How to Navigate Cloud-Based WCM and DXP Solutions   –
Get the Gartner® Report

Statement on Processing of Customer Data for Cloud Services

This Statement on Processing of Customer Data for Liferay Cloud Services (the “Statement”) describes how Liferay, Inc., Liferay International Limited or one of its respective affiliates (the applicable entity referred to as “Liferay” ) process information, relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”) submitted by an authorized user (“Customer”) to Liferay through the use of certain Liferay hosted services and applications (the “Services”), on Customer's behalf.

Liferay will process the Personal Data only as set forth in this Statement, only for purposes set forth in this Statement, subject to the confidentiality and other relevant terms of Customer’s agreement with Liferay governing the provision of the applicable Services by Liferay to Customer ("Agreement"), and, if applicable, in accordance with the applicable data protection addendum (“DPA”). Any capitalized terms used but not defined here should have the meaning assigned to them in the applicable Agreement and/or DPA.
 
Liferay reserves the right to update this Statement from time to time by posting an updated version. Liferay encourages Customer to check this page for updates regularly, in particular, before Customer starts using any kind of additional Liferay Services offering Liferay might introduce in the future. Customer’s continued use of and access to the Services signifies Customer’s acceptance of the updated Statement. Notwithstanding the aforesaid, Liferay will notify Customer of any updates of this statement separately, if and as might be required under a written agreement between Customer and Liferay.
Subprocessors
Liferay DXP Cloud Subprocessors
Legal Entity and Contact Detail Location Function and Details of Processing Personal Data Data Transfer Mechanism (GDPR)
Liferay International Limited
(Liferay IE)
100 Mount Street Lower
Dublin 2
Ireland
Privacy Office, [email protected]
Dublin, Ireland Where Liferay IE is not the contracting entity selling the Services to the Customer, Liferay IE is the principal Subprocessor.
Otherwise, Liferay IE directly subcontracts parts of the services to the Sub-processors listed below.
Liferay IE owns a Google Cloud Platform (GCP) Account used for hosting of the service and subcontracts maintenance and support services to its Sub-processors as specified below.
Liferay IE furthermore relies on several contractors, serving as staff-augmentation, located in the EEA, not individually called out in the list of Sub-processors below.
Liferay IE does not access any Customer data stored in the service.
The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services.
n/a, EEA
Liferay Latin America Ltda.
(Liferay BR)
160 Arcos Street, rooms 7, 9 and 11-18, Poço,
Recife, PE, Brazil 52061-180
Privacy Office, [email protected]
Recife and São Paulo, Brazil Maintenance & Support, globally
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay BR.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay BR will be able to access such Personal Data provided by the Customer.
In addition, certain Liferay Engineers of Liferay BR hold super-admin rights to the Liferay IE Infrastructure that could technically provide them access to systems holding Personal Data. However, Liferay IE has implemented organizational measures to prevent unauthorized access by such Liferay Engineers including the requirement to obtain approval of a Security Committee prior to provisioning any access to systems.
Liferay BR furthermore relies on several contractors, located in Peru, serving as staff-augmentation, not individually called out in the list below.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
Standard Contractual Clauses.
In addition, in line with the EDPB guidelines, an assessment has been conducted by reputable law firms in Brazil and Peru confirming that there is nothing in the laws in Brazil and Peru that could impede on the level of protection afforded by the EU data protection laws.
Liferay Hungary Kft
(Liferay HU)
1138 Budapest Madarász Viktor Utca 47. a-b
Hungary
Privacy Office, [email protected]
Budapest, Hungary Maintenance & Support, globally
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay HU.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay HU will be able to access such Personal Data provided by the Customer.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
n/a, EEA
Liferay S. L. U., Spain
(Liferay ES)
Paseo de la Castellana, 280 Planta 1ª. Módulo B
28046 - Madrid Spain
Privacy Office, [email protected]
Madrid, Spain 1st level Support for ES & PT Customers.
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay ES.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay ES will be able to access such Personal Data provided by the Customer.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
n/a, EEA
Liferay Japan K. K.
(Liferay JP)
1F Faveur Ebisu, 1-26-7 Ebisu Nishi, Shibuya-ku
Tokyo 150-0021 JAPAN
Privacy Office, [email protected]
Tokyo, Japan Maintenance & Support, globally
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay JP.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay JP will be able to access such Personal Data provided by the Customer.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
