General

At Kentico, we value your privacy above everything else. That's why we have adopted the Secure Development Lifecycle (SDLC) in our Agile processes. The main motivation is to increase the security of the developed product, which usually means reducing both the number and the severity of security flaws. Read more about SDLC for agile

Moreover, all of our development team members must attend dedicated security training focused on writing secure code, performing security code reviews, and carrying out security testing. We also regularly perform code reviews as well as website security scans. Security review is performed:

  • manually—by our security team
  • automatically—we use a web application security scanner to ensure Kentico Cloud is free of known security vulnerabilities

Both security reviews cover the most frequently occurring vulnerabilities, as defined in the OWASP Top 10. Any new vulnerability is inspected by our teams and a security expert, and any threats found are fixed within a few hours or days, depending on the severity.

Data Storage

Kentico Cloud stores the data in Microsoft Azure storage. You can choose to store your project data in a data center in Europe (the Netherlands) or the United States (West Coast). By choosing the location of the data center, you determine the region in which your project data and tracked visitor data are stored. Project data represents all the content created within the Kentico Cloud application. This does not include the user (meta)data required for the Kentico Cloud service to work, which is always stored in the data center located in West Europe. You can find more information about data centers here.

Kentico Cloud uses a global Content Delivery Network (CDN) powered by Fastly to deliver content from your website. The CDN has edge nodes all around the world, ensuring fast content delivery no matter the destination.

All data is encrypted by default. We also back up the data on a daily basis and store the backups for 14 days.

Availability

We continuously monitor all of our services to ensure the highest availability. You can find the status information of all our services on this status page together with all information about planned maintenance. The Enterprise plan automatically comes with an SLA on service availability, and you can optionally also get an SLA on support response time.

Payment Information

Kentico Cloud uses FastSpring as a payment provider and we do not store any credit card information. FastSpring addresses all PCI compliance issues and securely processes sensitive data. All FastSpring stores are PCI compliant and adhere to PCI DSS regulations.

GDPR Compliance

We take compliance with the European General Data Protection Regulation (GDPR) very seriously. You can find more information about Kentico Cloud's commitment to GDPR compliance on this page.

Kentico Cloud Security Review (OWASP Standards)

The security review provides an overview of the security measures taken by Kentico Cloud to protect content and user data hosted on our platform from unauthorized access. Kentico Cloud security is based on OWASP security review standards. If you are interested in more details about Kentico Cloud security, you can download the full OWASP security report here.

Issues reporting

We recognize how important it is to help protect your privacy and security. As a company, we have a vested interest in maintaining the trust you place in us and our products.

If you believe you’ve found a security vulnerability in Kentico Cloud, we encourage you to let us know right away by emailing security@kentico.com (optionally using our PGP key). We ask you not to publicly disclose the issue until we have had a chance to address it, and we will not pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.

Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities. It allows individuals to notify companies of any security threats before going public with the information. This gives software vendors such as us a chance to resolve the problem before the criminally-minded become aware of it.

We will not disclose security issues until our internal investigation is finished, but we will work with you to ensure we fully understand the issue. Once the issue is resolved, we will keep you posted along with a “thank you” and credit for the discovery. We ask for your patience while we make sure all users of our products are protected.

If you have any questions regarding the security of Kentico Cloud, do not hesitate to contact us.