Axure Security

Building security in

We implement security practices and tools to protect your information and data, starting from the system architecture through to how we operate. We understand that security needs and best practices change over time, and we aim to continue improving as these needs change.

We will work with you, our customer, to find the right security measures for your requirements. Below, we explain our structural and procedural security systems.

Network

Datacenter security

We use Amazon Web Services (AWS) to host Axure Cloud and other cloud products. AWS datacenters meet security regulations and standards with industry-leading physical and environmental controls. Our applications benefit from a datacenter and network architecture built to meet the requirements of the most security-sensitive organizations. AWS meets numerous compliance standards and regulations including CSA, ISO, PCI, SOC, FedRAMP, and more.

Server security

We are committed to maintaining the security of our servers. Maintaining a secure server requires constant attention and effort. On a routine basis, we evaluate the services and information accessible on our servers and their security requirements.

We adhere to the following NIST standards for server security:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

Encrypted transmission

By default, transmissions from the browser or Axure RP are sent to our servers using the HTTPS protocol. Our servers support Transport Layer Security (TLS) encryption to protect against unauthorized disclosure or modification.

Encryption of authentication and session data

User credentials are required to publish to Axure Cloud or interact with the Axure License Portal. We store authentication and session data on our servers using AES-256 encryption so that your account credentials are protected.

PCI compliant

PCI compliance certifies that the requirements for protecting cardholder data are met. We are PCI compliant for transmitting credit card information. Our third-party credit card processor meets the highest industry standard and guidelines, PCI DSS Level 1.

Firewall

We control access to our sensitive production networks through the use of strict firewall rules and require multi-factor authentication and encrypted connections. Our firewall is configured to block all but essential ports.

Product Security

Security is a key part of our product mindset. While we aim to provide high quality products to you in a timely manner, we take the time to consider security at every step. Our products include Axure RP, Axure Cloud, and the Axure License Portal, and our goal is to build systems and put processes in place that support each product according to its needs.

Testing

Changes to our products and systems are tested by our dedicated Quality Assurance (QA) team prior to release. However, all members of the product and development teams are responsible for testing. When there are changes that impact authentication or other security-related features, we take care to verify that information is not exposed inappropriately and that each user can only access their own data.

Desktop security

When you work in Axure RP, your data is saved to a file location that you designate. It is only transferred from your machine when you actively choose to store or publish it to a shared drive or the cloud. Axure RP can be used entirely offline.

Web services

Accounts on Axure Cloud and other Axure web properties transmit and store their data securely. By default, Axure Cloud prototypes are transmitted by HTTPS. Project settings provide additional security options that can be applied when needed.

Self-hosting

Axure for Enterprise combines Axure RP Enterprise edition with the self-hosted Axure Cloud On-Premises server for an on-premises prototyping and sharing platform. Self-hosted Axure Cloud servers allow your IT team to strictly control access and gives them full access to application infrastructure including logs, database, and application storage.

User management

Axure Cloud for Business supports SAML, LDAP, and Active Directory user management. This gives you the option to centralize user management and provides more control of authentication.

Reliability

Availability and redundancy

We host our web products across multiple AWS regions. Customers are connected to the region closest to them to ensure speed and performance. The redundancy of the servers across multiple regions provides added stability for customers; if one region becomes unavailable, another region can continue providing services.

Backups

Database backups for Axure Cloud and Axure License Portal are made continuously and retained for 30 days. The window for data loss is 5 minutes or less. When data needs to be restored, we are able to use the backups to recover the data from any point in time during the past 30 days. Cross-region replicas also provide additional data redundancy.

Operational security practices

SOC 2 Type II Certification data

Through the SOC 2 Type II certification, Axure outlines the operational requirements that support the achievement of the principal service commitments, relevant laws and regulations, and other system requirements. Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed, and how employees are hired, trained, and managed.

Access to customer data

Access to customer data is tightly controlled for security. Our support and sales teams have access to limited identifying information related to purchasing and account management. Customer files stored in the cloud can only be accessed by a small team, and only under limited circumstances.

Training and awareness

Our development team participates in regular training to review security policies and procedures. The procedures themselves are reviewed and updated by our security team regularly.

Incident response

We have prescribed incident response plans for a variety of scenarios, including reporting processes and recovery schemes. These response plans include recovery time objectives and recovery methods.

Business continuity and disaster recovery

We maintain a business continuity and disaster recovery plan to minimize the impact of disruptions to our operations on our customers. We aim to continue providing our products and services, provide product support, and perform essential functions without disruption.

Security team

Our security team meets regularly to reinforce security policy and provides training to the development staff. The security team is responsible for managing and implementing ongoing security improvements.

Privacy

We understand our customers’ needs for privacy and have systems and policies in place to protect your privacy. Our full policy privacy, including how we handle of Personally Identifying Information (PII) can be found here: https://www.axure.com/privacy

Shared responsibility

We care about security and continue to work on improving our products, systems, and processes. However, the security of data and information is a shared responsibility between Axure and our customers. We are responsible for the security of our products, systems, and operations. Our customers manage their own information, accounts, credentials, computers, servers, and may have additional compliance requirements. The overall security of our customers’ implementation of our products relies upon both Axure and our customers.


Have a question about Axure security?