Compliance FAQ
We've gathered all the frequently asked Compliance questions for you in one place.
Overview:
- Integrity
- Security
- Controls and Procedures
- Incident Control
- Data Privacy/GDPR
- Data Center Information and Hosting
Integrity
Has Umbraco A/S received any warnings, fines, or disciplinary action from regulators, or is Umbraco A/S subject to any ongoing regulatory investigations?
No, this is not the case.
Does Umbraco A/S have any relationships that may impact our independence towards our customers and partners?
No. We seek to stay independent so that we ourselves can make the necessary decisions regarding our customers and partners.
Does Umbraco A/S follow relevant anti-corruption legislation?
Yes, we do follow the Danish Anti-corruption Act among other legislation.
Has Umbraco A/S, or any officers, directors, or CEOs, been under investigation for or charged with any criminal offense related to terrorism, corruption, or fraud?
No, this is not the case.
Does Umbraco A/S employ agents, intermediaries, or similar third parties affecting the proposed business relationship with any customers?
No, this is not the case.
Is Umbraco A/S prohibited or debarred from working with any potential clients?
No, this is not the case.
Does Umbraco A/S have a clear policy around slavery?
Yes, you will find our Anti-Slavery policy here.
Does Umbraco A/S have a clear policy around bribery and/or corruption?
Yes, you will find our Anti-Bribery policy here.
Prior to employing a new member of staff, does Umbraco A/S check employment history?
Yes. This is part of our recruiting effort: our HR department handles the procedures, and as part of hiring we typically ask for references, which are checked.
Prior to employing a new member of staff, does Umbraco A/S check criminal records or credit history?
No, this is not the case.
Security
Can Umbraco A/S provide a documented network diagram?
We do not share detailed information on this publicly.
Are network access points protected through the use of firewalls?
Yes, firewalls are in place to protect Umbraco infrastructure.
Are firewall configurations hardened and administration passwords and account names changed and configured to be secure?
Yes, all devices are hardened at provisioning time and passwords are rotated periodically.
Are there firewall rules in place to only allow inbound/outbound traffic on individual ports required by the application?
Yes, inbound network connections are limited to a defined set of allowed ports, and outbound traffic is also protected by firewalls.
Are network obfuscation measures in place?
Yes, the architecture behind Umbraco Cloud obfuscates the details about the network structure.
Are network obfuscation measures such as NAT/PAT used?
Yes, Network Address Translation (NAT) and Port Address Translation (PAT) are used in Umbraco Cloud.
Is each user of the network allocated a unique user ID which is recorded upon access to all systems?
Yes.
Does authentication of each user include a password that conforms to Security Policy and Guidance?
Yes.
Are system administrator and privilege-level user accounts restricted to a minimum number of users?
Yes, the least-privilege principle is applied, and all admin accounts are named and regularly reviewed.
Do all local and remote network-attached devices run a file system supporting access controls that limit access to only the required operations and data?
Yes, access controls are in place on file systems.
Are details provided for the following: capabilities to control access to data and administrative functions?
Yes; we refer to the Umbraco Cloud documentation.
Are responsibilities for information security and information risk management clearly defined and accepted by the individuals holding those responsibilities?
Yes, roles and responsibilities are defined and communicated to the corresponding team. All relevant employment contracts include clearly defined roles.
Does Umbraco A/S have a configuration control process in place that prevents unauthorized changes to the standard build of network devices and hosts?
Yes, the underlying infrastructure is defined as code, and any manual changes are rolled back by the automation processes.
Are IT infrastructure components subjected to regular software updates, and are critical security updates applied within 30 days of release?
Yes, there is a schedule in place to rotate, replace, or update infrastructure components every 30 days.
Does Umbraco A/S have the ability to audit IT systems against configuration records?
Yes, we keep an audit log to track changes made to the infrastructure, and Desired State Configuration is used to ensure that configuration records match with the live setup.
Does Umbraco scan all employee devices for the presence of security vulnerabilities?
Yes, as part of our thorough and ongoing control of relevant security measures, we run internal security testing and do have external consultants involved as well.
Does Umbraco consider external environmental and location threats and assess the physical risk to their estate, IT systems, and information? Systems must be protected against the risk of flooding, fire, and power outages.
Yes. We operate out of Denmark, where the risk of natural disasters is low to non-existent, and all infrastructure is safe and reliable. Access to our offices is limited (secured premises), and alarm and fire-detection systems are in place.
Is a maintenance policy in place and documented for all software (including firmware) used on the network to ensure it is maintained in line with vendor/supplier recommendations?
Yes, maintenance for all software used in Umbraco Cloud is defined by our internal maintenance policy.
