Access Control
- Each cloud customer account is (i) deployed with a unique ID to guarantee adequate separation and (ii) granted its own unique, narrowly scoped role, based on the principle of least privilege. Permissions are granted only as required to perform tasks and to access shared resources, such as databases and cloud object storage.
- The default, automatic deployment of the JFrog Platform is on a shared environment made up of the following resources:
  - The load balancer is a shared component at the region level.
  - The applications' database and file store are deployed as cloud-provider managed services, shared at the region level; the JFrog Platform uses managed object storage and databases from the major cloud providers.
  - Within the shared database, each customer has a dedicated database schema and database role.
  - Within the shared file store, each customer has its own unique role with permissions over its own files only.
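As an added illustration of the per-customer schema and role described above (this is example DDL written for this page, not JFrog's own provisioning code; it assumes PostgreSQL, a shared database named artifactory, and two tenant identifiers, acme and beta, all of which are assumed names), the following provisions two tenants, each with a dedicated schema and a login role confined to it, and then checks that one tenant's role cannot reach the other's schema:

```sql
-- Illustrative example, not JFrog's configuration. Assumes PostgreSQL,
-- a shared database "artifactory" and tenant identifiers "acme"/"beta".
-- Run as an administrative (superuser or database-owner) session.

-- By default PUBLIC may CONNECT to any database and has USAGE (and, before
-- PostgreSQL 15, CREATE) on schema public. Revoke both so that every
-- privilege a tenant holds is an explicit grant.
REVOKE ALL ON DATABASE artifactory FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Tenant "acme": a login role with no superuser, database-creation or
-- role-creation attributes, allowed only to connect to the shared database.
CREATE ROLE tenant_acme LOGIN PASSWORD '<strong-random-secret>'
  NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE artifactory TO tenant_acme;

-- A dedicated schema owned by the tenant role: the role may create and
-- manage objects here and nowhere else.
CREATE SCHEMA tenant_acme AUTHORIZATION tenant_acme;

-- Pin the search path to the tenant schema so that unqualified names never
-- resolve to objects elsewhere (and nothing in "public" can shadow them).
ALTER ROLE tenant_acme SET search_path = tenant_acme;

-- Tenant "beta", provisioned the same way so the isolation check is meaningful.
CREATE ROLE tenant_beta LOGIN PASSWORD '<strong-random-secret>'
  NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE artifactory TO tenant_beta;
CREATE SCHEMA tenant_beta AUTHORIZATION tenant_beta;
ALTER ROLE tenant_beta SET search_path = tenant_beta;

-- Create a table as tenant "acme" (SET ROLE to an arbitrary role requires
-- superuser; a real tenant would do this over its own connection).
SET ROLE tenant_acme;
CREATE TABLE artifacts (id bigserial PRIMARY KEY, path text NOT NULL);
RESET ROLE;

-- Isolation check 1 (catalog level): neither role holds USAGE on the other
-- tenant's schema; with the grants above, both values are false.
SELECT has_schema_privilege('tenant_beta', 'tenant_acme', 'USAGE') AS beta_sees_acme,
       has_schema_privilege('tenant_acme', 'tenant_beta', 'USAGE') AS acme_sees_beta;

-- Isolation check 2 (runtime): a cross-tenant query is rejected at the
-- schema boundary with "permission denied for schema tenant_acme", before
-- any table-level check is reached.
SET ROLE tenant_beta;
SELECT count(*) FROM tenant_acme.artifacts;
RESET ROLE;
```

The two REVOKE statements at the top are the part most often forgotten: without them every tenant role can still connect to, and use objects in, the shared public schema, so the per-tenant role is narrow only on paper. The same principle carries over to the shared file store, where each customer's role should be scoped to that customer's own objects and nothing more.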
Data Encryption
- Data in transit is data that is actively moving between destinations (e.g., from applications to databases or object storage), whether over the same network or over the internet. In the JFrog Platform, Customer Data is encrypted in transit using HTTPS with TLS 1.2.
- Data at rest is data that is physically stored and hosted in any digital form (e.g., cloud storage, databases, data warehouses, or cloud backups) and is not actively moving between destinations. In the JFrog Platform, all hosted data at rest is stored in the database and object storage using AES-256 encryption.
Application and Infrastructure Control
- As part of a multi-layer cloud protection approach, a dedicated DDoS mitigation stack is in place. JFrog uses anti-DDoS protection, a next-generation WAF, an API protection tool, advanced rate limiting, and bot protection.
Network Control
- JFrog has network perimeter defenses in place to monitor, detect, and prevent malicious network activity and to restrict access to authorized users and services.
Backup
- JFrog maintains an internal backup of the Artifactory instance by replicating the storage and database to a different region on the same continent. For the avoidance of doubt, the sole purpose of this backup is to ensure JFrog's continued ability to provide the JFrog Platform; it is not intended for the restoration of Customer Data on Customer request. Customers who need to recover their own data should therefore keep their own backups.
Business Continuity Plan and Disaster Recovery Plan
- JFrog maintains a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) for the JFrog Platform, consistent with industry best practices and tested annually. The BCP and DRP ensure: (i) that the installed systems used to provide the JFrog Platform will be restored in case of interruption; (ii) JFrog's ability to restore the availability of, and access to, Customer Data in a timely manner in the event of a physical or technical incident; and (iii) the ongoing confidentiality, integrity, availability, and resilience of the systems JFrog uses to provide the JFrog Platform.
Certificate Program
- JFrog is certified under ISO/IEC 27017, the international code of practice for information security controls in cloud services, which applies to both cloud service providers and cloud service customers. ISO/IEC 27017 extends the general controls of ISO/IEC 27002 with cloud-specific implementation guidance, aimed at a safer cloud environment and a reduced risk of security incidents.