Penpot

Penpot Security & Compliance Whitepaper

Introduction

Penpot is the first open-source design and prototyping platform that brings true collaboration between designers and developers. Built on open web standards (SVG, HTML, CSS) and available both as a cloud service and as a self-hosted solution, Penpot delivers a unique approach to security and compliance.

This whitepaper outlines Penpot's comprehensive security model, privacy practices, and compliance frameworks. Whether you use our cloud service or deploy Penpot in your own secure environment, our commitment to security and data protection remains paramount.

As an open-source platform, Penpot's codebase is transparent and continuously validated by our community. This transparency creates an additional layer of security through open verification and community-driven improvements.

Throughout this document, we clearly distinguish between our Cloud Service and Self-Hosted deployment models, because security features, compliance capabilities, and responsibilities differ between these options.

Deployment Models

Penpot offers two distinct deployment models, each with different security characteristics and compliance capabilities.

Cloud Service

Description: Penpot's cloud service is hosted and managed by Penpot/Kaleidos. Users access the platform via web browser, with all data stored in Penpot's secure cloud infrastructure.

Key Characteristics:

  • Managed by Penpot's security team
  • Automatic updates and security patches
  • Standard security controls managed by Penpot
  • Multi-tenant architecture with tenant isolation
  • Accessible from any location with internet connectivity
  • Hosted in Europe for the free plan, with the option to host in the United States or anywhere in the world as an Enterprise Plan add-on

Best For:

  • Organizations without strict data residency requirements
  • Teams seeking minimal IT management overhead
  • Projects requiring rapid deployment
  • Organizations with limited security resources

Self-Hosted

Description: Self-hosted Penpot is deployed within your own infrastructure (on-premises or in your cloud environment). Your organization maintains full control over the deployment, configuration, and data.

Key Characteristics:

  • Deployed within your controlled environment
  • Complete data sovereignty
  • Customizable security controls
  • Integration with your existing security infrastructure
  • Support for air-gapped environments

Best For:

  • Organizations with strict security, compliance, or regulatory requirements
  • Environments requiring data sovereignty/residency controls
  • High-security sectors (defense, government, healthcare, financial services)
  • Organizations with existing secure infrastructure

Shared Responsibility Model

Security is a shared responsibility between Penpot and our customers. The distribution of these responsibilities varies significantly between deployment models.

Cloud Service Responsibilities

Each area lists Penpot's responsibility first, then the customer's:

  • Physical Infrastructure. Penpot: full responsibility for datacenter security, physical access controls, and environmental safeguards. Customer: none.
  • Network Security. Penpot: management of firewalls, DDoS protection, intrusion detection, and network segregation. Customer: secure access to Penpot from customer networks.
  • Host Infrastructure. Penpot: operating system security, patching, hardening, and monitoring. Customer: none.
  • Application Security. Penpot: application code security, dependency management, patching, and updates. Customer: none.
  • Identity Management. Penpot: authentication infrastructure, SSO integrations, and session management. Customer: user account management, access control configuration, and password policies.
  • Data Protection. Penpot: encryption implementation, backup management, and data isolation. Customer: proper configuration of sharing settings and access controls.
  • Compliance. Penpot: platform-level compliance controls and documentation. Customer: organization-specific compliance requirements and documentation.

Self-Hosted Responsibilities

Each area lists Penpot's responsibility first, then the customer's:

  • Physical Infrastructure. Penpot: none. Customer: full responsibility for datacenter security, physical access controls, and environmental safeguards.
  • Network Security. Penpot: none. Customer: management of firewalls, DDoS protection, intrusion detection, and network segregation.
  • Host Infrastructure. Penpot: none. Customer: operating system security, patching, hardening, and monitoring.
  • Application Security. Penpot: secure application development, dependency verification, and security patches. Customer: timely application of updates and patches.
  • Identity Management. Penpot: authentication framework and integration capabilities. Customer: implementation and configuration of identity providers, SSO, and access controls.
  • Data Protection. Penpot: encryption capabilities and secure data handling within the application. Customer: implementation of encryption, backup strategies, and data lifecycle management.
  • Compliance. Penpot: documentation support for compliance efforts. Customer: full responsibility for compliance implementation and documentation.

Security Infrastructure

This section outlines the security infrastructure for both deployment models.

Cloud Service Architecture

Penpot's cloud service operates on a robust, multi-tenant architecture with strong isolation between tenant data.

Key Infrastructure Components:

  • Containerized Environment: All services run in isolated containers with security monitoring
  • Network Segmentation: Strict separation between application tiers
  • Encryption in Transit: TLS 1.2+ for all data in motion
  • Encryption at Rest: AES-256 encryption for all stored data
  • Database Security: Hardened database configurations with regular security patching
  • Web Application Firewall: Protection against common web application attacks
  • DDoS Protection: Distributed denial of service mitigation capabilities
  • Monitoring: Continuous security monitoring and alerting
  • Backup Systems: Regular encrypted backups with secure recovery capabilities

Self-Hosted Architecture

For self-hosted deployments, Penpot provides the application with security capabilities that you can integrate into your existing security infrastructure.

