in transmission. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.

Process Intelligence uses Azure AD Open ID Connect for Single Sign-On (SSO) and Multi-Factor Authentication (MFA). This enhances security by requiring multiple forms of verification before granting access to sensitive data and systems.

Our robust application security model preserves sessions. ProcessMaker uses various security tools to verify security best practices throughout the software development lifecycle (SDLC).

Inside of the perimeter firewalls, the systems are safeguarded by network address translation, port redirection, IP masquerading, non-routable IP addressing schemes, and more. The specific details of these features are proprietary.

ProcessMaker enforces tight operating system-level security by using a minimal number of access points to all production servers. We protect all operating system accounts with strong passwords, and two-factor authentication. All operating systems are maintained at each vendor’s recommended patch levels for security and are hardened by disabling and/or removing any unnecessary users, protocols, and processes.

Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is restricted to a limited number of points, and production databases do not share a master password database. All database volumes are encrypted.

All data entered into the Processmaker application by a customer is owned by that customer. ProcessMaker employees do not have direct access to the ProcessMaker production environments, except where necessary for system management, maintenance, monitoring, and backups.

ProcessMaker maintains a publicly available processmaker-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

ProcessMaker employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Disaster Recovery exercise for ProcessMaker Hosted in AWS and Azure allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Our Disaster Recovery exercise for ProcessMaker Hosted in AWS and Azure ensures that our services remain available and are easily recoverable in the case of a disaster.
This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

The ProcessMaker Disaster Recovery Policy, part of our Business Continuity Program, covers different type of disaster scenarios, including:

• Application data corruption
• Database corruption
• Networking issues
• Complete disaster

ProcessMaker has technical measures for every type of disaster, including a total system restore, which includes restoring all Infrastructure components and customer data to an alternative AWS region, if required.

As part of the Business Continuity Program, disaster recovery exercising is executed once a year, which provides the opportunity for participants to receive hands-on training in responding to an emergency, ranging from smaller disruptions to a complete system failure; and the chance to further improve the Disaster Recovery Policy.

Our Business Continuity and Disaster Recovery plan outlines goals for Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

All networking components, NAT instances, Load Balancers, and Application Servers are deployed with high-availability and redundancy features. All customer data is stored on encrypted, fault tolerant volumes. All customer production database data is automatically backed up from to the last committed transaction, together with snapshots which are taken on a daily basis and stored in an AWS S3 bucket with encryption and geo-replication features enabled.

Processmaker utilizes both AWS and Azure for our reliability and backup solutions, alongside MongoDB Atlas. This combination provides robust backup mechanisms and ensures the integrity and availability of data across different environments.

• TX-RAMP Certification Level 2
• ISO 27001:2013 certificates

Get resources

The following resources may require an NDA on file. Click the button to gain access.

• SOC 2 Type II Report
• ISO 27001 Report
• Annual Penetration Test Summary
• Business Continuity and Disaster Recovery Test Summary
• Data Processing Agreement (DPA)

Get resources

Facilities
ProcessMaker hosts Service Data primarily in AWS and Azure data centers that are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about compliance at AWS, Learn about compliance at Azure.

AWS and Azure infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn about data center controls at AWS, Learn about data center controls at Azure.

On-Site Security
AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.

ProcessMaker minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.

System Monitoring
Our system monitoring practices combine native cloud provider monitoring tools, centralized log collection solutions, and endpoint protection measures. This multi-layered approach ensures comprehensive monitoring and protection of our network and systems, leveraging the latest technologies and tools available from both AWS and Azure.

Secure Code Training
Regarding our Software Development Policy Processmaker performs an Annual secure code training for all engineers, based on OWASP Top 10 security risks.

Framework Security Controls
ProcessMaker leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

ProcessMaker conducts annual penetration tests to identify and address potential vulnerabilities, reinforcing our commitment to maintaining a secure platform. Request our Annual Penetration Test Summary.

Policies
ProcessMaker has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to ProcessMaker information assets.

Training
All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.

Background Checks
ProcessMaker performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification. Cleaning crews are included.

Confidentiality Agreements
All new hires are required to sign Non-Disclosure and Confidentiality agreements.

ProcessMaker provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer data for any purpose other than providing, maintaining, and improving the ProcessMaker Services and as otherwise required by applicable law.

ProcessMaker has achieved a number of internationally recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks. Security certifications are described here. Request our Certifications.

ProcessMaker has implemented a company-wide GDPR compliance strategy. Our legal and security experts have rigorously assessed GDPR requirements, consistently staying informed about evolving best practices. We’ve updated our products, contracts, and policies to align with GDPR, not just for compliance but also to actively assist our customers in meeting these standards. More information about our compliance efforts with the General Data Protection Regulation (GDPR).

You can review, complete and/or execute our GDPR-compliant DPA by requesting our ProcessMaker Customer Data Processing Addendum.

This document outlines how we collect, use, and safeguard your data in adherence to privacy laws. Our commitment is to be transparent about the information we gather, ensuring it’s handled responsibly and securely. Please review our Privacy Policy to understand how we prioritize your privacy, empowering you with the knowledge you need to make informed decisions about your data on our platform.

ProcessMaker employs cookies on our Services and associated Websites to enhance functionality, provide analytics, and store preferences. These cookies, categorized as session and persistent, are organized alphabetically within each Service or Website. For a concise overview, refer to our Cookie Policy.