This statement is issued to support Axway’s Security Policy which defines the security framework at Axway. It declares Axway’s commitment to provide products and services that meet or exceed our external and internal customers' security requirements and to continually improve our efficiency and effectiveness in doing so.
Security at Axway is designed, operated and controlled to continually assure that:
- Axway’s infrastructures and assets are protected
- Customer data that are stored and processed as part of the SaaS and Cloud services we provide are protected
- Products and services that Axway builds and sells are secured-by-design and tested to comply with industry level security best practices
- Axway complies with data protection regulations, including EU GDPR and US HIPAA
Axway Security Policies and Procedures: All security policies and procedures are documented as part of our Information Security Management System (ISMS) and Axway employees and contractors, acting on Axway’s behalf, are required to cooperate and support Axway’s pursuit of security and continual improvement and to adhere to the policies and procedures contained within the ISMS.
Certifications and Audits: Axway maintains several certification programs and is audited annually by reputable external auditing agencies on security standards including:
- ISO 27001:2013
- AICPA/SOC2 Type II
- Common Criteria
Axway is also regularly audited by many of our customers. We take these audits seriously and value the feedback from our customers. The audit findings are remediated by Corrective Actions, entered in our CAPA management system, and we work with our customers to develop agreeable action plans to make any improvements needed to our processes.
Secure Software Development Lifecycle (SSDLC): Axway continually examines security tools and methodologies. Our SSDLC methodologies and processes include best practices adopted from Build Security-In Maturity Model (BSIMM) and OWASP Open Source Software Assurance Maturity Model (OpenSAMM). Axway’s SSDLC defines the secure development procedures and security gates to be reached by each Axway product before being released to customers. Our secure development controls include:
- Security of communication protocols and OWASP best practices
- Threat Modeling
- Third party / open-source software composition analysis (SCA)
- Attack surface analysis
- Dynamic application security testing (DAST)
- Static application security testing (SAST)
- Container security analysis
- Manual pentesting
Developer Security Training: Axway R&D teams undergo continual training to reinforce security topics, using commercial training platforms and in-house developed classes and materials, including:
- Mandatory secure development training completed by all developers covering a wide spectrum of Application Security topics
- Supplemented by internal security education workshops
- Bi-Annual training to keep skills current
- Advanced Role-based Certifications and Training for developers
- Hands-on Programming Challenges, Assessments, and Tournaments
Penetration Tests: Axway performs its own penetration testing as needed by security requirements and works with Customers to organize specific penetration tests as required by their company’s requirements.
Data Protection: Axway maintains HIPAA and GDPR compliance through a thorough set of policies and procedures which guide best practice behavior of our IT and consulting organizations, provide processes for risk assessment and risk management, and drive action plans to resolve issues in a timely manner.
Other Compliance Programs: In parallel with our Security Management Program, Axway has an active Quality Management Program, driven by the requirements of ISO 9001:2015. Axway maintains certification for ISO 9001 that covers our Customer Success Organization (Technical Support, Professional Services, Managed Cloud Services).
Responsible Disclosure: If you’ve discovered a security vulnerability, we want to hear about it. Please see our policy to disclose in a responsible manner.
To report a security finding, please email us at firstname.lastname@example.org.
Axway requests that you don’t post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability. We’ll work with you to make sure we understand the scope of the issue and fully address any potential security issues.