Statement on Processing of Customer Data for Cloud Services

This Statement on Processing of Customer Data for Liferay Cloud Services (the “Statement”) describes how Liferay, Inc., Liferay International Limited or one of its respective affiliates (the applicable entity referred to as “Liferay”) processes information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”) provided to or submitted to or made accessible for Liferay by an authorized user (“Customer”) through the use or for the purposes of certain services and applications (the “Services”), on Customer's behalf.

Liferay will process the Personal Data only as set forth in this Statement, only for purposes set forth in this Statement, subject to the confidentiality and other relevant terms of Customer’s agreement with Liferay governing the provision of the applicable Services by Liferay to Customer ("Agreement"), and, if applicable, in accordance with the applicable data protection addendum (“DPA”). Any capitalized terms used but not defined here should have the meaning assigned to them in the applicable Agreement and/or DPA.
 
Liferay reserves the right to update this Statement from time to time by posting an updated version. Liferay encourages Customer to check this page for updates regularly, in particular, before Customer starts using any kind of additional Liferay Services offering Liferay might introduce in the future. Customer’s continued use of and access to the Services signifies Customer’s acceptance of the updated Statement. Notwithstanding the aforesaid, Liferay will notify Customer of any updates of this statement separately, if and as might be required under a written agreement between Customer and Liferay.
Subprocessors
All Services
Liferay utilizes the following Sub-processors for the purposes of all Services (including i.a. Liferay Experience Cloud Self-Managed (LXC-SM), formerly known as Liferay DXP Cloud, Liferay Experience Cloud (LXC), Liferay Analytics Cloud (AC), Managed Services, Professional Services):
Liferay Affiliates
Legal Entity and Contact Detail | Location | Function and Details of Processing | Personal Data | Data Transfer Mechanism (GDPR)
Liferay International Limited
(Liferay IE)
100 Mount Street Lower
Dublin 2
Ireland
Privacy Office, [email protected]
Location: Dublin, Ireland
Function and Details of Processing: Where Liferay IE is not the contracting entity selling the Services to the Customer, Liferay IE is the principal Subprocessor.

Otherwise, Liferay IE directly subcontracts parts of the services to the Sub-processors listed below.

Liferay IE owns a Google Cloud Platform (GCP) Account used for hosting of the service and subcontracts maintenance and support services to its Sub-processors as specified below.

Liferay IE furthermore relies on several contractors, serving as staff-augmentation, located in the EEA, not individually called out in the list of Sub-processors below.
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services.
Data Transfer Mechanism (GDPR): n/a, EEA
Liferay Italy SRL
(Liferay IT)
via Torri Bianche 9 - Palazzo Quercia - 20871 Vimercate (MB),
Italy
[email protected]
Location: Vimercate, Italy
Function and Details of Processing: Engineering, Maintenance & Support, globally
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services.
Data Transfer Mechanism (GDPR): n/a, EEA
Liferay Nordics Oy
(Liferay Nordics)
Hiilikatu 3, 00180 HELSINKI,
Finland
[email protected]
Location: Helsinki, Finland
Function and Details of Processing: Engineering, Maintenance & Support, globally
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services.
Data Transfer Mechanism (GDPR): n/a, EEA
Liferay Hungary Kft
(Liferay HU)
1138 Budapest Madarász Viktor Utca 47. a-b
Hungary
Privacy Office, [email protected]
Location: Budapest, Hungary
Function and Details of Processing: Engineering, Maintenance & Support, globally
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Data Transfer Mechanism (GDPR): n/a, EEA
Liferay S. L. U.
(Liferay ES)
Paseo de la Castellana, 280 Planta 1ª. Módulo B
28046 - Madrid Spain
Privacy Office, [email protected]
Location: Madrid, Spain
Function and Details of Processing: Engineering, Maintenance & Support, globally
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Data Transfer Mechanism (GDPR): n/a, EEA
Liferay Japan K. K.
(Liferay JP)
B1/1F Onden Flat, 1-10-9 Jingumae, Shibuya-ku
Tokyo 150-0001 JAPAN
Privacy Office, [email protected]
Location: Tokyo, Japan
Function and Details of Processing: Engineering, Maintenance & Support, globally
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Data Transfer Mechanism (GDPR): Adequacy Decision
Liferay Latin America Ltda.
(Liferay BR)
160 Arcos Street, rooms 7, 9 and 11-18, Poço,
Recife, PE, Brazil 52061-180
Privacy Office, [email protected]
Location: Recife and São Paulo, Brazil
Function and Details of Processing: Engineering, Maintenance & Support, globally

