Compliance

OutSystems undergoes regular verification of security and compliance controls enabling you to fulfill your policies and to keep your data private.

Meet your requirements using OutSystems.

Security and Compliance Overview

To learn more about the OutSystems security and compliance posture, see our Security and Compliance Overview page.

SOC 2 Compliance

OutSystems provides a SOC 2 compliant cloud offer. Service Organization Controls (SOC) reports demonstrate our commitment to securing your data. The AICPA defines their purpose as follows:

“A Software-as-a-Service (SaaS) or Cloud Service Organization that offers virtualized computing environments or services for user entities and wishes to assure its customers that the service organization maintains the confidentiality of its customers’ information in a secure manner and that the information will be available when it is needed.”

Our SOC 2 report is available to customers under NDA and can be accessed by contacting your account manager.

Quality, Information Security, and Business Continuity

The OutSystems mission is to help our customers innovate faster. OutSystems works toward this mission by ensuring that the OutSystems platform consistently delivers benefits to customers. Our purpose is to protect all forms of information with improved resilience, thereby creating lasting relationships that guarantee customer success. To that end, OutSystems has implemented an Integrated Management System for Quality, Information Security, and Business Continuity, in the scope of OutSystems Support services, in its offices located in Portugal, Japan, and Malaysia.

ISO Certifications

ISO 27001 Certification

OutSystems is certified as compliant with the ISO 27001 and ISO 22301 standards, two key international standards governing information security management and business continuity management. Adherence to these standards assures that your data and services are protected to the fullest extent possible.

ISO 27001 is the international standard for information security management. ISO 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and achieve preferred supplier status, which helps win new business.

ISO 22301 Certification

ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents. ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

ISO 27017 Certification

OutSystems is certified as compliant with the ISO 27017 and ISO 27018 standards, which define security requirements for today's fastest-growing industry: cloud computing.

ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. It demonstrates OutSystems' ongoing commitment to globally recognized best practices to make cloud services as safe and secure as the rest of the data included in our certified information management system.

ISO 27018 Certification

ISO 27018 is a code of practice that focuses on the protection of personal data in the cloud. It provides implementation guidance on controls applicable to Personally Identifiable Information (PII) in the public cloud. The third-party assessment of this internationally recognized code of practice demonstrates our commitment to the privacy and protection of customers' data, ensuring that their data will only be used for the agreed purposes.

ISO 9001 Certification

OutSystems is certified as compliant with ISO 9001, the international standard for quality management. With over 1.1 million sites certified worldwide, ISO 9001 is the world's best-known quality management standard for companies and organizations of any size. ISO 9001 helps organizations demonstrate to customers that they can offer products and services of consistently good quality. It also acts as a tool to streamline processes and enhance effectiveness.

Health Insurance Portability and Accountability Act (HIPAA)

OutSystems Sentry has been attested to comply with the HIPAA security requirements. The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides data privacy and security provisions for safeguarding medical information.

After executing a Business Associate Agreement, customers can securely process and store electronic protected health information (ePHI) in the OutSystems Sentry Cloud.

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

As part of our commitment to security best practices in cloud computing, OutSystems is a member of the CSA. In addition, we have completed the CSA STAR Self-Assessment and published the results to their website.

Center for Internet Security (CIS) SecureSuite® Member

Membership in CIS’ SecureSuite gives OutSystems access to numerous assessment tools and compliance benchmarking and reporting capabilities to help ensure that we are building the most up-to-date security protections into our platform. CIS membership also lets us track our internal information and communications technologies, and our customers’ cloud-based systems’ compliance over time, which helps us respond to changes in benchmark recommendations or compliance updates quickly, for a more agile cybersecurity posture.

PCI Data Security Standard SAQ D Service Provider

PCI DSS SAQ D was developed to provide a streamlined set of requirements for merchants and service providers that process cardholder data and online payments, allowing them to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) in a comprehensive yet efficient manner.

The OutSystems PCI DSS SAQ D Attestation of Compliance, issued by a PCI Qualified Security Assessor, demonstrates to our customers, the card brands, and other relevant parties that OutSystems, as a service provider, has taken the appropriate security measures to protect cardholder data and to ensure that a secure environment is consistently maintained throughout all payment processing operations, in use cases where the merchant's cardholder data functions are outsourced to validated third parties.

TISAX Assessments

The ENX Association supports TISAX (Trusted Information Security Assessment Exchange) on behalf of VDA, enabling the common acceptance of information security assessments in the automotive industry. TISAX assessments are conducted by audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public.

For OutSystems, the confidentiality, availability, and integrity of information have great value. We have taken extensive measures to protect sensitive information. Therefore, we follow the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The assessment (Assessment-ID AZ2NY1-1) was conducted by an independent TISAX audit provider, covering our OutSystems Cloud Sentry offer (Scope-ID SLF9L6). The result is available through the ENX Portal.

Privacy and Data Protection

OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems Cloud.

  • We carefully control employee access to your data and applications based on the task being performed.
  • Customers can choose the region for their data to comply with data residency regulations.
  • You can access your own customer data at any time with your own tools during your OutSystems Cloud subscription. If you end your OutSystems Cloud subscription, established standards and processes govern how we remove your customer data.

"OutSystems has an extensive track record meeting strict security requirements in heavily regulated industries such as financial, healthcare, and defense. We are constantly looking for ways to strengthen the trust relationship with our customers through increased transparency and security controls."

José Casinha
OutSystems CISO