OutSystems Security

At OutSystems we believe you have a right to understand how we protect your applications and customer data.
Our approach includes industry best practices and lessons learned from over 15 years of experience dealing with constantly evolving security threats.

"OutSystems has an extensive track record meeting strict security requirements in heavily regulated industries such as financial, healthcare, and defense. We are constantly looking for ways to strengthen the trust relationship with our customers through increased transparency and security controls."José Casinha, OutSystems CISO


Application Security

Web and mobile applications built using OutSystems are protected by default from the top security threats identified by OWASP. OutSystems low-code approach accelerates the development of secure applications in the following ways:

  • Each platform upgrade automatically incorporates the latest security features into all of your applications.
  • Pre-built components simplify security-related tasks such as encrypting data at rest or integrating with Identity Management systems.
  • Role-based access ensures the right team members have access to change and deploy applications.
  • With each release, generated code is assessed for vulnerabilities using static code analysis tools.

Learn more about application security

Infrastructure Security

When using the OutSystems Cloud to build and run your applications, you can rely on state-of-the-art security encompassing:

  • Dedicated virtual private cloud (VPC) infrastructure for all customers, secure access to on-premises systems with VPN, and easy uploading of custom SSL/TLS certificates.
  • Proactive updating of operating systems and application servers with updates and patches, including notification to customers for security-related issues.
  • Penetration testing and vulnerability scanning support for customer applications.

Learn more about infrastructure security

Security Operations

OutSystems provides a dedicated computer security incident response team (CSIRT) for managing security threats 24/7 and proactively monitoring reputable industry sources for newly discovered security vulnerabilities.
To report incidents, such as copyright issues, spam, and abuse, send an email to: csirt@outsystems.com.
For non-incident related topics, please check outsystems.com/support.
OutSystems CSIRT RFC 2350 Profile: https://www.outsystems.com/trust/csirt/
OutSystems maintains a robust set of operating procedures including:

  • Formal hiring procedures for employees and contractors including background checks.
  • Security requirements built into our entire software lifecycle, from planning through deployment.
  • Access management, patching management, change management, event management, and incident handling.
  • A comprehensive business continuity strategy to protect the essential functions of the organization in the event of a disaster.

Learn more about security operations

Forum of Incident Response and Security Teams (FIRST)

FIRST is a premier organization recognized globally as a leader in incident response. Because computer security incidents do not respect geographical, timezone, or administrative boundaries in the global Internet, OutSystems CSIRT is a member of FIRST’s trusted group of global organizations. By providing access to best practices, tools, and timely communication with other trusted member teams, we can facilitate more effective responses to security incidents.

Compliance and Data Privacy

SOC 2 Compliance

OutSystems is SOC 2 compliant. Service Organization Controls (SOC) reports demonstrate our commitment to securing your data. The AICPA defines their purpose as follows:

“A Software-as-a-Service (SaaS) or Cloud Service Organization that offers virtualized computing environments or services for user entities and wishes to assure its customers that the service organization maintains the confidentiality of its customers’ information in a secure manner and that the information will be available when it is needed.”

Our SOC 2 report is available to customers under NDA and can be accessed by contacting your account manager.

Download our SOC 3 report

ISO 27001 and ISO 22301 Certification

OutSystems is certified to be compliant with the ISO 27001 and ISO 22301 standards, two key international standards governing information security management and business continuity management. Adherence to these standards assures that your data and services are protected to the fullest extent possible.

ISO 27001 is the international standard for information security management. ISO 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and help achieve preferred supplier status helping to win new business.

Download our ISO 27001 Certification

ISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of and ensure your business recovers from disruptive incidents. ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

Download our ISO 22301 Certification

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”

As part of our commitment to security best practices in cloud computing, OutSystems is a member of the CSA. In addition, we have completed the CSA STAR Self-Assessment and published the results to their website. This is the latest CAIQ (v3) released by the CSA.

PCI Data Security Standard SAQ A

PCI DSS SAQ A was developed to address requirements applicable to merchants whose cardholder data functions are completely outsourced to validated third parties. OutSystems Sentry is compliant with PCI DSS v3.2, SAQ A for e-commerce applications that integrate with external payment processors.

Data Center Compliance

The OutSystems Cloud physical infrastructure is hosted within Amazon Web Services’ (AWS) secure and certified data centers.

  • AWS data centers have multiple layers of operational and physical security to ensure the integrity and safety of data.
  • AWS data center operations have been accredited under several security compliance standards, such as ISO 27001, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FedRAMP, and FIPS 140-2.
  • Take advantage of the security and reliability of Microsoft Azure with OutSystems on Azure, or run OutSystems in your own secure data center.

Learn more about data center security and compliance

Privacy and Data Protection

OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems Cloud.

  • We carefully control employee access to your data and applications based on the task being performed.
  • Customers can choose the region for their data to comply with data residency regulations.
  • You can access your own customer data at any time with your own tools during your OutSystems Cloud subscription. If you end your OutSystems Cloud subscription, established standards and processes govern how we remove your customer data.

Learn more about privacy and data protection

Read our privacy statement

GDPR at OutSystems