Liferay BR furthermore relies on several contractors, located in Peru, serving as staff-augmentation, not individually called out in the list below.
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Data Transfer Mechanism (GDPR): EU SCC.
In addition, in line with the EDPB guidelines, an assessment has been conducted by reputable law firms in Brazil and Peru confirming that there is nothing in the laws in Brazil and Peru that could impede on the level of protection afforded by the EU data protection laws.
Liferay India Pvt. Ltd., India
(Liferay IN)
#147, 1st floor, Green Glen Layout, Sobha City
Outer ring road, Bellandur
Bangalore - 560103 India
Privacy Office, [email protected]
Location: Bellandur, India
Function and Details of Processing: Engineering, Maintenance & Support for APAC Customers only (except Japan) and where explicitly requested by a NA Customer.
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.
Data Transfer Mechanism (GDPR): n/a
Liferay Dalian Software Co. Ltd.
(Liferay China)
537 Huangpu Road Taide
Building, 1005 High-Tech Zone,
Dalian
Liaoning, 116023
Privacy Office, [email protected]
Location: Dalian Liaoning, People’s Republic of China
Function and Details of Processing: Engineering, Maintenance & Support for APAC Customers only (except Japan) and where explicitly requested by a NA Customer.
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer.
Data Transfer Mechanism (GDPR): n/a
Liferay, Inc., USA
(Liferay US)
1400 Montefino Ave
Diamond Bar, CA 91765
Privacy Office, [email protected]
Location: Diamond Bar, California, and Hamilton, Ohio, U. S.
Function and Details of Processing: Engineering, Maintenance & Support for NA & APAC Customers (except Japan) only.

Globally, if and to the extent, a Customer chooses to purchase, activate and use Dynatrace services. Dynatrace provides additional performance monitoring services, the services are provided on behalf of Liferay, Inc. by
Dynatrace LLC, USA
(Dynatrace)

Dynatrace utilizes certain subprocessors as identified here.
Detailed information regarding retention terms can be found here.

Globally, if and to the extent, a Customer shares personal data with Liferay through gDrive, provided on behalf of Liferay, Inc. by Google, LLC, USA (Google US).

Globally, if and to the extent, Customer chooses to use tracking capabilities of the Services (Liferay Analytics Cloud).
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to Liferay’s Support Team is fully controlled and determined by the Customer.

Dynatrace service merely reports on metrics like memory, traffic, CPU, etc. However, it also provides for certain logging capabilities which might involve Personal Data. Detailed information regarding Personal Data captured by Dynatrace can be found here.

GDrive might be used to share data dumps which might incorporate Personal Data, on rare occasions where unsanitized data dumps might be required for troubleshooting. The scope of Personal Data shared will be solely determined by the customer.

Tracking features provided as part of some Services (Liferay Analytics Cloud) capture event data associated with a system generated unique online identifier assigned to each user and can be supplemented by further data if Customer decides to sync data from its Liferay DXP, LXC-SM (formerly known as Liferay DXP Cloud) or LXC instance. The scope of the data synced will be determined by the Customer.
Data Transfer Mechanism (GDPR): Data Privacy Framework

Dynatrace provides for smart obfuscation and Liferay applies it in accordance with Dynatrace instructions per default.
Detailed information regarding Personal Data captured by Dynatrace can be found here.

Data dumps are encrypted before sharing via gDrive and encryption keys are shared between the Customer and Liferay separately.