Controls and Procedures
Are formal procedures to register, grant, and revoke user access to information in place, and encompass all in-scope network, application, and IT devices?
Yes, IT procedures are in place to manage user access (including onboarding and offboarding procedures for users).
Does user access conform to the principle of least privilege (PoLP)?
Yes, user access is managed by internal IT procedures for onboarding, exit, and regular audit. All user access levels conform to PoLP.
Are all workstations at the workplace encrypted?
Yes, including monitoring and regular audits.
Are strong passwords required?
Yes, as per company password policy and guidelines.
Is it required that passwords are changed regularly and/or that multi-factor is used?
At Umbraco A/S passwords must be stored in the company’s central password storage service for audit purposes and automated policy review.
Where possible, multi-factor authentication is enforced for validation of account ownership. Maximum lifetime for any personal Umbraco-related password where multi-factor is not in use is 1 year.
Is it required that workstations are locked when left unattended, or is automatic locking required?
Yes, every employee must lock their computer when leaving their workstation.
Do all Umbraco employees/contractors receive appropriate awareness training and awareness updates in organizational policies and procedures relevant to their job function?
Yes, they do. As part of our onboarding program, we train and educate every Umbraco A/S employee in organizational policies and procedures relevant to their job function. Every year we update and renew the relevant training for Umbraco employees.
Does Umbraco have the following policies: IT Security, User Policy, and Clear Desk policy?
Yes, we do. Our IT Security Policy is introduced in our onboarding program and is available on our internal employee platform.
Do Umbraco employees and other users receive instructions to always log off or activate a password-protected screen saver when leaving user equipment unattended?
Yes, during our onboarding program, every Umbraco A/S employee receives instructions on how to work in a safe and secure way.
Does Umbraco A/S perform regular penetration testing?
Yes, we perform penetration tests every 6 months.
Does Umbraco A/S follow OWASP standards?
Yes. Umbraco A/S follows OWASP standards: we rely on OWASP procedures in our development department, and our penetration tests are performed according to OWASP best practices.
Is access to removable media disabled unless there is a business requirement for its use?
It is not possible to insert removable media within the Umbraco Cloud infrastructure. For workstations, our internal security policy prohibits storing internal information on external hardware. Where exceptions are granted, the use of encrypted USB keys is mandatory.
Is all sensitive data held on systems, desktops, laptops, or backup media encrypted using strong communication protocols?
Yes, all data at rest is encrypted.
Is encryption used to transmit or receive sensitive data and avoid communication in clear text format?
Yes, all data in transit is encrypted.
Application Server Encryption:
Umbraco uses TLS encryption to secure data in transit between clients and the server. This encryption protocol ensures that data exchanged between a user's browser and the Umbraco application server remains confidential and cannot be intercepted or tampered with during transmission. (https://umbraco.com/products/umbraco-cloud/automatic-tls-certificates/)
Database encryption:
Microsoft Azure SQL uses Transparent Data Encryption (TDE) to encrypt the database at rest (https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal); it is enabled by default.
Media files are stored in Azure Blob Storage, which encrypts data at rest by default (https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption).
End-to-end encryption:
We use the Microsoft Azure default backbone, and service interfaces are locked down.
Key Management practices:
All secrets are stored in Microsoft Azure Key Vault (https://azure.microsoft.com/en-us/products/key-vault) and are accessed only by services and resources that have been explicitly assigned rights. Azure Key Vault offers a fully managed HSM (https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview).
Infrastructure diagrams:
These are found for both Umbraco Cloud and Umbraco Heartcore here.
Is data backed up, held securely, and regularly tested to enable data recovery when requested?
Yes, backups are automatically taken and tested regularly.
Can data be fully recovered and restored from backups within a 12-hour timeframe?
Yes, point-in-time recovery is available covering the past 30 days.
Incident Control
Are Information Security Incidents reported through appropriate internal management channels as quickly as possible and are management responsibilities established to ensure quick, effective, and orderly reporting?
Yes, internal processes are in place to handle incident resolution and communication.
Is an Incident Log maintained and regularly reviewed?
Incidents are logged and a post-mortem is published after each incident.
Are Security response plans in place for security incidents/cyber attacks?
Yes, internal processes are in place to handle incident resolution and communication (including security incidents).
Are all Umbraco employees provided with clear guidance on the process for accidentally or deliberately compromising sensitive information?
Yes, all Umbraco A/S employees are aware of the procedures in place to handle accidental or deliberate compromise of sensitive information. This is also part of the standard contractual agreement between Umbraco and the employee.
I found a vulnerability in Umbraco. What should I do?
In order to take care of the vulnerability in the most responsible manner, we ask you to follow the guidelines for how to report a vulnerability.
Are patches applied in a timely fashion and audited to ensure compliance?
