OutSystems Security Overview

In the landscape of digital transformation and mounting cyber threats, OutSystems places paramount importance on enterprise security. We recognize how critical it is to safeguard not only our high-performance low-code development platform but also the entire organization and the universe of applications built by our customers. Our dedication to security extends beyond ensuring the integrity of our end-to-end operations; it encompasses the protection of our customers' most sensitive data. Our platform allows customers to build secure applications, leveraging OutSystems technology and cloud based services without requiring deep technical expertise in security.

Such a rigorous stance on security extends across all facets of our low-code development platform. Our commitment to end-to-end elite security enables us to protect digital portfolios and empower organizations to thrive securely in the digital landscape. The most important aspects of our security posture are as follows.

Table of contents

• Security certifications
• Incident response
• Application security
• Secure mobile application development
• Access control
• Data protection
• Network security
• Deployment and infrastructure

Security certifications

To ensure security in cloud computing, we are a member of the CSA (Cloud Security Alliance). Our membership in the Center for Internet Security (CIS) SecureSuite provides access to assessment tools, compliance benchmarking, and reporting capabilities, enabling us to incorporate the latest security protections into our platform. It also allows us to monitor internal technologies and customer cloud-based systems for compliance, ensuring a proactive and adaptable cybersecurity approach.

Both the internal processes of OutSystems and the OutSystems low-code development platform are certified in a wide range of industry-standards, including:

• GDPR
• HIPAA
• ISO 22301
• ISO 27001
• ISO 28001 SoA
• ISO 27017
• ISO 27018
• ISO 9001
• PCI DSS
• SOC 2
• TISAX

Learn more about OutSystems certifications, governance, and compliance

Incident response

To ensure we rigorously protect your applications, we have set up a dedicated Computer Security Incident Response Team (CSIRT) that is responsible for security monitoring and investigating cyber attacks and intellectual asset loss. The mission of the OutSystems CSIRT includes conducting comprehensive investigations, proactive threat assessment, incident trend analysis, security architecture review, and vulnerability management to prevent incidents and preserve the integrity of your company, systems, and data.

Learn more about our threat intelligence and incident response approach

Application security

At OutSystems, we understand the significance of secure application development, and because of that, proactive platform upgrades include the latest security features and fixes available to all customer applications. A wide array of available prebuilt components simplifies security-related tasks like data encryption and identity management integration. Additionally, a vast list of security measures enable us to implement protections against the top security threats identified by OWASP, such as:

• Role-based access controls that enable the right team members to make changes and deploy applications.
• Generated code that defends against common threats like SQL and JavaScript injection.
• Continuous validation of OutSystems-generated code security, using advanced vulnerability scanning during regression testing.
• IDE (OutSystems visual IDE) warnings for developers about unsafe application patterns, detecting risks such as code injection, cross-site scripting, unvalidated redirects, and data isolation violations.

Learn more about how we ensure the applications you build are fully secure

Secure mobile application development

Our platform offers dedicated mechanisms and best practices to ensure that your mobile applications align with the latest and most stringent mobility security guidelines. OutSystems addresses modern cyber threats with AppShield, a dedicated capability that hardens the protection of native Android and iOS apps. It adds layers of security during deployment to resist intrusion, tampering, and reverse engineering. When they use AppShield, OutSystems customers are also protected from compromised devices, repacked apps, code injection, and unauthorized access through lost or stolen devices. AppShield is a straightforward add-on with a simple implementation that does not require coding expertise.

Learn more about building secure mobile applications with OutSystems

Access control

The OutSystems identity service ensures seamless authentication and authorization, providing role-based access to secured screens, data, and logic flows. Administrators have complete control over permissions, enabling developers, DevOps engineers, and architects to access only the tools necessary to perform their roles. Our formal logical access procedure guarantees authorized employee access, assigning unique user IDs through request, approval, and provisioning processes. For a seamless login experience across apps, OutSystems supports single sign-on (SSO) and external authentication methods.

Learn more about how the OutSystems platform eases implementation of access controls

Data protection

Safeguarding customer data and preventing loss, unauthorized access, misuse, disclosure, alteration, or destruction are among our top priorities. We employ a range of security measures for your data that allow you to choose the region of your choice and that address compliance with data residency regulations.

Access to customer data in OutSystems is restricted to the OutSystems support team and used solely for essential service provisioning. Additionally, and to minimize potential data loss, OutSystems automatically backs up production databases and allows database restoration to any point in the retention period. Our platform considers data classification for appropriate access controls and also follows stringent encryption practices.

Learn more about how you can safeguard your data with the OutSystems platform

Network security

OutSystems shields your applications and data with robust intrusion detection technology. For additional fortification against cyberattacks, OutSystems uses state-of-the-art technologies such as AWS Shield and content delivery networks (CDN), all in secure cloud environments that ensure complete customer infrastructure isolation for maximum data privacy and security. Additionally, you can also seamlessly integrate your on-premises infrastructure with OutSystems Cloud for streamlined and secure data flow.

Learn more about network security with OutSystems

Deployment and infrastructure

To ensure secure communication between clients and browsers, OutSystems-built applications run in secure app containers with protected API endpoints. Also, and by following an infrastructure as code (IaC) approach, OutSystems enables automated procedures and eliminates manual errors. Infrastructure source files are scanned to uncover any misconfigurations or policy issues that may impact security and compliance. Lastly, for physical infrastructure security, OutSystems is hosted in secure and certified data centers through Amazon Web Services (AWS). These data centers implement multiple layers of operational and physical security to ensure the safety and integrity of your data.

Learn more about deploying apps with OutSystems and its secure underlying infrastructure