Use of the tracking capabilities (Liferay Analytics Cloud) is optional. Tracking is deactivated by default. Scope of the data can be limited to the events data associated with the system generated unique online identifier.
Other Subprocessors
Legal Entity and Contact Detail | Location | Function and Details of Processing | Personal Data | Data Transfer Mechanism (GDPR)
Google Cloud EMEA Ltd.
(Google IE)
70 Sir John Rogersons Quay Dublin, Ireland, 2
Contact Details: https://support.google.com/cloud/contact/dpo
Location: Dublin, Ireland
Function and Details of Processing: Only applicable to the extent the Services involve hosting of Customer Personal Data by Liferay. Google IE is the hosting provider.
Hosting location of the data depends on the region that is chosen by the customer (according to setting in the admin console).
Google utilizes certain subprocessors as identified at: https://cloud.google.com/terms/subprocessors.
Liferay IE will remove Customer data from the Services upon expiration of a 30 day period after expiration of Customer’s subscription.
Personal Data: The extent, categories, and types of Personal Data that the Customer submits to the Services is fully controlled and determined by the Customer and may vary depending on Customer’s individual use of the Services.
Data Transfer Mechanism (GDPR): n/a, EEA
Exabeam, Inc.
1051 E. Hillsdale Blvd. 4th Floor, Foster City, California 94404
[email protected]
Location: CA, USA
Function and Details of Processing: SIEM.
Exabeam utilizes certain sub-processors. A full list can be provided upon request.
Personal Data: Personal Data contained in GCP logs.
Data Transfer Mechanism (GDPR): EU SCC, in addition Liferay utilizes the BYOK capability of the Exabeam SIEM with the key stored in HSM service to prevent access to the Personal Data by Exabeam and its sub-processors.
Amazon Web Services EMEA SARL (“AWS”)
38 Avenue John F. Kennedy, L-1855, Luxembourg
Location: Luxembourg
Function and Details of Processing: Storage of backup files.
AWS utilizes sub-processors identified at: https://aws.amazon.com/compliance/sub-processors.
Personal Data: Personal Data stored in Customer’s database
Data Transfer Mechanism (GDPR): N/A, EEA, in addition Liferay applies BYOK encryption with the help of AWS KMS to prevent access to the Personal Data by AWS and its sub-processors. The keys are stored in HSMs in the AWS region corresponding to the GCP region selected by the customer for its production environment.
Liferay Analytics Cloud Subprocessors
In addition to the Subprocessors listed above, for purposes of Liferay Analytics Cloud (AC) Liferay also relies on the following Subprocessors:
Legal Entity | Location | Function | Personal Data Processed | Data Transfer Mechanism (GDPR)
Liferay, Inc.
(Liferay US)
1400 Montefino Ave
Diamond Bar, CA 91765
Privacy Office, [email protected]
Location: Diamond Bar, California, and Hamilton, Ohio, U. S.
Function: Engineering, Maintenance & Support, globally, if and to the extent, Customer chooses to use tracking capabilities of the Services (Liferay Analytics Cloud).
Personal Data Processed: Liferay Analytics Cloud captures event data associated with a system generated unique online identifier assigned to each user and can be supplemented by further data if Customer decides to sync data from its Liferay DXP, LXC-SM (formerly known as Liferay DXP Cloud) or LXC instance. The scope of the data synced will be determined by the Customer.
Data Transfer Mechanism (GDPR): Data Privacy Framework.

Scope of the data can be limited to the events data associated with the system generated unique online identifier.
Liferay Experience Cloud (LXC) Subprocessors
In addition to the Subprocessors listed above, for purposes of Liferay Experience Platform Liferay also relies on the following Subprocessors:
Legal Entity | Location | Function | Personal Data Processed | Data Transfer Mechanism (GDPR)
Flowmailer B.V.
(Flowmailer)
Van Nelleweg 1, 3044BC
Rotterdam, the Netherlands
Location: Rotterdam, Netherlands
Function: SMTP for SaaS
Personal Data Processed: By default the service requires and saves at least the recipient’s email address and email status tracking information, including email headers and time stamps. In addition, any personal data contained in the email content created by the Customer.
Data Transfer Mechanism (GDPR): N/A, EEA
Liferay, Inc.
(Liferay US)
1400 Montefino Ave
Diamond Bar, CA 91765
Privacy Office, [email protected]
Location: Diamond Bar, California, and Hamilton, Ohio, US

Waltham, Massachusetts, US
Function: Liferay US procures the following services for all customers globally:
DNS services by Cloudflare, Inc., USA
(Cloudflare)
101 Townsend Street
San Francisco, CA 94107
USA
[email protected]

Cloudflare utilizes certain sub-processors as identified here.
Personal Data Processed: The DNS service processes the customers’ end users’ IP, pseudonymized by the customers’ users’ internet service provider in order to respond to their requests.
Data Transfer Mechanism (GDPR): Data Privacy Framework.
Categories and Types of Personal Data
Within the scope of Customer’s use of the Services, Customer may submit Personal Data to the Services. The extent, categories, and types of such Personal Data that Customer submits to the Services is fully controlled and determined by Customer and may vary depending on Customer’s individual use of the Services.
Liferay anticipates that such Personal Data may, for example, include Personal Data of the following categories of data subjects:
  • Employees, agents, advisors, contractors of the Customer and Customer Affiliates.  
  • Employees, agents, advisors and contractors of Customers’ and Customers’ Affiliates’ prospects, customers, business partners, vendors.