Adequacy Decision
Liferay, Inc., USA
(Liferay US)
1400 Montefino Ave
Diamond Bar, CA 91765
Privacy Office, [email protected]
Diamond Bar, California, and Hamilton, Ohio, U. S. Maintenance & Support for NA & APAC Customers (except Japan) only.
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay US.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay US will be able to access such Personal Data provided by the Customer located in NA and APAC (except Japan).
Globally, if and to the extent, a Customer chooses to purchase, activate and use Dynatrace services. Dynatrace provides additional performance monitoring services, the services are provided on behalf of Liferay, Inc. by
Dynatrace LLC, USA (optional)
(Dynatrace)
1601 Trapelo Road, Suite 116,
Waltham, MA 02451, USA
[email protected]
Dynatrace utilizes certain sub-processors as identified here.
Detailed information regarding retention terms can be found here.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
Dynatrace service merely reports on metrics like memory, traffic, CPU, etc. While it also provides for certain logging capabilities which might involve Personal Data, it provides for smart obfuscation and Liferay applies it in accordance with Dynatrace instructions per default.
Detailed information regarding Personal Data captured by Dynatrace can be found here.
n/a
For Dynatrace: Standard Contractual Clauses
Liferay India Pvt. Ltd., India
(Liferay IN)
#147, 1st floor, Green Glen Layout, Sobha City
Outer ring road, Bellandur
Bangalore - 560103 India
Privacy Office, [email protected]
Bellandur, India Maintenance & Support for APAC Customers only (except Japan) and where explicitly requested by a NA Customer.
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay IN.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay IN will be able to access such Personal Data provided by the Customer located in APAC (except Japan), and where explicitly requested by a NA Customer.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
n/a
Google Cloud EMEA Ltd. (Google IE)
70 Sir John Rogersons Quay Dublin , Ireland, 2
Contact Details: https://support.google.com/cloud/contact/dpo
Dublin, Ireland Google IE is the hosting provider.
Hosting location of the data depends on the region that is chosen by the customer (according to setting in the admin console).
Google utilizes certain subprocessors as identified at: https://cloud.google.com/terms/subprocessors.
Liferay IE will remove Customer data from the Services upon expiration of a 30 day period after expiration of Customer’s subscription.
The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services. n/a, EEA
Liferay Dalian Software Co. Ltd.
(Liferay China)
537 Huangpu Road Taide
Building, 1005 High-Tech Zone,
Dalian
Liaoning, 116023
Privacy Office, [email protected]
Maintenance & Support for APAC Customers only (except Japan) and where explicitly requested by a NA Customer.
Customer’s use of the Services and Liferay’s ordinary performance of the Services do not require the disclosure of any Personal Data to Liferay China.
If and to the extent the Customer provides Liferay’s support team with Personal Data (e. g. contained in unsanitized data dumps or screenshots), Liferay China will be able to access such Personal Data provided by the Customer located in APAC (except Japan), and where explicitly requested by a NA Customer.
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Otherwise, business contact data of Customers’ support contacts is used only for purposes of contract fulfillment on behalf of the Liferay entity acting as controller.
n/a
Liferay Analytics Cloud Subprocessors
In addition to the Subprocessors listed above, for purposes of Liferay Analytics Cloud Liferay also relies on the following Subprocessors:
Legal Entity Location Function Personal Data Processed Data Transfer Mechanism (GDPR)
Liferay, Inc.
(Liferay US)
1400 Montefino Ave
Diamond Bar, CA 91765
Privacy Office, [email protected]
Diamond Bar, California, and Hamilton, Ohio, U. S. Engineering, Maintenance and Support, globally The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services. Standard Contractual Clauses.
Liferay Japan K. K.
(Liferay JP)
1F Faveur Ebisu, 1-26-7 Ebisu Nishi, Shibuya-ku
Tokyo 150-0021 JAPAN
Privacy Office, [email protected]
Tokyo, Japan Engineering, Maintenance and Support, globally The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services. Adequacy Decision
ZenDesk Inc.
(ZenDesk US)
989 Market Street
San Francisco, CA 94103, United States
[email protected]
San Francisco, California, U. S. Support Communication Tool
Where the Customer provides Liferay’s support team with data dumps or screenshots through ZenDesk US, Personal data contained in such a data dump or screenshot.
ZenDesk US utilizes certain subprocessors as identified at: https://support.zendesk.com/hc/en-us/articles/360022185294-Sub-processors
The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team through ZenDesk is fully controlled and determined by the Customer. ZenDesk BCR
Liferay Experience Platform Subprocessors
For purposes of Liferay Experience Platform Liferay utilizes the Subprocessors listed above. To the extent the Customer activates and utilizes the optional tracking and analytics capabilities provided, the Subprocessors listed above in Section “Analytics Cloud Subprocessors” will be utilized. 

