Welcome to the ProcessMaker Security Trust Center, your assurance of our unwavering commitment to providing a secure and reliable platform. Trusted by 3 million users and customers worldwide, ProcessMaker prioritizes transparency and aims to empower our customers with the information they need to trust in the security and resilience of our services. Explore the Trust Center to gain insights into the safeguards we have in place to protect your data and ensure uninterrupted business operations. Your peace of mind is our top priority.
ProcessMaker follows established best practices and industry standards to meet general security and privacy requirements. This approach, in effect, supports our customers in fulfilling their specific compliance standards.
Our governance framework ensures transparent and responsible decision-making, guiding our organization towards ethical and effective practices. Key elements include:
Updated – Jan 12, 2024
At ProcessMaker, we prioritize the security and privacy of our AI technologies. By integrating generative AI, we adhere to global standards to protect user data and ensure ethical AI usage. Additionally, we have implemented an internal policy, the “Generative AI Security Policy,” which outlines the procedures and controls for securely managing and integrating generative AI technologies within our products and services.
We follow the ISO/IEC 27001 and ISO/IEC 42001 frameworks to establish, implement, and continually improve our ISMS integrated into our AI management system, ensuring secure and ethical AI operations.
Our practices include:
This statement reflects ProcessMaker's commitment to secure and ethical AI integration, drawing from ISO/IEC 42001 and the OWASP AI Security Guidelines.
ProcessMaker provides state-of-the-art security to ensure that your customer data is never compromised. At ProcessMaker we know that security is crucial to you – that’s why security is our top priority. We devote significant resources to continually developing our world-class security infrastructure. The result: unsurpassed security and privacy for our customers’ information. With ProcessMaker, you enjoy the protection and peace of mind that only our world-class security infrastructure can provide. Among other security measures, ProcessMaker provides:
Unless otherwise specified in your particular product or service contract, our service offerings utilize the AWS cloud, one of the leading cloud and facilities providers in the world.
Amazon Web Services Cloud Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities will be shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS compliance enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment.
ProcessMaker uses strong, industry-standard encryption to protect customer data and communications: the AES-256 encryption algorithm for stored data and the Transport Layer Security (TLS) v1.2 protocol for data in transit.
Encryption in Transit
All interactions with ProcessMaker’s user interface (UI) and APIs are safeguarded through industry-standard HTTPS/TLS protocols, ensuring encryption (TLS 1.2 or higher) across public networks for secure data transit. For email, our product defaults to opportunistic TLS, which encrypts messages in transit and protects against eavesdropping between mail servers whenever the receiving mail server supports this protocol.
Encryption at Rest
Service Data is now encrypted at rest in both AWS and Azure using AES-256. This ensures that data is protected from unauthorized access and breaches.
Users access ProcessMaker only with a valid username and password combination, which is encrypted via TLS while in transmission. An encrypted session ID cookie is used to uniquely identify each user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.
Process Intelligence uses Azure AD OpenID Connect for Single Sign-On (SSO) and Multi-Factor Authentication (MFA). This enhances security by requiring multiple forms of verification before granting access to sensitive data and systems.
Our robust application security model safeguards user sessions. ProcessMaker uses various security tools to verify security best practices throughout the software development lifecycle (SDLC).
Inside the perimeter firewalls, the systems are safeguarded by network address translation, port redirection, IP masquerading, non-routable IP addressing schemes, and more. The specific details of these features are proprietary.
ProcessMaker enforces tight operating system-level security by using a minimal number of access points to all production servers. We protect all operating system accounts with strong passwords and two-factor authentication. All operating systems are maintained at each vendor’s recommended patch levels for security and are hardened by disabling and/or removing any unnecessary users, protocols, and processes.
Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is restricted to a limited number of points, and production databases do not share a master password database. All database volumes are encrypted.
All data entered into the ProcessMaker application by a customer is owned by that customer. ProcessMaker employees do not have direct access to the ProcessMaker production environments, except where necessary for system management, maintenance, monitoring, and backups.
ProcessMaker maintains a publicly available processmaker-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
ProcessMaker employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Disaster Recovery exercise for ProcessMaker Hosted in AWS and Azure allow us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Our Disaster Recovery exercise for ProcessMaker Hosted in AWS and Azure ensures that our services remain available and are easily recoverable in the case of a disaster.
This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
The ProcessMaker Disaster Recovery Policy, part of our Business Continuity Program, covers different types of disaster scenarios, including:
ProcessMaker has technical measures for every type of disaster, up to and including a total system restore, which restores all infrastructure components and customer data to an alternative AWS region if required.
As part of the Business Continuity Program, a disaster recovery exercise is conducted once a year. It gives participants hands-on training in responding to an emergency, ranging from smaller disruptions to a complete system failure, and provides the opportunity to further improve the Disaster Recovery Policy.
Our Business Continuity and Disaster Recovery plan outlines goals for Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
All networking components, NAT instances, Load Balancers, and Application Servers are deployed with high-availability and redundancy features. All customer data is stored on encrypted, fault-tolerant volumes. All customer production database data is automatically backed up up to the last committed transaction, together with snapshots that are taken on a daily basis and stored in an AWS S3 bucket with encryption and geo-replication features enabled.
ProcessMaker uses both AWS and Azure for our reliability and backup solutions, alongside MongoDB Atlas. This combination provides robust backup mechanisms and ensures the integrity and availability of data across different environments.
We can provide additional resources upon request.
The following resources may require an NDA on file.
Facilities
ProcessMaker hosts Service Data primarily in AWS and Azure data centers that are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about compliance at AWS. Learn about compliance at Azure.
AWS and Azure infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn about data center controls at AWS. Learn about data center controls at Azure.
On-Site Security
AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.