Liferay anticipates that such Personal Data may, for example, include, the following types of Personal Data:
  • First and last name
  • Gender
  • Title
  • Position
  • Company
  • Private or professional Email
  • Phone number
  • Business or private address
  • Further contact information, such as e.g. Skype ID
  • Geo-localization data
  • Language preferences
  • IP addresses
  • Access data
  • Usage data
  • Authorization data
  • Other use case specific data, such as posts, documents transmitted, contract or invoice data, etc.
Technical and Organizational Measures

Services Including Hosting

The following describes the technical and organizational measures implemented by Liferay to ensure confidentiality, integrity and availability of Personal Data submitted by Customer to the Services Liferay Experience Cloud Self-Managed (LXC-SM, formerly Liferay DXP Cloud), Liferay Experience Cloud (LXC), Liferay Analytics Cloud (AC) and Managed Services on Liferay Infrastructure:
 
Liferay takes the following security measures to process Personal Data submitted by Customer to the Services, as certified by the SOC 2 Type 2 and ISO 27001:2013 compliance report available upon request, and assures that any sub-processors utilized by Liferay provide for at least the same level of protection:
  • Office Space: Access to Liferay’s office space is physically secured through a badge management system, lockdown procedures, and access monitoring.
  • Passwords and Credentials: Not only are the systems protected from inappropriate access by employees involved in the performance of the Service (“Team Members”), but also from unwanted access from non-Team Members. For this reason, all Team Members are obliged to use strong and protected credentials.
  • Password Protection: All Team Members are obliged to use a password management system, verified by Liferay’s committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this password management system.
  • Automatic blocking is enabled on all personal machines and internal systems.
  • Multi-Factor Authentication (MFA): Wherever possible, MFA is enforced, and even mandatory, on all system accounts. If MFA is not possible, accounts must authenticate through a third-party account that provides MFA (e.g. Google, GitHub). If neither of these options is possible and only basic authentication is available (e.g. computer login), the account password must follow strict standards.
  • Encryption: All private and restricted data is encrypted at rest using AES-256. All data is encrypted at rest and in transit.
  • Need to Know: Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks. The Security Committee revokes any unnecessary access when it does not comply with this policy.
  • User Roles: Access control privileges to systems are assigned to users via user roles wherever possible and practical. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
  • Review of Administrator Access: When a change to an individual’s access privileges is needed, they must contact the Security Committee. Then, at least one of the members of the Security Committee will review the individual's role and make system changes to grant or maintain access. The Security Committee must review all systems and all individuals’ administrator access according to the Compliance Monitoring Policy.
  • Group Credentials: Whenever possible, no administrator access is given in the form of a group account, that is, one credential that validates multiple individuals. This way of authentication provides no way of monitoring individual access and introduces risks from shared passwords and tokens. If a system requires this type of authentication, the password or token is changed when an individual is removed from the group.
  • All direct access to servers via SSH will be connected through a Bastion Host solution to prevent brute force attacks. All SSH activity is being logged and kept forever. Only members who must have access may have access. All Security Policies also apply to remote access situations. All credentials must be compliant with the Access Control Policy.
  • Customers' databases are segregated in their own virtual machines and every project environment is segregated on its own private network.
  • No production data is used in any development environment.
  • Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks.
  • It is the Security Committee’s responsibility to revoke any unnecessary access when it does not comply with this policy.
  • All data in transit uses enforced TLS connections with minimum AES-256 encryption.
  • All requests are signed by the request actor in the form of user access token or ID.
  • All server and database history is logged and retained forever.
  • All document creation, changes, and deletion are kept in recorded logs. These logs are retained for 6 months and protected against unauthorized tampering by secure redundancy and access controls.
  • For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest, and permanently retained. For Personal Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest.
  • Firewall configurations provide rugged inbound/outbound rules that are tested annually by internal/external penetration testing.
  • System availability is monitored and reported according to Liferay’s System Availability Policy.
  • A disaster recovery plan is in place, documented and tested regularly.
  • In the event where an incident requires a full disaster recovery, the entire infrastructure can be brought back online within 2 hours.
  • The screens of Liferay employee computers are always locked when left unattended; Personal Data is not shared informally; Personal Data is not saved to personal computers.
  • All incidents are promoted immediately to the Security Committee and logged in an incident registry and graded by impact. Incidents are treated by priority and a post mortem root cause analysis is completed by the Security Committee regarding every incident.
  • All systems are built to provide adequate pseudonymisation and data protection to not risk their availability, confidentiality, or integrity.
Liferay uses several systems to manage Personal Data. The main system used for processing of Personal Data is Google Cloud Platform. The runtime services are operated by Liferay Employees and hosted on Google Cloud Platform. Liferay Employees’ workstations are used to remotely manage the solution.