In addition, for purposes of Liferay Experience Platform Liferay also relies on the following Subprocessors:
Legal Entity Location Function Personal Data Processed Data Transfer Mechanism (GDPR)
Liferay Italy SRL
(Liferay IT)
via Torri Bianche 9 - Palazzo
Quercia - 20871 Vimercate (MB),
Italy [email protected]
Vimercate, Italy Engineering, Maintenance and Support, globally The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services. N/A
Liferay Nordics Oy
(Liferay Nordics)
Hiilikatu 3, 00180 HELSINKI,
Finland
[email protected]
Helsinki, Finland Engineering, Maintenance and Support, globally The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services. N/A
Flowmailer B.V.
(Flowmailer)
Van Nelleweg 1, 3044BC
Rotterdam, the Netherlands
Rotterdam, Netherlands SMTP for SaaS By default the service requires and saves at least the recipient’s email address and email status tracking information, including email headers and time stamps. In addition, any personal data contained in the email content created by the Customer. N/A, EEA
Liferay, Inc.
(Liferay US)
1400 Montefino Ave
Diamond Bar, CA 91765
Privacy Office, [email protected]
Diamond Bar, California, and Hamilton, Ohio, U. S.
Waltham, Massachusetts, U. S.
Liferay US procures the following services for all customers globally:
DNS services by Cloudflare, Inc., USA
(Cloudflare)
101 Townsend Street
San Francisco, CA 94107
USA
[email protected]

Cloudflare utilizes certain sub-processors as identified here.
The DNS service processes the customers’ end users’ IP, pseudonymized by the customers’ users’ internet service provider in order to respond to their requests. Standard Contractual Clauses.
Categories and Types of Personal Data
Within the scope of Customer’s use of the Services, Customer may submit Personal Data to the Services. The extent, categories, and types of such Personal Data that Customer submits to the Services is fully controlled and determined by Customer and may vary depending on Customer’s individual use of the Services.
Liferay anticipates that such Personal Data may, for example, include Personal Data of the following categories of data subjects:
  • employees, agents, advisors, contractors of the Customer and Customer Affiliates.  
  • Employees, agents, advisors and contractors of Customers’ and Customers’ Affiliates’ prospects, customers, business partners, vendors.

Liferay anticipates that such Personal Data may, for example, include, the following types of Personal Data:
  • First and last name
  • Gender
  • Title
  • Position
  • Company
  • Private or professional Email
  • Phone number
  • Business or private address
  • Further contact information, such as e. g. Skype ID
  • Geo-localization data
  • Language preferences
  • IP addresses
  • Access data
  • Usage data
  • Authorization data
  • Other use case specific data, such as posts, documents transmitted, contract or invoice data, etc.
Technical and Organizational Measures
The following describes the  technical and organizational measures implemented by Liferay  to to ensure confidentiality, integrity and availability of Personal Data submitted by Customer to the Services:

Liferay uses several systems to manage Personal Data. The main system used for processing of Personal Data is Google Cloud Platform. It is prohibited to store Personal Data on other electronic devices such as employee workstations, BYOD and data carriers.

