At WSO2, we prioritize the security and resilience of our products and services. We adhere to industry best practices and maintain a transparent security program to continuously improve our offerings.
Report a Vulnerability
The International Organization for Standardization (ISO) is an independent non-governmental organization. The ISO/IEC 27000 family of standards is a set of global standards that provides a framework for the policies and procedures needed to meet the legal, physical, and technical regulatory requirements involved in an organization's information risk management processes.
WSO2 has obtained the ISO/IEC 27001:2022 certification for its Digital Operations function, which oversees access management for WSO2 infrastructure and the overall management of endpoints.
WSO2 has obtained the SOC 2® Type 2 attestation for its Public Cloud offerings. The SOC 2®/SSAE18 attestation covers the Security, Confidentiality, and Availability Trust Service Criteria (TSC) as well as HITRUST Common Security Framework (CSF) controls that align with the SOC 2® TSCs.
Choreo Control Plane and Cloud Data Plane, Devant, Bijira & Asgardeo are SOC 2® Type 2 certified.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
WSO2 conducts annual PCI DSS assessments using an approved independent Qualified Security Assessor (QSA) and certification can be viewed here.
Choreo Control Plane and Cloud Data Plane, Devant & Bijira are certified on PCI DSS v4.0.1.
The General Data Protection Regulation (GDPR) requirements apply to the data collected by WSO2 for the services provided to our EU customers.
The GDPR grants individuals (or data subjects) certain rights in connection with the processing of their personal data.
WSO2, as an organisation, follows the General Data Protection Regulation (GDPR) for all products and services offered to customers, to the extent applicable.
The California Consumer Privacy Act, along with subsequent amendments and related laws, is a state law in the United States that provides California residents with specific rights regarding their personal information, including the right to know, the right to delete, and the right to opt out of the sale of their data.
WSO2, as an organisation, follows the California Consumer Privacy Act of 2018 (CCPA) across all products and services, to the extent applicable.
The EU DORA (Digital Operational Resilience Act) aims to provide a harmonized approach to achieving “a high level of digital operational resilience” of the financial services industry in the EU.
European Union (EU) financial entities and ICT third-party service providers must comply with this regulation.
DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and EU member states.
DORA provides European Supervisory Authorities (ESAs) with direct supervisory powers over designated critical ICT providers.
WSO2 has identified itself as a non-critical ICT third-party service provider for its on-premises product offerings. As a non-critical ICT third party, we comply with DORA provisions to the extent applicable, which helps regulated financial institutions meet their own DORA requirements when using WSO2 products.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the related regulations are a set of U.S. healthcare laws that establish requirements for the use, disclosure, and safeguarding of individually identifiable health information.
HIPAA regulations require that covered entities enter into a Business Associate Agreement (BAA) with the business associate (WSO2) to ensure that Protected Health Information (PHI) is adequately protected.
Although there is no single certification standard approved by the Department of Health and Human Services to demonstrate compliance with HIPAA, WSO2 supports its customers in meeting their HIPAA obligations and also adheres to the requirements of the HIPAA Security Rule as a business associate.
WSO2 will enter into BAAs at the request of its customers for the WSO2 products & services detailed in the Product Scope below. The WSO2 products detailed below have undergone audits conducted by accredited independent auditors.
Choreo Control Plane and Cloud Data Plane, Devant & Bijira are attested by an independent auditor to be HIPAA compliant.
Examine how we manage vulnerabilities related to our products and services.
Discover security best practices followed by our engineering team for WSO2 products and services.
Discover how we reward contributors who responsibly disclose vulnerabilities and contribute to our products and services through our Hall of Fame.
Learn how we prioritize security throughout the Software Development Life Cycle.
Follow our security guidelines for secure configuration of WSO2 products in production settings.
View our security advisories for information on vulnerabilities affecting our products and services.
Find justifications for CVEs associated with our products that do not require fixes.
Get clarifications on security incidents that are relevant to WSO2 and our customers.
We secure all WSO2 cloud deployments by following industry-standard processes.
Data is managed using WSO2 containers and Kubernetes clusters, which provide scalability, resilience, and security. Find out more here.
This is a detailed list of all subprocessors used by WSO2, including their name, location, and purpose. This information is updated frequently to ensure compliance with data protection regulations and can be found here.
WSO2 uses a range of security controls and design patterns to protect against a variety of threats, including internal attacks, software supply chain attacks, service and platform attacks, and more. Find out more regarding this here.
At WSO2, we value our users and the broader internet community. We are committed to maintaining the security and privacy of the content published using our platform. If you encounter any malicious, unauthorized, or abusive content, please report it here.
We are committed to promptly communicating security-related notifications and updates that may impact our users. Our Security Notification Policy outlines how we notify relevant stakeholders about security events in accordance with industry best practices. For detailed information, please refer to our full policy document here.