Prior to processing of Personal Data by a Sub-processor, each service or system provided by such a Sub-processor is reviewed and approved based on a vendor assessment, Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documentation describing the respective system protections and compliance with the applicable data protection laws.

Liferay has implemented the following technical and organizational measures to protect Personal Data accessed and operated by Liferay employees:
Confidentiality
Physical Access Control
Objective:  No unauthorized physical access to facilities processing Personal Data.

Measures:
  • Facilities processing Personal Data are Google Cloud Platform (GCP) facilities and facilities of other Sub-Processors. GCP is the main storage of personal data.
  • Personal Data can be accessed and stored on Liferay Employee workstations only in order to provide the services to customers. Liferay Employees are prohibited to store Personal Data on any other devices, BYOD or data carriers.
  • Liferay Employee workstation computers have password-protected access, screen-saver locks, disk encryption and an anti-malware solution installed with 24/7 monitoring.
  • Personal Data is not stored in Liferay facilities or Work-From-Home locations; these only provide an internet connection for employees.
Electronic Access Control
Objective:  No unauthorized use of the Personal Data processing and storage systems.

Measures:
  • Liferay uses a centralized Identity Management System and SSO login provider with MFA to protect from unauthorized access to systems. Where not available, non-authenticated access is forbidden, local accounts must use strong passwords and MFA.
  • All Liferay Employees are obliged to use a password management system, verified by Liferay’s committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this password management system. Access to the password management system is protected using a password and a strong key as a second factor.
  • Not only are the systems protected from inappropriate access by employees involved in the performance of the Service (“Team Members”), but also from unwanted access from non-Team Members using authorization access controls.
  • Privileged access to the systems and backups is limited only to selected IT administrators.
  • Firewall rules deny any incoming traffic; only ports 80 and 443 are allowed by default.
  • System access is monitored through audit log alerts.
Internal Access Control
Objective:  No unauthorized reading, copying, changes or deletions of Personal Data within the system (permissions for user rights of access to and amendment of data).

Measures:
  • Only authorized users within Liferay can access the systems and modify Personal Data, access and roles are based on their work department.
  • Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks. The Security Committee is responsible for revoking any unnecessary access when it does not comply with this policy.
  • Access control privileges to systems are assigned to users via user roles wherever possible and practical. Roles are established based upon department and job function and are reviewed and updated when job or departmental functions change.
  • Background checks are executed prior to hiring new employees. Access is removed or reviewed, and credentials and tokens are rotated, upon termination of employment or change of role.
  • Employees are regularly trained on Data Protection and General Security Awareness.
  • When a change to an individual’s access privileges is needed, the employee must contact the Security Committee. Then, at least one of the members of the Security Committee will review the individual's role and make system changes to grant or maintain access. The Security Committee must review all systems and all individuals’ administrator access.
Isolation Control
Objective:  Data isolation during processing of Personal Data, which is collected for differing purposes. 

Measures:
  • Customers' databases are segregated in their own virtual machines and every project environment is segregated on its own private network.
  • No production data is used in any development environment.
  • Personal Data is processed in isolation by sandboxing, separating production vs test systems, logical client separation, physical separation of data (different systems, data carriers), encryption of data processed for same purposes, segmented access control list, or others. 
Pseudonymisation
Objective:  Processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.