Prior to processing of Personal Data by a Sub-processor, each service or system provided by such a Sub-processor is reviewed and  approved based on a vendor assessment, Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents  and additional supporting documentation describing the respective system protections and compliance with the applicable data protection laws
Liferay takes the following security measures to process Personal Data submitted by Customer to the Services, as certified by the SOC 2 Type 2 and ISO 27001: 2013 compliance report available upon request, and assures that any sub-processors utilized by Liferay provide for at least the same level of protection:
  • Office Space: Access to Liferay’s  office space is physically secured through a badge management system, lockdown procedures, and access monitoring.
  • Passwords and Credentials:  Not only are the systems protected from inappropriate access by employees involved in the performance of the Service ("Team Members”), but also from unwanted access from non-Team Members. For this reason, all Team Members are obliged  to use strong and protected credentials.
  • Password Protection:  All Team Members are obliged to use a password management system, verified by Liferay’s  committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this password management system.
  • Automatic blocking is enabled on all personal machines and internal systems.
  • Multi-Factor Authentication (MFA): Wherever possible, MFA is enforced, and even mandatory, on all system accounts. If MFA is not possible, accounts must authenticate through a third-party account that provides MFA (e.g. Google, GitHub). If neither of these options are possible and only basic authentication is available (e.g. computer login), the account password must follow strict standards.
  • Encryption: All private and restricted data is encrypted at rest using AES-256. All data is encrypted at rest and in transit.
  • Need to Know: Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks. Security Committee  revokes any unnecessary access when it does not comply with this policy.
  • User Roles: Access control privileges to systems are assigned to users via user roles wherever possible and practical. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
  • Review of Administrator Access: When a change to an individual’s access privileges is needed, they must contact the Security Committee. Then, at least one of the members of the Security Committee will review the individual's role and make system changes to grant or maintain access. The Security Committee must review all systems and all individuals’ administrator access according to the Compliance Monitoring Policy.
  • Group Credentials: Whenever possible, no administrator access is given in the form of a group account, that is, one credential that validates multiple individuals. This way of authentication provides no way of monitoring individual access and introduces risks from shared passwords and tokens. If a system requires this type of authentication, the password or token is changed when an individual is removed from the group.
  • All direct access to servers via SSH will be connected through a Bastion Host solution to prevent brute force attacks. All SSH activity is being logged and kept forever. Only members who must have access,  may have access. All Security Policies also apply to remote access situations. All credentials must be compliant with the Access Control Policy.
  • Customers' databases are segregated in their own virtual machines and every project environment is segregated on it's own private network.
  • No production data is used in any development environment.
  • Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks.
  • It is the Security Committee’s responsibility to revoke any unnecessary access when it does not comply with this policy.
  • All data in transit uses enforced TLS connections with minimum AES-256 encryption.
  • All requests are signed by the request actor in the form of user access token or ID.
  • All server and database history is logged and retained forever.
  • All document creation, changes, and deletion are kept in recorded logs. These logs are retained for 6 months and protected against unauthorized tampering by secure redundancy and access controls.
  • For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest, and permanently retained. For Personal Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest.
  • Firewall configurations provide rugged inbound/outbound rules that are tested annually by internal/external penetration testing.
  • System availability is monitored and reported according to Liferay’s System Availability Policy.
  • A disaster recovery plan is in place, documented and tested regularly.
  • In the event where an incident requires a full disaster recovery, the entire infrastructure can be brought back online within 2 hours.
  • The screens of Liferay employee computers are always locked when left unattended; Personal Data is not shared informally; Personal Data is not saved to personal computers.
  • All incidents are promoted immediately to the Security Committee and logged in an incident registry and graded by impact. Incidents are treated by priority and a post mortem root cause analysis is completed by the Security Committee regarding every incident.
  • All systems are built to provide adequate pseudonymisation and data protection to not risk their availability, confidentiality, or integrity.

Confidentiality

Physical Access Control
Objective: No unauthorized physical access to facilities processing Personal Data.

Measures:
  • Facilities processing Personal Data are Google Cloud Platform facilities and facilities of other Sub-Processors.
  • Personal Data is not stored in Liferay facilities, facilities are providing internet connection for employees. 
  • Liferay facilities and/or offices use keys, magnetic or chip cards to access the place and an alarm system where available.
  • Liferay infrastructure and data storage rooms access is limited only to selected IT administrators, guarded using a key, magnetic or chip card and a CCTV system where available. 
  • Employees are prohibited from storing Personal Data on workstations, BYOD and other devices or data carriers.
  • Employee computers have a password protected access, screen-saver locks, disk encryption and anti-malware solution installed with 24/7 monitoring.
Electronic Access Control
Objective: No unauthorized use of the Personal Data processing and storage systems.

Measures:
  • Liferay uses a centralized Identity Management System and Single Sign On (“SSO”) login provider with Multi-Factor Authentication (“MFA”)  to protect from unauthorized access to systems. Where not available, non-authenticated access is forbidden, local accounts must use strong passwords and MFA.
  • All employees involved in the performance of the respective Service with a need-to-know for the Personal Data or specific portions thereof (“Team Members”) are obliged to use a password management system, verified by Liferay’s committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this password management system. Access to the password management system is protected using a strong key, MFA and a password.
  • Not only are the systems protected from inappropriate access by Team Members, but also from unwanted access from non-Team Members. For this reason, all Team Members are obliged to use strong and protected credentials.
  • Privileged access to the systems and backups is limited only to selected IT administrators.
  • Firewall rules deny any incoming traffic, only ports 80 and 443 are allowed by default.
  • System access is monitored through audit logs.
Internal Access Control
Objective: No unauthorized reading, copying, changes or deletions of Personal Data within the system (permissions for user rights of access to and amendment of data).

