© 2002-2019 Axure Software Solutions, Inc. All rights reserved. Axure® is a registered trademark of Axure Software Solutions, Inc.


AXURE SECURITY

At Axure, we strive to deliver products and services that not only provide outsize value and a great customer experience, but are also worthy of your trust.

We implement security practices and tools to protect your information and data, starting from the system architecture through to how we operate. We understand that security needs and best practices change over time, and we aim to continue improving as these needs change.


We will work with you, our customer, to find the right security measures for your requirements. Below, we explain our structural and procedural security systems.

NETWORK


Building security in

We use Amazon Web Services (AWS) to host Axure Share and other cloud products. AWS datacenters meet security regulations and standards with industry-leading physical and environmental controls. Our applications benefit from a datacenter and network architecture built to meet the requirements of the most security-sensitive organizations. AWS meets numerous compliance standards and regulations including CSA, ISO, PCI, SOC, FedRAMP, and more.


Datacenter security


We are committed to maintaining the security of our servers. Maintaining a secure server requires constant attention and effort. On a routine basis, we evaluate the services and information accessible on our servers and their security requirements.


We adhere to the following NIST standards for server security:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf


Server security


By default, transmissions from the browser or Axure RP are sent to our servers using the HTTPS protocol. Our servers support Transport Layer Security (TLS) encryption to protect against unauthorized disclosure or modification.


Encrypted transmission

User credentials are required to publish to Axure Share or interact with the Axure Customer Portal. We store authentication and session data on our servers using AES-256 encryption so that your account credentials are protected.


Encryption of authentication and session data

PCI compliance certifies that the requirements for protecting cardholder data are met. We are PCI compliant for transmitting credit card information. Our third-party credit card processor meets the highest industry standards and guidelines, PCI DSS Level 1.


PCI compliant

We control access to our sensitive production networks through the use of strict firewall rules and require multi-factor authentication and encrypted connections. Our firewall is configured to block all but essential ports.

Firewall

PRODUCT SECURITY

Security is a key part of our product mindset. While we aim to provide high quality products to you in a timely manner, we take the time to consider security at every step. Our products include Axure RP, Axure Share, and the Axure Customer Portal, and our goal is to build systems and put processes in place that support each product according to its needs.


Changes to our products and systems are tested by our dedicated Quality Assurance (QA) team prior to release. However, all members of the product and development teams are responsible for testing. When there are changes that impact authentication or other security-related features, we take care to verify that information is not exposed inappropriately and that each user can only access their own data.


Testing

When you work in Axure RP, your data is saved to a file location that you designate. It is only transferred from your machine when you actively choose to store or publish it to a shared drive or the cloud. Axure RP can be used entirely offline.


Desktop security

Accounts on Axure Share and other Axure web properties transmit and store their data securely. By default, Axure Share prototypes are transmitted by HTTPS. Workspace and project settings provide additional security options that can be applied when needed.


Web services

Axure for Enterprise combines Axure RP Enterprise edition with the self-hosted Axure Share Enterprise server for an on-premises prototyping and sharing platform. Self-hosted Axure Share Enterprise servers allow your IT team to strictly control access and give them full access to application infrastructure, including logs, database, and application storage.


Self-hosting

Axure for Enterprise supports SAML, LDAP, and Active Directory user management for Axure Share Enterprise accounts. This gives you the option to centralize user management and provides more control of authentication.

User management

RELIABILITY

We host our web products across multiple AWS regions. Customers are connected to the region closest to them to ensure speed and performance. The redundancy of the servers across multiple regions provides added stability for customers; if one region becomes unavailable, another region can continue providing services.


Availability and redundancy

Database backups for Axure Share and Axure Customer Portal are made continuously and retained for 30 days. The window for data loss is 5 minutes or less. When data needs to be restored, we are able to use the backups to recover the data from any point in time during the past 30 days. Cross-region replicas also provide additional data redundancy.

Backups

OPERATIONAL SECURITY PRACTICES

Access to customer data is tightly controlled for security. Our support and sales teams have access to limited identifying information related to purchasing and account management. Customer files stored in the cloud can only be accessed by a small team, and only under limited circumstances.


Access to customer data

Our development team participates in regular training to review security policies and procedures. The procedures themselves are reviewed and updated by our security team regularly.


Training and awareness

We have prescribed incident response plans for a variety of scenarios, including reporting processes and recovery schemes. These response plans include recovery time objectives and recovery methods.


Incident response

We maintain a business continuity and disaster recovery plan to minimize the impact of disruptions to our operations on our customers. We aim to continue providing our products and services, provide product support, and perform essential functions without disruption.


Business continuity and disaster recovery

Our security team meets regularly to reinforce security policy and provides training to the development staff. The security team is responsible for managing and implementing ongoing security improvements.

Security team

PRIVACY

We understand our customers' needs for privacy and have systems and policies in place to protect your privacy. Our full privacy policy, including how we handle Personally Identifying Information (PII), can be found here: https://www.axure.com/privacy

SHARED RESPONSIBILITY

We care about security and continue to work on improving our products, systems, and processes. However, the security of data and information is a shared responsibility between Axure and our customers. We are responsible for the security of our products, systems, and operations. Our customers manage their own information, accounts, credentials, computers, and servers, and may have additional compliance requirements. The overall security of our customers' implementation of our products relies upon both Axure and our customers.