Measures:
  • Manual pseudonymisation is applied where reasonably possible.
  • Services provide tools/features to enable pseudonymization/anonymization to be applied by the Customer.
Integrity
Data Transfer Control
Objective:  No unauthorized reading, copying, changes or deletions of Personal Data during electronic transfer or transport.

Measures:
  • All data is encrypted at rest and in transit.
  • All Personal Data is encrypted at rest using AES-256, including but not limited to live systems, databases and backups.
  • Only encrypted network transport protocols (TLS, SSH and similar) are allowed for access and transfer of the Personal Data. It is prohibited to use insecure cryptography ciphers.
Data Entry Control
Objective:  Verification, whether and by whom Personal Data is entered into a Personal Data Processing System, is changed or deleted.

Measures:
  • Data access logs are enabled by Google Cloud Platform.
  • The logs are protected from unauthorized modification by Google Cloud Platform.
  • Liferay DXP service logs the user that created or modified the Personal Data of DXP User data, including date and time.
Availability and Resilience
Availability Control
Objective:  Prevention of accidental or willful destruction or loss.

Measures:
  • System availability is monitored and reported according to Liferay’s System Availability Policy.
  • Liferay operated systems in the cloud are configured with load balancing and auto-scaling to handle spikes in usual load. 
  • In the case of a DoS attack, customers are protected using the standard Google strategy to scale and absorb the attack using Google Cloud Frontend load balancers, Google CDN and WAF rules. Customers using LXC-SM also have the option to purchase Google Cloud Armor to mitigate risks of large DDoS attacks.
Rapid Recovery
Objective:  Prevention of accidental or willful destruction or loss.

Measures:
  • In the event of a DR or BCP scenario, backups can be used to restore systems.
  • Cloud systems use self-healing capabilities to restore availability using Kubernetes Probes.
  • A disaster recovery plan is in place, documented and tested regularly.
  • In the event where an incident requires a full disaster recovery, the entire infrastructure can be brought back online within 2 hours.
  • For the system infrastructure, backup routines are run every 30 minutes, all backups are replicated in different regions, encrypted at rest.  For Personal Data, backup routines are run by default every day and retained for 30 days. All backups are replicated in different regions and encrypted at rest. 
Procedures for regular testing, assessment and evaluation
Objective:  Internal and external technical and organizational measures are up-to-date.

Measures:
  • Liferay performs access audits at least annually.
  • Firewall and network configurations are tested regularly.
  • Applications are tested regularly using SAST, DAST and SCA tools for vulnerabilities.
  • Penetration tests are conducted annually for the Cloud infrastructure and its elements.
  • Systems are continuously monitored for availability and security incidents.
  • All SEV-1 security incidents are promoted immediately to the Security Committee and logged in an incident registry and graded by impact. Incidents are treated by priority and a post mortem root cause analysis is completed by the Security Committee regarding every incident.
  • Liferay External Processors of the Personal Data are reviewed annually based on the respective DPA and TOM documents and additional supporting documentation.
  • This document and protections are reviewed annually.

Other Services

The following describes the technical and organizational measures implemented by Liferay to ensure confidentiality, integrity and availability of Personal Data made accessible to Liferay for purposes of Managed Services on Customer premises.

Liferay uses several systems to manage Personal Data. The systems consist of Customer infrastructure operated by the Customer, external systems provided by Liferay Sub-processors, the runtime services operated by Liferay, hosted on Customer infrastructure and Liferay employee workstations used to remotely manage the solution.

Prior to processing of Personal Data by a Sub-processor, each service or system provided by such a Sub-processor is reviewed and approved based on a vendor assessment, Data Processing Agreement (DPA), Technical and Organizational Measures (TOM) documents and additional supporting documentation describing the respective system protections and compliance with the applicable data protection laws.

Security measures implemented to protect the infrastructure of the environment are the responsibility of customers. Annex A describes recommendations based on the shared responsibility model of the solution.

Liferay has implemented the following technical and organizational measures to protect Personal Data accessed and operated by Liferay employees:
Confidentiality
Physical Access Control
Objective:  No unauthorized physical access to facilities processing Personal Data.