Measures:
  • Only authorized Team Members can access and modify Personal Data, access and roles are based on their work department.
  • Individuals are prohibited from accessing information they otherwise would not have a need to know, unless a Team Member is required to do so in the performance of specific authorized tasks. The Security Committee revokes any unnecessary access when it does not comply with this policy.
  • Access control privileges to systems are assigned to Team Members via user roles wherever possible and practical. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
  • Background checks are executed prior to hiring new Team Members. Access is removed or reviewed, credentials and tokens are rotated for termination of employment or change of role.
  • Employees are regularly trained on Data Protection and General Security Awareness.
  • When a change to an employee's access privileges is needed, the employee  must contact the Security Committee. Then, at least one of the members of the Security Committee will review the employee's role and make system changes to grant or maintain access. The Security Committee must review all systems and all employees’ administrator access according to the Compliance Monitoring Policy.
Isolation Control
Objective: Data isolation during processing of Personal Data, which is collected for differing purposes

Measures:
  • Customers' databases are segregated in their own virtual machines and every project environment is segregated on its own private network.
  • No production data is used in any development environment.
  • Personal Data is processed in isolation by sandboxing, separating production vs test systems, logical client separation, physical separation of data (different systems, data carriers), encryption of data processed for same purposes, segmented access control list, or others. 
Pseudonymisation
Objective:  Processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.

Measures:
  • Manual pseudonymisation is applied where reasonably possible.
  • Services provide tools/features to enable pseudonymization/anonymization to be applied by the Customer.
Integrity
Data Transfer Control
Objective: No unauthorized reading, copying, changes or deletions of Personal Data during electronic transfer or transport.

Measures:
  • All data is encrypted at rest and in transit.
  • All Personal Data is encrypted at rest using AES-256, including but not limited to live systems, databases and backups.
  • Only encrypted network transport protocols (TLS, SSH and similar) are allowed for access and transfer of the Personal Data. It is prohibited to use insecure cryptography ciphers.
Data Entry Control
Objective: Verification, whether and by whom Personal Data is entered into a Personal Data Processing System, is changed or deleted.

Measures:
  • Liferay operated systems log the user that created or modified the Personal Data, including date and time.
Availability and Resilience
Availability Control
Objective: Prevention of accidental or willful destruction or loss.

Measures:
  • System availability is monitored and reported according to Liferay’s System Availability Policy.
  • Liferay operated systems in the cloud are configured with load balancing and auto-scaling to handle spikes in usual load. 
  • In a case of DoS attack, Customers are protected using standard Google strategy to scale and absorb the attack using Google Cloud Frontend load balancers, Google CDN and custom WAF rules for their web servers. Customers have also an option to purchase Google Cloud Armor to mitigate risks of large DDoS attacks.
Rapid Recovery
Objective: Prevention of accidental or willful destruction or loss.

Measures:
  • In the event of a disaster recovery or business continuity plan  scenario, backups can be used to restore systems.
  • Cloud systems are using self-healing capabilities to restore availability using kubernetes probes
  • A Disaster Recovery Plan is in place, documented and tested regularly.
  • In the event where an incident requires a full disaster recovery, the entire infrastructure can be brought back online within 2 hours.
  • For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest. Each backup is separately encrypted. For Personal Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest. 
Procedures for regular testing, assessment and evaluation
Objective: Internal and external technical and organizational measures are up-to-date.

Measures:
  • Firewall and network configurations are tested regularly.
  • Applications are tested regularly using SAST, DAST and SCA tools for vulnerabilities.
  • Penetration tests are conducted annually.
  • Systems are continuously monitored for availability and security incidents.
  • All incidents are promoted immediately to the Security Committee and logged in an incident registry and graded by impact. Incidents are treated by priority and a post mortem root cause analysis is completed by the Security Committee regarding every incident.
  • Sub-processors of the Personal Data are reviewed annually based on the respective DPA and TOM documents and additional supporting documentation.
  • This document and protections are reviewed annually.
Certifications
For further detail regarding security of Liferay’s cloud offerings, please visit the applicable Liferay Security page.