OutSystems Security

At OutSystems we believe you have a right to understand how we protect your applications and customer data. Our approach includes industry best practices and lessons learned from over 15-years of experience dealing with constantly evolving security threats.

José Casinha

“OutSystems has an extensive track record meeting strict security requirements in heavily regulated industries such as financial, healthcare, and defense. We are constantly looking for ways to strengthen the trust relationship with our customers through increased transparency and security controls.”

José Casinha, OutSystems CISO



Application Security

Web and mobile applications built using OutSystems are protected by default from the top security threats identified by OWASP. OutSystems low-code approach accelerates the development of secure applications in the following ways:

  • Each platform upgrade automatically incorporates the latest security features into all of your applications

  • Pre-built components simplify security-related tasks such as encrypting data at rest or integrating with Identity Management systems

  • Role-based access ensures the right team members have access to change and deploy applications

  • With each release, generated code is assessed for vulnerabilities using static code analysis tools

Learn more about application security

Infrastructure Security

Infrastructure Security

When leveraging the OutSystems Cloud to build and run your applications, you can rely on state-of-the-art security encompassing:

  • Dedicated virtual private cloud (VPC) infrastructure for all customers, secure access to on-premises systems with VPN, and easy uploading of custom SSL/TLS certificates

  • Proactive updating of operating system and application servers with updates and patches, including notification to customers for security-related issues

  • Penetration testing and vulnerability scanning support for customer applications

Learn more about infrastructure security

Security Operations

Security Operations

OutSystems maintains a robust set of operating procedures including:

  • Formal hiring procedures for employees and contractors including background checks

  • A dedicated security response team managing security threats 24/7 and proactively monitoring reputable industry sources for new security vulnerabilities

  • Security requirements built into our entire software lifecycle, from planning through deployment

  • A comprehensive business continuity strategy to protect the essential functions of the organization in the event of a disaster

Learn more about security operations

Compliance and Data Privacy

SOC 2 Compliance

SOC 2 Compliance

OutSystems is SOC 2 compliant. Service Organization Controls (SOC) reports demonstrate our commitment to securing our customers’ data. The AICPA defines their purpose as follows:

“A Software-as-a-Service (SaaS) or Cloud Service Organization that offers virtualized computing environments or services for user entities and wishes to assure its customers that the service organization maintains the confidentiality of its customers’ information in a secure manner and that the information will be available when it is needed.”

Our SOC 2 report is available to customers under NDA and can be accessed by contacting your account manager.

Download our SOC 3 report

Data Center Compliance

Data Center Compliance

The OutSystems Cloud physical infrastructure is hosted within Amazon Web Services’ (AWS) secure and certified data centers.

  • AWS data centers have multiple layers of operational and physical security to ensure the integrity and safety of data.

  • AWS data center operations have been accredited under several security compliance standards, such as ISO 27001, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FedRAMP, and FIPS 140-2.

  • Take advantage of the security and reliability of Microsoft Azure with OutSystems on Azure, or run OutSystems in your own secure data center

Learn more about data center security and compliance

Privacy and Data Protection

Privacy and Data Protection

OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems Cloud.

  • We carefully control employee access to your data and applications based on the task being performed.

  • Customers can choose the region for their data to comply with data residency regulations

  • You can access your own customer data at any time with your own tools during your OutSystems Cloud subscription. If you end your OutSystems Cloud subscription, established standards and processes govern how we remove your customer data.

Learn more about privacy and data protection

Read our privacy statement

contact pricing