Measures:
  • Facilities processing Personal Data are Customer-chosen facilities in Customer-chosen data locations and facilities of other Sub-Processors. It is the main storage of Personal Data.
  • Customers are responsible for securing physical access to the customer environment with Personal Data.
  • Personal Data can be accessed and stored on Liferay Employee workstations only in order to provide the services to customers. Liferay Employees are prohibited from storing Personal Data on any other devices, BYOD or data carriers.
  • Liferay Employee workstations have password-protected access, screen-saver locks, disk encryption and an anti-malware solution installed with 24/7 monitoring.
  • Personal Data is not stored in Liferay facilities or Work-From-Home locations; these only provide an internet connection for employees.
Electronic Access Control
Objective:  No unauthorized use of the Personal Data processing and storage systems.

Measures:
  • Liferay access to the customer environment with Personal Data is through a bastion host protected by authentication with a strong password and 2FA, with audit logging. The bastion host allows network connections only from Liferay facilities.
  • Liferay owned systems use a centralized Identity Management System and SSO login provider with MFA to protect against unauthorized access to systems. Where not available, non-authenticated access is forbidden and local accounts must use strong passwords and MFA.
  • All Liferay Employees are obliged to use a password management system, verified by Liferay’s committee for security and dependability (“Security Committee”). All Services related account credentials must be stored in this password management system. Access to the password management system is protected using a password and a strong key as a second factor.
  • Not only are the systems protected from inappropriate access by employees involved in the performance of the Service (“Team Members”), but also from unwanted access from non-Team Members using authorization access controls.
Internal Access Control
Objective:  No unauthorized reading, copying, changes or deletions of Personal Data within the system (permissions for user rights of access to and amendment of data).

Measures:
  • Only authorized users within Liferay can access the systems and modify Personal Data; access and roles are based on their work department.
  • Individuals are prohibited from accessing information they otherwise would not have a need to know, unless required to do so in the performance of specific authorized tasks. The Security Committee is responsible for revoking any unnecessary access when it does not comply with this policy.
  • Background checks are executed prior to hiring new employees. On termination of employment or change of role, access is removed or reviewed and credentials and tokens are rotated.
  • Employees are regularly trained on Data Protection and General Security Awareness.
  • When a change to an individual’s access privileges is needed, the employee must contact the Security Committee. Then, at least one of the members of the Security Committee will review the individual's role and make system changes to grant or maintain access. The Security Committee must review all systems and all individuals’ administrator access according to the Compliance Monitoring Policy.
Isolation Control
Objective:  Data isolation during processing of Personal Data, which is collected for differing purposes.

Measures:
  • The service is deployed and running in an isolated environment. Customers are responsible for isolating the Managed Service environment and networks from the rest of their infrastructure.
  • Liferay operated databases are stored in isolated services created only for the purpose of this solution.
  • Liferay operated non-production environments are isolated from production environments; no production data is used in any development environment.
Pseudonymisation
Objective:  Processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.

Measures:
  • Manual pseudonymisation is applied where reasonably possible.
  • If any data is extracted outside the customer environment, the data is pseudonymised using AES-256 encryption. All encryption keys are safely stored in Liferay’s secrets management solution with limited access.
Integrity
Data Transfer Control
Objective:  No unauthorized reading, copying, changes or deletions of Personal Data during electronic transfer or transport.

Measures:
  • Customer is responsible for encrypting data at rest and in transit.
  • Liferay access to the bastion host is protected with TLS, SSH or similar.
  • Liferay Employees are required to use only encrypted network transport protocols (TLS, SSH and similar) for access and transfer of the Personal Data. It is prohibited to use insecure cryptographic ciphers.
Data Entry Control
Objective:  Verification, whether and by whom Personal Data is entered into a Personal Data Processing System, is changed or deleted.

Measures:
  • Liferay access to the customer environment is recorded through the bastion host with audit logs.
  • Web server access logs are recorded and stored.
  • Customer is responsible for providing backup storage for logs and protecting the data from unauthorized modification or deletion.
  • The Liferay DXP service logs the user who created or modified the Personal Data of DXP User data, including date and time.
Availability and Resilience
Availability Control
Objective:  Prevention of accidental or willful destruction or loss.

Measures:
  • System availability is monitored and reported to customers in case of any disruptions.
  • Liferay provides and manages a fail-over environment with optional load-balancing to ensure data availability. When requested by the Customer, auto-scaling with load-balancing of services can be enabled.
  • Customers are responsible for providing external CDN services, if needed.
  • In case of (D)DoS attack risk, customers are strongly encouraged to protect their infrastructure using Web Application Firewalls or other security solutions.
Rapid Recovery
Objective:  Prevention of accidental or willful destruction or loss.

