Security: A Continuous Commitment, Not a Milestone
At Akeneo, we continuously strengthen our information security program and integrate security into all our operations. Our processes, products, and culture are designed to protect customer data, ensuring that security is an integral part of how we build, operate, and innovate.
Our security program follows a principle of continuous improvement, combining strong governance, employee awareness, and robust technical controls to ensure the confidentiality, integrity, and availability of customer data.
Certifications and Compliance
Akeneo’s commitment to security is backed by its ISO 27001:2022 certification and SOC 2 Type I compliance. Together, these frameworks ensure well-designed, effective controls and reinforce our commitment to trust, transparency, and resilience across all products and services.
- ISO 27001:2022 Certified
Akeneo’s Information Security Management System (ISMS) is certified to ISO 27001:2022 by an independent accredited auditor. This certification covers our organization, infrastructure, policies, and products, confirming that our information security practices meet globally recognized standards.
- SOC 2 Type I Attested
Akeneo is SOC 2 Type I compliant, demonstrating our commitment to robust security and industry best practices. This independent attestation confirms that our controls are properly designed and independently verified.
- Data Privacy Commitments
We comply with global data protection laws including the GDPR (EU) and CCPA (U.S.). Akeneo does not process personal data from our customers’ end users and only handles a limited amount of customer PII necessary to deliver our products and services. Customers act as data controllers and retain full ownership and control of their clients’ personal information.
Governance and Leadership
Akeneo’s security program is led by the Director of Information Security, supported by the Security and Compliance team, and regularly reviewed by Akeneo’s senior leadership, including our CTO and CPO. This team defines, enforces, and continuously reviews security policies via our Information Security Management System (ISMS), integrating controls aligned with ISO 27001:2022, SOC 2, and GDPR requirements.
Regular internal and external audits, risk assessments, and management reviews ensure that our program evolves with emerging threats and business needs.
How We Protect Customer Data
Security Awareness & Culture
- All employees receive mandatory security awareness training upon onboarding and periodically thereafter.
- Technical roles (engineering, operations, support) complete specialized training on secure coding, cloud security, and incident response.
- Phishing simulations, tabletop exercises, and periodic awareness campaigns reinforce our security culture.
Identity and Access Management
- Access to production and internal systems is secured through Single Sign-On (SSO) via a best-in-class Identity Provider (IdP), combined with Multi-Factor Authentication (MFA).
- Role-Based Access Control (RBAC) ensures users have only the permissions they require.
- Periodic access reviews are performed, and time-bound access is automatically revoked once no longer needed.
Network & Infrastructure Security
- Akeneo’s production environments are hosted on Google Cloud Platform (GCP), benefiting from Google’s security standards.
- Segregation of environments is enforced via network segmentation at both the project and environment levels within GCP. Development and production environments are fully isolated in separate GCP projects to ensure strict separation of resources, access, and data flows.
- Public exposure is restricted to HTTPS-only endpoints, and all network activity is continuously monitored via a Security Information and Event Management (SIEM) system.
- Firewall rules and VPC configurations are defined and version-controlled.
Endpoint & Workspace Protection
- All company laptops are managed and monitored via a Unified Endpoint Management (UEM) solution and protected by Endpoint Detection and Response (EDR) tools.
- Security measures include disk encryption, screen-lock enforcement, automatic patching, and web filtering.
Backup & Business Continuity
- Customer data backups are encrypted, immutable, replicated across multiple regions, and tested regularly.
- Recovery Point Objective (RPO): ≤ 24 hours | Recovery Time Objective (RTO): ≤ 4 hours.
- Annual Disaster Recovery Plan (DRP) simulations validate effectiveness under our Business Continuity Framework.
Application Security
Security is embedded in Akeneo’s Software Development Life Cycle (SDLC).
- Secure by Design: Security is considered from the earliest stages of application design. We assess potential security impacts upfront to ensure risks are identified early and appropriate safeguards are built into our products, creating a strong and secure foundation.
- Secure Coding: Developers follow OWASP Top 10 and receive continuous secure development training.
- Code Review & Testing: All commits go through peer review, automated security scanning, and controlled CI/CD pipelines.
- Dependency Management: Only approved libraries and base images are used, and vulnerabilities are monitored and remediated promptly.
- Penetration Testing: Independent third-party penetration tests are conducted annually, and findings are remediated according to defined SLAs.
Incident Detection and Response
- Continuous monitoring through our SIEM and Google Cloud audit logs detects anomalies and suspicious activity.
- A dedicated Incident Response Plan defines escalation paths, communication protocols, and containment procedures in line with ISO 27001, SOC 2, and security best practices.
- Incidents are tracked in our ticketing system, and lessons learned are reviewed in post-mortems and integrated into our continuous improvement process.
- The Security Team conducts periodic tabletop exercises to validate readiness.
Data Protection & Privacy
- Encryption: All customer data and backups are encrypted in transit (TLS 1.3) and at rest (AES-256) in Google Cloud Platform.
- Data Segregation: Each customer’s data is logically isolated at both the application and database level.
- Access to Customer Data: Akeneo personnel may access customer environments solely for troubleshooting or support, under strict authorization and auditing.
- Privacy by Design: Akeneo’s solutions are built to primarily process product data rather than end-user personal data. In normal use, personal data is limited to user account details (such as names and email addresses). If customers choose to store additional personal data in the platform, it is protected by the same security controls as all other data, while customers, as data controllers, remain responsible for meeting their own obligations under applicable data protection laws.
Shared Responsibility Model
Security is a shared responsibility between Akeneo and its customers:
- Akeneo secures the platform, infrastructure, and operations.
- Customers manage user access, data accuracy, and integrations (APIs, middleware).
- We encourage customers to enable SSO, use strong authentication, and store only product-related data.
Transparency and Continuous Improvement
Security evolves constantly. Akeneo continuously refines its controls based on:
- Audit results and risk assessments.
- Emerging cybersecurity trends and threat intelligence.
- Feedback from customers, partners, and auditors.
Our commitment is simple: your trust is our most valuable asset.
AI Security & Compliance
Akeneo’s approach to AI security builds on the same foundations that support our ISO 27001:2022 certification and SOC 2 Type I compliance. AI features are built into our governance, risk management, and secure development processes. Key controls include:
- Integrated Governance: AI risks and controls are managed via our certified Information Security Management System (ISMS), ensuring all AI-related changes are reviewed and documented.
- Secure Architecture: Safeguards such as a Prompt Encapsulation Layer and strict multi-tenant data isolation protect customer data and prevent cross-tenant access.
- Data Protection: Akeneo uses enterprise-grade AI APIs that prohibit data use for model training. All data, including prompts and responses, is encrypted in transit (TLS 1.3+) and at rest (AES-256).
- Continuous Validation: AI features are covered by our vulnerability management, penetration testing, and AI-specific threat modeling.
- Regulatory Alignment: Akeneo monitors and aligns, as needed, with emerging AI frameworks (EU AI Act, ISO 42001), ensuring our practices remain consistent with global standards for trustworthy and transparent AI.
Contact & Resources
For more information or to request documentation (e.g., SOC 2 Type I report, ISO certificate, or security white papers), please contact: 📧 [email protected] or reach out to your Customer Success Manager.