Data Hosting Location
ProcessMaker’s cloud services are hosted on secure infrastructure provided by leading cloud service providers such as AWS and Azure. These providers offer globally distributed data centers with strict security protocols, ensuring compliance with regional regulations and customer requirements. Customers may select preferred data hosting locations based on their compliance needs and data residency policies.
For more details on data center locations and security measures, refer to:
ProcessMaker minimizes risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or Service Data.
System Monitoring
Our system monitoring practices combine native cloud provider monitoring tools, centralized log collection solutions, and endpoint protection measures. This multi-layered approach ensures comprehensive monitoring and protection of our network and systems, leveraging the latest technologies and tools available from both AWS and Azure.
ProcessMaker AI integrates cutting-edge artificial intelligence capabilities to enhance workflow automation, decision-making, and operational efficiency. The following sections outline the security, privacy, and compliance measures implemented to safeguard data and ensure responsible AI usage.
ProcessMaker AI ensures that all data processed through AI models is encrypted both in transit and at rest. Industry-standard encryption protocols are used to protect sensitive information, and access controls are strictly enforced to limit exposure to authorized personnel only.
The AI models used by ProcessMaker are regularly evaluated for security vulnerabilities. Mechanisms such as adversarial testing, monitoring for model drift, and automated threat detection help prevent exploitation and unauthorized access to AI-powered functionalities.
ProcessMaker AI models are trained using diverse, high-quality datasets that adhere to ethical AI principles. Training data is carefully curated to minimize bias, and robust validation mechanisms ensure that models perform reliably across various scenarios. Updates and retraining are performed periodically to maintain performance and security.
To ensure the highest levels of accuracy, ProcessMaker AI models undergo continuous testing, validation, and fine-tuning. Performance metrics are monitored in real-time to identify discrepancies and refine the model accordingly. Transparency in AI decision-making is prioritized to build trust and improve outcomes.
ProcessMaker AI services are hosted on secure cloud environments, with options for data residency based on customer preferences. Data is stored and processed in compliance with relevant legal and regulatory frameworks, ensuring alignment with jurisdictional requirements.
User data privacy is paramount in ProcessMaker AI. Personally identifiable information (PII) and sensitive data are handled according to strict privacy policies and compliance standards, including GDPR, CCPA, and other applicable regulations. AI models are designed to minimize the retention and usage of personal data to protect user confidentiality.
ProcessMaker AI leverages OpenAI technologies to power advanced natural language processing and automation capabilities. These integrations enhance user interactions, document analysis, and workflow intelligence while maintaining strict security and compliance standards. OpenAI-powered features are designed to function within enterprise security frameworks, ensuring safe and responsible AI deployment.
The Process Intelligence (PI) platform offered by ProcessMaker operates with robust security and compliance measures to ensure the protection of customer data and adherence to international standards.
Secure Code Training
In accordance with our Software Development Policy, ProcessMaker performs annual secure code training for all engineers, based on the OWASP Top 10 security risks.
Framework Security Controls
ProcessMaker leverages modern and secure open-source frameworks with built-in security controls to limit exposure to the OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.
Quality Assurance
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Separate Environments
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.
ProcessMaker conducts annual penetration tests to identify and address potential vulnerabilities, reinforcing our commitment to maintaining a secure platform.
At ProcessMaker, we take security seriously and welcome responsible disclosures from security researchers to help us keep our systems safe. We appreciate the efforts of the security community in helping us improve our security posture.
If you identify a potential security vulnerability in our systems, please report it to us at security@processmaker.com with the following details for each vulnerability:
In Scope:
Out of Scope:
For any security concerns, please contact us at security@processmaker.com. Thank you for helping us maintain a secure environment!
Policies
ProcessMaker has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to ProcessMaker information assets.
Training
All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
Background Checks
ProcessMaker performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification. Cleaning crews are included.
Confidentiality Agreements
All new hires are required to sign Non-Disclosure and Confidentiality agreements.
ProcessMaker provides an advanced set of access and encryption features to help customers effectively protect their information. We do not access or use customer data for any purpose other than providing, maintaining, and improving the ProcessMaker Services and as otherwise required by applicable law.
ProcessMaker has achieved a number of internationally recognized certifications and accreditations demonstrating compliance with third-party assurance frameworks.
Our agreements and policies offer clear and detailed insights into ProcessMaker’s services. This information empowers our subscribers, helping them align with their own legal and compliance standards.
ProcessMaker has implemented a company-wide GDPR compliance strategy. Our legal and security experts have rigorously assessed GDPR requirements, consistently staying informed about evolving best practices. We’ve updated our products, contracts, and policies to align with GDPR, not just for compliance but also to actively assist our customers in meeting these standards. More information about our compliance efforts with the General Data Protection Regulation (GDPR).
You can review, complete and/or execute our GDPR-compliant DPA by requesting our ProcessMaker Customer Data Processing Addendum.
This document outlines how we collect, use, and safeguard your data in adherence to privacy laws. Our commitment is to be transparent about the information we gather, ensuring it’s handled responsibly and securely. Please review our Privacy Policy to understand how we prioritize your privacy, empowering you with the knowledge you need to make informed decisions about your data on our platform.
ProcessMaker employs cookies on our Services and associated Websites to enhance functionality, provide analytics, and store preferences. These cookies, categorized as session and persistent, are organized alphabetically within each Service or Website.
ProcessMaker collects and processes service data strictly to improve performance, enhance security, and refine platform capabilities. No user data is shared with third parties without explicit consent. Service data retention policies align with global compliance frameworks to ensure privacy and security.
If any security incidents need to be reported, please do not hesitate to contact security@processmaker.com.
Use of ProcessMaker services is subject to the terms and conditions of the customer’s subscription agreement with ProcessMaker Inc. ProcessMaker may modify its security infrastructure and/or this document from time to time.