OutSystems Security

At OutSystems we believe you have a right to understand how we protect your applications and customer data.
Our approach includes industry best practices and lessons learned from over 15 years of experience dealing with constantly evolving security threats.

"OutSystems has an extensive track record meeting strict security requirements in heavily regulated industries such as financial, healthcare, and defense. We are constantly looking for ways to strengthen the trust relationship with our customers through increased transparency and security controls."José Casinha, OutSystems CISO


Application Security

Web and mobile applications built using OutSystems are protected by default from the top security threats identified by OWASP. OutSystems low-code approach accelerates the development of secure applications in the following ways:

  • Each platform upgrade automatically incorporates the latest security features into all of your applications
  • Pre-built components simplify security-related tasks such as encrypting data at rest or integrating with Identity Management systems
  • Role-based access ensures the right team members have access to change and deploy applications
  • With each release, generated code is assessed for vulnerabilities using static code analysis tools

Learn more about application security

Infrastructure Security

When leveraging the OutSystems Cloud to build and run your applications, you can rely on state-of-the-art security encompassing:

  • Dedicated virtual private cloud (VPC) infrastructure for all customers, secure access to on-premises systems with VPN, and easy uploading of custom SSL/TLS certificates
  • Proactive updating of operating system and application servers with updates and patches, including notification to customers for security-related issues
  • Penetration testing and vulnerability scanning support for customer applications

Learn more about infrastructure security

Security Operations

OutSystems provides a dedicated computer security incident response team (CSIRT) for managing security threats 24/7 and proactively monitoring reputable industry sources for new security vulnerabilities.
Send incident reports that relate to the OutSystems CSIRT, such as copyright issues, spam, and abuse to: csirt@outsystems.com.
Send non-incident related mail to: support@outsystems.com.
OutSystems CSIRT RFC 2350 Profile: https://www.outsystems.com/trust/csirt/
OutSystems maintains a robust set of operating procedures including:

  • Formal hiring procedures for employees and contractors including background checks
  • Security requirements built into our entire software lifecycle, from planning through deployment
  • Access management, patching management, change management, event management, and incident handling
  • A comprehensive business continuity strategy to protect the essential functions of the organization in the event of a disaster

Learn more about security operations

Compliance and Data Privacy

SOC 2 Compliance

OutSystems is SOC 2 compliant. Service Organization Controls (SOC) reports demonstrate our commitment to securing our customers’ data. The AICPA defines their purpose as follows:

“A Software-as-a-Service (SaaS) or Cloud Service Organization that offers virtualized computing environments or services for user entities and wishes to assure its customers that the service organization maintains the confidentiality of its customers’ information in a secure manner and that the information will be available when it is needed.”

Our SOC 2 report is available to customers under NDA and can be accessed by contacting your account manager.

Download our SOC 3 report

ISO 27001 and ISO 22301 Certification

OutSystems is certified to be compliant with the ISO 27001 and ISO 22301 standards, two key international standards governing information security management and business continuity management. Adherence to these standards gives OutSystems customers confidence knowing that their data and services are protected to the fullest extent possible.

ISO 27001 is the international standard for information security management. ISO 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and help achieve preferred supplier status helping to win new business.

Download our ISO 27001 Certification

ISISO 22301 specifies the requirements for a management system to protect against, reduce the likelihood of and ensure your business recovers from disruptive incidents. ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

Download our ISO 22301 Certification

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”

As part of our commitment to security best practices in cloud computing, OutSystems is a member of the CSA. In addition, we have completed the CSA STAR Self-Assessment and published the results to their website. This is the latest CAIQ (v3) released by the CSA.

Data Center Compliance

The OutSystems Cloud physical infrastructure is hosted within Amazon Web Services’ (AWS) secure and certified data centers.

  • AWS data centers have multiple layers of operational and physical security to ensure the integrity and safety of data.
  • AWS data center operations have been accredited under several security compliance standards, such as ISO 27001, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FedRAMP, and FIPS 140-2.
  • Take advantage of the security and reliability of Microsoft Azure with OutSystems on Azure, or run OutSystems in your own secure data center.

Learn more about data center security and compliance

Privacy and Data Protection

OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems Cloud.

  • We carefully control employee access to your data and applications based on the task being performed.
  • Customers can choose the region for their data to comply with data residency regulations.
  • You can access your own customer data at any time with your own tools during your OutSystems Cloud subscription. If you end your OutSystems Cloud subscription, established standards and processes govern how we remove your customer data.

Learn more about privacy and data protection

Read our privacy statement

GDPR at OutSystems