JFrog Trust Compliance

Certificate program

1. Is JFrog SOC 2 Type II compliant ?

   Yes, Ernst & Young has audited JFrog’s System and Organization Controls and issued SOC 2 Type II report (SOC2 Type II)], which explains the controls established to support our operations and compliance. Please read our certificate program https://jfrog.info/trust/certificate-program/.

2. Is JFrog ISO 27001 compliant ?

   Yes, JFrog is certified under ISO 27001, the international standard for information security management. Please read our certificate program https://jfrog.info/trust/certificate-program/.

3. Is JFrog PCI DSS compliant ?

   Yes, JFrog is certified for compliance with PCI DSS 3.2, SAQ A, an industry standard administered by the Payment Card Industry Security Standards Council. Please read our certificate program https://jfrog.info/trust/certificate-program/.

Risk Assessment

1. Do you have a formal information security policy that is reviewed at least once a year and approved by a senior executive?

   All policies are reviewed annually and approved by JFrog management.

2. Do you perform an organization-wide security risk assessment?

   Yes, this is performed based on the methodology of ISO 27001.

Application security

1. What security controls are in place to protect the JFrog infrastructure and applications (e.g. IDS, web application firewall)?

   As part of our multi-layer protection approach, a dedicated DDoS mitigation ecosystem has been put in place. JFrog utilizes anti-DDoS protection, a next-gen WAF, an API protection tool, advanced rate limiting and bot protection.

2. Does JFrog certify that the version of the application to be installed has been assessed with a compliant penetration test process?

   To complete our development lifecycle, our products and features are pentested on an ongoing basis, both internally, by the JFrog application security team, and externally, by third-party top experts.

3. Are there any networking tools used by JFrog to protect WAF, anti DDoS?

   As part of our multi-layer protection approach, a dedicated DDoS mitigation ecosystem has been put in place. JFrog utilizes anti-DDoS protection, a next-gen WAF, an API protection tool, advanced rate limiting and bot protection.

4. How does JFrog tackle vulnerabilities in its products and within the Docker images delivered to customers? How are vulnerabilities fixed? How does JFrog manage its patch deployment and frequency?

   JFrog has a comprehensive and automated vulnerability management, threat prioritization and patch deployment process in place to ensure that critical vulnerabilities are quickly detected, addressed and remediated. To perform security risk analysis, we work with Xray as part of our internal DevSecOps process which allows us to automatically fail builds when Xray detects security vulnerabilities across our pipelines.

Account Security

1. Is SAML 2.0 based identity federation supported?

   The JFrog Platform offers a SAML-based Single Sign-On service allowing federated JFrog partners (identity providers) full control over the authorization process.

2. Does the JFrog platform provide controls for restricting user access to data?

   The JFrog Platform provides a flexible permissions model that gives administrators fine-grained control over how users and groups access the different resources. Permissions are managed from a central location, where you can control users’ or groups’ access permissions.

3. How do you protect secrets such as user credentials, API tokens, and encryption keys?

   Customer-sensitive data, such as passwords and API keys, is encrypted by the applications.

Visibility & Monitoring

1. What data is logged?

   The JFrog Platform provides audit trail logs and standardized logs for all JFrog products.
   

1. What is the deployment model for the infrastructure supporting applications?

   JFrog customers can co-locate all cloud services with Artifactory Cloud on any of the three major cloud providers: Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure.
   JFrog offers a multi-tier architecture for your JFrog deployment including high-availability systems, backups and more.
   JFrog also supports hybrid solutions for customers wishing to mix self-managed with cloud.

2. Does your organization maintain a publicly available system-status webpage, which includes scheduled maintenance, service incident and event history?

   JFrog communicates the status of our platform and its incidents https://status.jfrog.io/.

Data Encryption

1. How is data protected in transit?

   Every customer’s data is encrypted in transit using HTTPS with TLS V1.2.

2. If encryption is enabled on the hosted environment, how is data protected at rest?

   All hosted data at rest is securely stored in a shared database and object storage using SHA-256 encryption.