Yes; we refer to the Umbraco Cloud documentation.
Does Umbraco monitor the use of systems and services to support incident response and investigation of activities?
Yes, the use of systems and services is monitored.
Are audit logs of user activities available?
Yes, audit logs are in place. This also applies to Umbraco Cloud and Umbraco CMS.
Data Privacy/GDPR
Does Umbraco A/S hold any official audit reports or certifications?
Umbraco A/S currently does not hold any official certifications. We are actively working towards obtaining them, and we follow the standards of ISO 27001 and SOC 1, 2, and 3. As we use Microsoft Azure for hosting, we refer to Microsoft's official audit reports here. Furthermore, Umbraco A/S is subject to a financial audit once a year; find the link to our open books here.
Is Umbraco A/S GDPR compliant?
Yes, see this section on privacy and GDPR.
Does Umbraco have a Data Processing Agreement (DPA)?
Yes, we do. The Umbraco DPA is relevant for our customers. You can find more information about the DPA here.
Does Umbraco A/S educate internal staff on Data Privacy?
Yes, we do. As a part of our onboarding program, we educate every Umbraco A/S employee on Data Privacy and GDPR. Furthermore, we conduct annual awareness training on this matter.
Is Umbraco sharing any of my personal data?
No, we do not share your data with anyone or sell it to others. Like many other companies, we use cookies, which allow us to show you more relevant content and information. When you visit our site for the first time you will be notified with a “We use cookies” pop-up. For more specific information about this, we have a dedicated Cookie Information page.
Does Umbraco have a Data Protection Officer?
Yes, we do. Do not hesitate to contact gdpr@umbraco.com, if you have any questions.
What third-party suppliers do you have?
At Umbraco, we have third-party suppliers. You can find a full list here.
Here you can also get an overview of what we use them for, where they are located in the world, and what their legal grounds are for processing data.
Does Umbraco A/S perform audits on third-party suppliers?
Yes, at Umbraco A/S we perform audits on all our third-party suppliers once a year.
How can I have my personal data deleted?
If you want your personal data deleted, we can help you with this. Please reach out to our friendly supporters at contact@umbraco.com and they will contact the Compliance Team responsible for this action.
Describe what technical measures you have taken to ensure that personal data is handled appropriately.
In Umbraco Cloud, access to customer data requires permission from the customer, e.g. to help during support cases. Furthermore, system-level admin roles are limited, restricted, and named. Audit logs are available in the backoffice, and encryption is used for storage (e.g. passwords) and for any transfer of data.
Does Umbraco access customer data?
No, all data is encrypted and hosted in Microsoft Azure. Umbraco will only access customer data if requested or consented to by customers, e.g. in relation to a support case.
Does Umbraco A/S store paper records at the main office environments?
Yes; however, the only paper records we store physically are related to our employees and/or suppliers. Every six months all paper records are audited and shredded if necessary (as part of our GDPR audit).
Does Umbraco A/S store paper records at any record archive service?
No, the only paper records we store physically are related to our employees and/or suppliers and are stored at Umbraco HQ. Every six months all paper records are audited and shredded if necessary (as part of our GDPR audit).
Is any EU PII sent to/accessed from the US?
We make use of a number of third-party processors to deliver our services where some are located outside the EU/EEA. Please see here.
The only PII we share about customers is contact information.
We do have a US subsidiary, and for support cases that occur outside EU business hours we use our support team in the US. In such cases, however, the support team only accesses customer data with explicit consent from you, the customer.
To ensure an adequate level of protection, we hold a DPA and SCCs with our US subsidiary and with all third-party data processors. We conduct TIAs on all third-party data processors located outside the EU/EEA. We furthermore perform annual audits on all our suppliers.
Data Center Information and Hosting
Does Umbraco host anything on-premise?
No, all data is hosted in Microsoft Azure (currently NL, US, or UK, depending on what you as a customer choose).
Are all hosts and network equipment located in secure accommodation commensurate with protecting assets based on their data classification level?
Yes, we refer to Azure Trust Center here.
Does Umbraco consider external environmental and location threats, and assess the physical risk to data centers, IT systems, and information? Systems must be protected against the risk of flooding, fire, and power outages.
We do not host data on-premise and therefore refer to Azure Trust Center.
Are intrusion detection mechanisms in place to identify potential attacks?
Yes, Umbraco Cloud follows the recommendations defined by the Azure Security Benchmark.
Where are Umbraco Cloud data centers located?
Umbraco offers the ability to host in EU West (NL), US East (Virginia), and UK South (London) using Microsoft Azure as a hosting provider.
What physical access restrictions are in place for the Umbraco Cloud data center?
We refer to the physical access restriction description from Microsoft Azure.