Akeneo focuses on improving information security and embedding security into all operations. Our operational processes help us to deliver reliable and secure services. We ensure the Akeneo employees are well-trained to protect client data and assets. We work with partners and suppliers who focus on security in our collaborations.
An Information Security Management System (ISMS) formalizes Akeneo’s security strategy. The ISMS is compliant with the ISO27001 standard. The framework has global policies for main security measures from the standard.
Our top managers lead the security policy and enforce it in the organization.
The Information Security Manager (ISM) is in charge of enforcing the security policy. He works with stakeholders to define risks, uses control, makes sure of compliance, and manages security measures.
Our security team’s main mission is to enforce security measures that follow the ISO27001 standard. They work with the ISM to make sure everyone in the organization is aware of security risks and follows security policies.
We use a risk management system that follows ISO 27005 standards. This helps us decide what security measures are most important and lowers the risks that could affect your data.
Akeneo is an ISO27001-certified cloud SaaS vendor. We commit to complying with GDPR and CCPA regulations. We have two goals for our ISMS: improving our security standards and promoting a secure culture. Also, we want to provide strong security assurance to our third parties.
Akeneo focuses on managing identity and access securely.
Authentication: We use personal identifiers for user identification. Our access policies have strong requirements, like a 10-character password and mandatory multi-factor authentication. We also use Single Sign-On for tools and services.
Authorization: We control access to customer environments, in line with the least privilege principle. Only teams that handle support and operations have access. Akeneo employees can only access customer environments for troubleshooting.
Audit logs: All changes in the production environments are logged. Those logs are used to detect malicious behavior.
Authentication: Akeneo’s products allow users to log in with a username and password. We strongly recommend setting up SAML Single Sign-On for a more secure authentication process.
Authorization: Akeneo offers Role-Based Access Control (RBAC) to protect data based on domain-specific requirements.
Logical isolation between customers is a key principle of our data protection strategy. Each customer’s data and features are isolated at the application and database levels. This segregation undergoes rigorous testing during security penetration tests, assuring the resilience of our protective measures.
Akeneo uses encryption at rest and in transit. Akeneo encrypts all stored data, including backups, using AES-256 on Google Cloud Platform. Google Cloud handles the encryption keys and infrastructure. Data in transit is protected with TLS v1.3.
Akeneo has put procedures in place in order to comply with the GDPR and CCPA regulations. Akeneo solutions are not designed to store and process Personal Data (PD). In most situation, the only personal data process in Akeneo’s products are email login for users. Akeneo acts as a processor and Akeneo’s customer is the controller of the data processing.
Google Cloud Platform (GCP) handles the physical infrastructure of our products. Hence, GCP takes full responsibility for its security. Akeneo focuses on the virtual infrastructure.
We use Infrastructure as Code (IaC) to set up GCP-managed infrastructures. Real-time data from GCP ensures continuous monitoring for proactive infrastructure security.
The security team watches for changes in GCP-managed infrastructures using our SIEM system. This helps identify any problematic behavior.
Strict limitation control access to GCP-managed infrastructures. Only a small, well-trained group has access, and it’s limited to short durations.
Akeneo prioritizes security in the development of its products to protect against potential threats. Here’s how we prioritize security at every stage:
During the design stage, ADRs (Architecture Decision Records) include a detailed security impact analysis. Taking action early helps create a strong foundation for a safe application design.
Highly skilled software engineers with security knowledge implement changes. They receive regular training to stay updated on threats and best practices. We carefully review code changes for quality and adherence to best practices.
Before changes are made, thorough reviews are done to check how they might affect security. These careful checks make sure that only secure and reliable code is used.
Critical vulnerabilities are fixed within a day and important ones within a week.
Every year, contractors conduct penetration tests on our products. This ensures an unbiased evaluation of our security measures. The results of penetration tests are addressed in the same manner as any other vulnerability.
As a SaaS vendor, we are responsible for securing the data you entrust to us. However, you are responsible for your access control and the data that you choose to store in the application.
Since you know who needs to access what, you are responsible for giving permission to read, modify, import, or export data from Akeneo products. You are also responsible for the nature of the data. We assume you stored only product-experience-related data in Akeneo products. The following types of data are considered out of the scope of PXM products:
When integrating, the client is responsible for security. When data goes through a client’s API or custom middleware with our API client, the service operator (like the client’s IT or a tech partner) is responsible for the data security.
All subparts of our services are monitored to detect degradation of the service. Our SREs organize a 24/7 on-call service and have all the documentation and tools needed to restore the service.
Our SIEM gathers security-relevant data (signal) from audit and access logs and the thread detection system. The security team leverages the SIEM to detect threats from external and internal actors. Upon detection of a security incident, a dedicated response team is swiftly assembled. The team has three important tasks. They investigate, contain the threat, and eradicate the security issue.
At Akeneo, our Disaster Recovery Plan (DRP) is designed to minimize the impact of adverse situations on our clients. We prioritize our recovery actions based on what matters most to your business. We test the plans regularly to make sure they work when needed. During these tests, we focus on meeting our service level commitment by closely monitoring the recovery time. During the recovery process, we ensure that our security standards stay in place.
All involved personnel conduct a detailed post-mortem analysis after service recovery. The goal is to address the threat and prevent it from happening again. We use post-incident analyses to improve our security and protect against future threats.
