Camunda Cloud Security
Built-in security and data privacy with Camunda Cloud
Committed to Information Security and Privacy
Camunda maintains a comprehensive information security program that includes technical and organizational measures designed to protect our customers’ cluster data against unauthorized access, modification or deletion.
Camunda’s security and privacy programs are led by a Chief Information Security Officer (CISO) and a data protection officer (DPO). In addition, we have teams focusing on information security (InfoSec), regulatory compliance, software vulnerabilities, and Camunda Cloud security operations to keep your data private and secure.
Clear and Transparent
Camunda respects the privacy rights of individuals. Our privacy statement clearly states how and when we collect personal data and how we use it. We’ve written our privacy statement in plain language to be transparent to our users and customers.
Automatic Virus Scans
Automatic virus scans are part of our release process. Catalogues are up to date and are used to scan the released distributions our users can download. In addition, automatic virus scans are performed on our core infrastructure components.
ISO 27001 Certified
Camunda Cloud is implemented on a modern, flexible, scalable, service-oriented architecture. Camunda has formally adopted an Information Security Program, which is certified to ISO 27001.
Strong Physical Security Controls
Camunda Cloud is hosted on the certified Google Cloud Platform. Camunda reviews the security certifications and practices of its infrastructure-as-a-service provider and sub-processors to ensure that there are appropriate physical security measures in place at all premises at which Camunda Cloud data is processed and stored.
Compliance With Principles of GDPR
Camunda has prepared for GDPR by carefully reviewing and documenting how it handles personal data, implementing technical and organizational measures to protect the personal data it does handle, and defining and implementing processes to respect the rights of data subjects, across all its products and services. Camunda is committed to operating in compliance with the principles of GDPR.
Regularly Conducted Penetration Testing
Camunda has contracted an independent, external security expert to regularly conduct penetration tests of the software. The advisor operates according to industry best practices recommended by the OWASP organization, such as the OWASP Testing Guide. The tools used for testing include Burp Suite and DefenseCode Thunderscan.
Reporting Security Issues and Vulnerabilities
In order to report a vulnerability in Camunda Cloud, please follow these steps:
- Create an account on the Camunda JIRA issue tracker
- Navigate to the issue creation screen
- Create a JIRA ticket in the Security (SEC) project of type Security Report. The issue will only be accessible by Camunda staff and you, the reporter.
- Please provide as many details as are known to you.
Once reported, Camunda staff will get back to you and treat your report according to our Security Issue Process.
Vulnerabilities discovered by our enterprise customers are treated as bugs and the agreed SLAs apply.
Protecting Your Account
At Camunda, we know that security is everyone’s responsibility. That’s why we bake security into the development of our products and into the foundation of Camunda Cloud. The security and privacy of your Camunda Cloud data also rely on you keeping your clusters configured securely and maintaining the confidentiality of your Camunda Cloud login credentials.
Here’s a quick checklist:
- Don’t share your credentials with others
- Update your account profile to make sure information is correct and current
- Add operational contacts as appropriate
- Ensure that you’ve created secure passwords
If you need to make changes that are not offered in the Camunda Cloud Console, please create a Camunda Support case.