JFrog Trust

FAQ

  • JFrog Compliance

    • Certificate program

      • Is JFrog SOC 2 Type II compliant ?
      • Is JFrog ISO 27001 compliant ?
      • Is JFrog PCI DSS compliant ?
    • Risk Assessment

      • Do you have a formal information security policy that is reviewed at least once a year and approved by a senior executive?
      • Do you perform an organization-wide security risk assessment?
    • Privacy

      • Does JFrog have a Privacy Policy which is applicable to the relevant service?
      • Does the organization collect, process, or store any personal data to perform the relevant services?
      • Does JFrog comply with CCPA?
      • Does JFrog comply with GDPR ?
  • Product Security

    • Application security

      • What security controls are in place to protect the JFrog infrastructure and applications (e.g. IDS, web application firewall)?
      • Does JFrog certify that the version of the application to be installed has been assessed with a compliant penetration test process?
      • Are there any networking tools used by JFrog to protect WAF, anti DDoS?
      • How does JFrog tackle vulnerabilities in its products and within the Docker images delivered to customers? How are vulnerabilities fixed? How does JFrog manage its patch deployment and frequency?
    • Account Security

      • Is SAML 2.0 based identity federation supported?
      • Does the JFrog platform provide controls for restricting user access to data?
      • How do you protect secrets such as user credentials, API tokens, and encryption keys?
    • Visibility & Monitoring

      • What data is logged?
  • Cloud Security

      • What is the deployment model for the infrastructure supporting applications?
      • Does your organization maintain a publicly available system-status webpage, which includes scheduled maintenance, service incident and event history?
  • Data

    • Data Encryption

      • How is data protected in transit?
      • If encryption is enabled on the hosted environment, how is data protected at rest?
      • For data at rest encryption, how are encryption keys managed?
    • Data Management

      • How is data securely deleted after an account is deactivated and terminated ?
      • How is customer data isolated from other tenant’s data (e.g. separate database, or through application logic or other mechanisms)?
  • Security Incident Management

      • How are anomalies detected?
      • Does your company have an Cyber Security Incident Response plan and processes to report an incident?
      • Does the organization maintain 24x7 coverage for responding to security alerts and events?
      • How do you continuously assess and remediate your organization’s cyber vulnerabilities?
  • Access Control & Identity Management

      • For applications hosted at public cloud or co-location facilities: What controls are in place for remote administrative access to the infrastructure (e.g. site-to-site VPN, or multi-factor authentication)?
      • Which security controls do you use to protect against spoofed or forged emails on the domains you own and use?
      • Describe your policy and security measures in place to manage the use of devices in your organization.
  • Awareness & Education

      • Are all staff provided with training on the information security policies and procedures of the organization?

Release Fast Or Die

Start Free Buy Now