Security
OutSystems dramatically accelerates application development. This speed cannot be at the expense of security.
OutSystems provides a secure runtime environment and the tools necessary for secure development.
Application Security
Web and mobile applications built using OutSystems are protected by default from the top security threats identified by OWASP. The OutSystems low-code approach accelerates the development of secure applications in the following ways:
- Each platform upgrade automatically incorporates the latest security features into all of your applications.
- Pre-built components simplify security-related tasks such as encrypting data at rest or integrating with Identity Management systems.
- Role-based access ensures the right team members have access to change and deploy applications.
- With each release, generated code is assessed for vulnerabilities using static code analysis tools.

"OutSystems Sentry gave us the peace of mind we were looking for, which was important considering we are handling sensitive financial data for hundreds of credit unions and millions of their members."
Jim Horlacher
EVP, Chief Information Officer
Infrastructure Security
When using the OutSystems Cloud to build and run your applications, you can rely on state-of-the-art security encompassing:
- Dedicated virtual private cloud (VPC) infrastructure for all customers, secure access to on-premises systems with VPN, and easy uploading of custom SSL/TLS certificates.
- Proactive updating of operating systems and application servers with updates and patches, including notification to customers for security-related issues.
- Penetration testing and vulnerability scanning support for customer applications.
Security Operations
OutSystems provides a dedicated computer security incident response team (CSIRT) for managing security threats 24/7 and proactively monitoring reputable industry sources for newly discovered security vulnerabilities.
To report incidents, such as copyright issues, spam, and abuse, send an email to: csirt@outsystems.com.
For non-incident related topics, please check success.outsystems.com/Support.
OutSystems CSIRT RFC 2350 Profile: https://www.outsystems.com/trust/csirt/
OutSystems maintains a robust set of operating procedures including:
- Formal hiring procedures for employees and contractors including background checks.
- Security requirements built into our entire software lifecycle, from planning through deployment.
- Access management, patching management, change management, event management, and incident handling.
- A comprehensive business continuity strategy to protect the essential functions of the organization in the event of a disaster.

"Navies trust us to manage their critical and often complex assets using our asset management solution. That's why we rely on OutSystems to help us meet their expectations."
Neil Crump
Head of Digital Transformation and Customer Services
Forum of Incident Response and Security Teams (FIRST)
FIRST is a premier organization recognized globally as a leader in incident response. Because computer security incidents do not respect geographical, timezone, or administrative boundaries in the global Internet, OutSystems CSIRT is a member of FIRST’s trusted group of global organizations. By providing access to best practices, tools, and timely communication with other trusted member teams, we can facilitate more effective responses to security incidents.
Cloud Shared Responsibility Model
In the OutSystems cloud model, OutSystems shares control of the cloud environments with you. This approach relieves you of the operational burden as OutSystems operates, manages, and controls the components from the platform down to the infrastructure. Your responsibilities include securing the applications and integrations you develop with OutSystems.
Information Security
OutSystems has implemented a formal information security program designed to protect the confidentiality, integrity, and availability of customer systems and data. OutSystems identifies security risks and puts controls in place to manage or eliminate those risks and to gain stakeholders' and customers' trust that their confidential data is protected and available.

"OutSystems provides the governance, compliance and controls we need so that the apps we deploy are not only safe and secure, but also ready to withstand any audit."
Dave Peppard
CIO