Measures:
  • In the event of a DR or BCP scenario, backups are used to restore systems.
  • A disaster recovery plan is in place, documented and tested regularly.
  • In the event that an incident requires a full disaster recovery, customers are responsible for saving and restoring backups of the underlying infrastructure (VM, network, disk storage, etc.). Liferay is responsible for backup and restore of the deployed solution and the data.
  • Liferay data backup routines are run every 4 hours. Backups with customer data are stored in customer provided storage. Configuration management of deployed Liferay services is stored externally in a private secure GitHub repository.
  • Customers are responsible for the retention date of the storage data for Liferay to be able to restore the systems.
  • Customers are advised to have off-site storage replication to avoid data loss in case of environmental disaster.
Procedures for regular testing, assessment and evaluation
Objective:  Internal and external technical and organizational measures are up-to-date.

Measures:
  • Liferay performs access audits at least annually.
  • Customers are advised to test firewall and network configurations regularly.
  • Liferay products are tested regularly using SAST, DAST and SCA tools for vulnerabilities. Penetration tests are conducted annually. Security audits of the deployed product configurations are executed annually.
  • Customers are advised to execute penetration tests at least annually.
  • Liferay External Processors of the Personal Data are reviewed annually based on the respective DPA and TOM documents and additional supporting documentation.
  • This document and protections are reviewed annually.

Annex A: Shared responsibility model for Liferay Managed Services on Customer Premises

The following list describes recommended security measures to be implemented by Customers to protect Personal Data processed and saved in Customer infrastructure.

Physical Access Control
  • Customers must ensure only authorized personnel have access to the physical locations where Personal Data is stored and processed. Using CCTV or other area monitoring systems with alarms is recommended. Access to the locations must be protected with physical keys and/or access cards with audit logs enabled and monitored.
  • All data at rest must be encrypted, including backups.
Electronic and Internal Access Control
  • Customers are responsible for securing other access to the customer environment with Personal Data including, but not limited to, firewall rules, proper authentication and authorization access controls and securing access credentials.
  • Electronic access to the operating systems must be protected by password and ideally a second factor using hardware keys.
  • Reusing accounts is not recommended; every authorized user must have separate access credentials and a separate OS user.
  • Customer is responsible for providing and maintaining secure storage for secrets, credentials and keys that are used by the solution. Customer is responsible for applying a proper key management lifecycle.
Isolation Control
  • The physical or virtualized environment used for the purpose of this service must be isolated from the rest of the Customer’s environment using physical or logical security measures.
  • Customers must provide isolated development, test and production environments for Liferay to deploy and maintain the solution.
  • Storage for backups must be separated from the other storage to preserve durability and ensure correct retention control.
Pseudonymisation
  • When Personal Data is processed outside the regular operations of this service, Customers are advised to apply any pseudonymisation available, either by sanitizing/removing Personal Data or by encrypting.
Data Transfer Control
  • Customer is responsible for encrypting data at rest and in transit. Customers are strongly encouraged to encrypt all Personal Data using TLS 1.2, AES-256 and RSA 2048/Ed25519 or higher.
  • Customer environment must be configured to allow only encrypted inbound connections that carry Personal Data.
  • Customers must encrypt any internal network connections between physical servers.
  • Any media or data carriers used for backups must be encrypted at rest.
Data Entry Control
  • Customers must ensure they log and audit Personal Data modifications of their employees and any personnel with access to the Personal Data.
  • Customers must protect the audit logs from unauthorized modification or deletion. 
Availability Control
  • Storage for the systems and backups must be protected against ransomware attacks.
  • Customers are advised to provide external CDN services and protect their infrastructure against (D)DoS attacks.
Rapid Recovery
  • Customers are responsible for backing up and restoring the infrastructure used to run the solution. 
  • Customers are responsible for controlling the retention date of the backup storage for Liferay to be able to restore the services in a timely manner.
  • Customers are advised to have off-site storage replication to avoid data loss in case of environmental disaster.
Certifications
For further detail regarding security of Liferay’s cloud offerings, please visit the applicable Liferay Security page.