JFrog Trust FAQ


  • JFrog Compliance

    • Certificate program

      1. Is JFrog SOC 2 Type II compliant?
      2. Is JFrog ISO 27001 compliant?
      3. Is JFrog PCI DSS compliant?
    • Risk Assessment

      1. Do you have a formal information security policy that is reviewed at least once a year and approved by a senior executive?
      2. Do you perform an organization-wide security risk assessment?
  • Product Security

    • Application security

      1. What security controls are in place to protect the JFrog infrastructure and applications (e.g. IDS, web application firewall)?
      2. Does JFrog certify that the version of the application to be installed has been assessed with a compliant penetration test process?
      3. Does JFrog use any network protection tools (e.g. WAF, anti-DDoS)?
      4. How does JFrog tackle vulnerabilities in its products and within the Docker images delivered to customers? How are vulnerabilities fixed? How does JFrog manage its patch deployment and frequency?
    • Account Security

      1. Is SAML 2.0 based identity federation supported?
      2. Does the JFrog platform provide controls for restricting user access to data?
      3. How do you protect secrets such as user credentials, API tokens, and encryption keys?
    • Visibility & Monitoring

      1. What data is logged?
  • Cloud Security

      1. What is the deployment model for the infrastructure supporting applications?
      2. Does your organization maintain a publicly available system-status webpage, which includes scheduled maintenance, service incident and event history?
  • Data

    • Data Encryption

      1. How is data protected in transit?
      2. If encryption is enabled on the hosted environment, how is data protected at rest?
      3. For data at rest encryption, how are encryption keys managed?
    • Data Management

      1. How is data securely deleted after an account is deactivated and terminated?
      2. How is customer data isolated from other tenants’ data (e.g. separate database, or through application logic or other mechanisms)?
  • Security Incident Management

      1. How are anomalies detected?
      2. Does your company have a Cyber Security Incident Response plan and processes to report an incident?
      3. Does the organization maintain 24x7 coverage for responding to security alerts and events?
      4. How do you continuously assess and remediate your organization’s cyber vulnerabilities?
  • Access Control & Identity Management

      1. For applications hosted at public cloud or co-location facilities: What controls are in place for remote administrative access to the infrastructure (e.g. site-to-site VPN, or multi-factor authentication)?
      2. Which security controls do you use to protect against spoofed or forged emails on the domains you own and use?
      3. Describe your policy and security measures in place to manage the use of devices in your organization.
  • Awareness & Education

      1. Are all staff provided with training on the information security policies and procedures of the organization?