3. For data at rest encryption, how are encryption keys managed?

   All our encryption keys are stored and managed in a cloud-hosted key management service, which lets us create and manage cryptographic keys and control their use across a wide range of services and in your applications. It lets us generate, use, rotate, and destroy cryptographic keys.

Data Management

1. How is data securely deleted after an account is deactivated and terminated ?

   A commercial customer account is typically deactivated after being inactive for 60 days or 30 days after the end of its current subscription period. If the customer does not reach our support team, we delete its data completely.
   A Free tier account is typically deactivated after being inactive for 21 days. After 7 days all its data will be deleted from JFrog SaaS solution.
   For more information please refer to section 14.6 in our EULA - https://jfrog.info/jfrog-cloud-general-terms/ .

2. How is customer data isolated from other tenant’s data (e.g. separate database, or through application logic or other mechanisms)?

   Each customer account is deployed with a unique ID to guarantee adequate separation.
   
   Each customer account is granted with its own unique and narrow role, based on least privilege principle. We grant just the permissions which are required to perform tasks and access shared resources, such as databases and cloud object storage.
   
   The default and automatic deployment of JFrog SaaS solution is on a shared environment including the following resources:
   
   The load balancer is a shared component at the region level.
   The applications’ database schema and role are dedicated for each customer. The applications’ database is a cloud provider managed service, shared at the region level.
   Each customer has its own unique role with permissions for their own files. The applications’ filestore is a cloud provider managed service, shared at the region level.

1. How are anomalies detected?

   JFrog’s cyber incident response team (CIRT) continuously monitors our products’ logs, infrastructure operations and systems audit logs in our internal SIEM (Security Information and Event Management) to promptly and efficiently detect potential incidents. As part of this ongoing effort, the CIRT team investigates and respond to reports from their bug bounty program, vulnerability disclosure program, automated scanners, customer support portal and security email inbox.

2. Does your company have an Cyber Security Incident Response plan and processes to report an incident?

   Yes. Our Cyber Security Incident Response team follows clearly defined and detailed methods and procedures to identify, contain, investigate, report and respond to every type of incident.

3. Does the organization maintain 24x7 coverage for responding to security alerts and events?

   Yes. To ensure prompt and efficient response time, our SOC (Security Operations Center) is staffed with highly qualified and experienced security experts, who work to fulfill our internal SLA policy.

4. How do you continuously assess and remediate your organization’s cyber vulnerabilities?

   JFrog has a program that assesses, monitors and manages vulnerabilities from multiple sources and resolves them based on our internal SLA.
   We also have bug bounty and vulnerability disclosure programs to help us identify vulnerabilities. Issues are evaluated and investigated by the security team and resolved based on their possible impact and level of criticality.
   Penetration tests that help ensure the overall security status of the production platform are performed at least annually by an external third-party, as well as internally by the security team.
   In addition, security scans are performed on an ongoing basis.

1. For applications hosted at public cloud or co-location facilities: What controls are in place for remote administrative access to the infrastructure (e.g. site-to-site VPN, or multi-factor authentication)?

   JFrog uses a zero trust solution to securely connect our employees, devices, and apps over JFrog’s internal network. Our zero trust solution provides Web and URL filtering, sandboxing, cloud firewall, CASB and DLP.
   JFrog engineers connect to our production resources using an advanced 2FA and just-in-time access solution, which allows us to employ the principle of least privilege and conduct a full audit.

2. Which security controls do you use to protect against spoofed or forged emails on the domains you own and use?

   JFrog.com uses the SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) email authentication methods. JFrog uses email protection solutions designed to prevent malware, zero-day attacks, phishing, BEC (business email compromise), spam and N-days.

3. Describe your policy and security measures in place to manage the use of devices in your organization.

   Yes, All JFrog laptops have installed MDM and have enforced encryption policy in place along with advanced anti-malware software.

1. Are all staff provided with training on the information security policies and procedures of the organization?

   All JFrog employees have annual mandatory cyber security and privacy awareness training, as well as part of their onboarding.