Key Architecture Features:

  • Deployment Flexibility: Docker-based deployment compatible with Kubernetes, OpenShift, and other container platforms
  • Infrastructure Independence: Can be deployed in air-gapped environments with no external dependencies
  • Configuration Control: Full administrative control over security settings and configurations
  • Integration Capabilities: Webhooks and API support for integration with existing security tools and monitoring systems
  • Logging Framework: Comprehensive logging capabilities that can integrate with your SIEM or log management systems
  • Authentication Framework: Flexible authentication framework supporting various identity providers

Implementation Options:

  • Docker: Standard containerized deployment using single command setup
  • Kubernetes: Deployment via Helm chart for advanced infrastructure management
  • Elestio: Point-and-click solution for 3-minute deployment
  • OpenShift: Compatible with Red Hat's enterprise container platform

Data Protection & Privacy

Penpot's approach to data protection and privacy varies by deployment model, with consistent principles applied across both. Our practices align with GDPR and other regulatory requirements.

Data Handling Principles

Penpot adheres to the following data handling principles in all deployment models:

  • Data Minimization: Collection limited to what is necessary for service functionality
  • Purpose Limitation: Personal data used only for specified, explicit, and legitimate purposes
  • Storage Limitation: Data not kept longer than necessary for the purposes collected
  • Transparency: Clear documentation of data collection and processing activities
  • User Control: Tools for accessing, exporting, and deleting data

Cloud Service Data Protection

In our cloud service, Penpot implements and manages the following data protection measures:

  • Data Isolation: Strong tenant isolation to prevent cross-tenant data access
  • Encrypted Storage: All customer data encrypted at rest using AES-256
  • Secure Transmission: All data encrypted in transit using TLS 1.2+
  • Backup Protection: Backups encrypted and secured with strict access controls
  • Retention Controls: Data not kept longer than necessary, with retention policies
  • Data Destruction: Marked for deletion first, then actually deleted after 30 days (database records) or 15 days (media assets)
  • Access Monitoring: Monitoring for unauthorized access attempts
  • Data Location: Hosting in EU-based datacenters with strong privacy protections

Self-Hosted Data Protection

For self-hosted deployments, your organization implements and manages data protection using Penpot's built-in capabilities:

  • Local Data Control: All data remains within your controlled environment
  • Encryption Framework: Built-in encryption capabilities you configure and manage
  • Configurable Retention: Flexible retention settings you control
  • Integration Support: APIs to integrate with your existing data protection tools
  • Backup Integration: Can be integrated with your existing backup systems
  • Access Controls: Configurable controls that you manage
  • Data Sovereignty: Complete control over data location and residency

User Data Protection

Across both deployment models, Penpot includes these user data protection features:

  • Authentication: Support for social logins (Google, GitHub, GitLab) through OIDC implementation
  • Authorization: Role-based access controls with principle of least privilege
  • Session Management: Secure session handling with appropriate timeout controls
  • Secure APIs: Authentication and authorization for all API access

Operational Security

Cloud Service: Penpot implements these operational security measures:

  • Authentication: Support for social logins (Google, GitHub, GitLab) through OIDC implementation
  • Authorization: Role-based access controls with principle of least privilege
  • Session Management: Secure session handling with appropriate timeout controls
  • Secure APIs: Authentication and authorization for all API access

Self-Hosted: Your organization is responsible for most operational security, with support from Penpot:

  • Security Advisory: Notifications of security issues affecting the Penpot application
  • Security Patches: Timely security updates for the application
  • Security Documentation: Guidelines for secure deployment and operation
  • Open Source Audit: Transparency allowing for independent security review

Employee Data Protection

Penpot maintains strict controls regarding employee access to customer data:

  • Training Requirements: Support for social logins (Google, GitHub, GitLab) through OIDC implementation
  • Access Controls: Only individuals who require constant access to personal data have access
  • Training Material: Up-to-date training material related to personal data handling
  • External Audit: Training materials were the result of an external audit

Self-Hosting Capabilities

Penpot's self-hosting option provides organizations with complete control over their security posture. This model is particularly valuable for organizations with strict security, compliance, or sovereignty requirements.

Key Self-Hosting Security Benefits

  • Physical Control: Deploy in your own secure data centers or cloud environment
  • Network Control: Implement your organization's specific network security controls
  • Access Control: Integrate with your existing identity providers and access management systems
  • Data Residency: Maintain complete control over where your data resides
  • Security Monitoring: Integrate with your existing security monitoring and incident response tools
  • Customization: Adapt the security configuration to meet your specific requirements
  • Audit Capability: Maintain full auditability of all system components
  • Compliance Management: Incorporate Penpot into your existing compliance program

Self-Hosting Implementation Options

Penpot offers flexible deployment options to fit your infrastructure requirements:

Each entry gives the deployment method, its description, and what it is best for:

  • Docker: Standard containerized deployment using single command setup. Best for small to medium deployments with limited infrastructure.
  • Kubernetes: Deployment via Helm chart for advanced infrastructure management. Best for large-scale enterprise deployments requiring orchestration.
  • Elestio: Point-and-click solution for 3-minute deployment. Best for quick deployment with minimal configuration.
  • OpenShift: Compatible with Red Hat's enterprise container platform. Best for organizations standardized on Red Hat infrastructure.

Self-Hosting Architecture Considerations

When implementing self-hosted Penpot, consider these architectural components:

  • Infrastructure Layer: The underlying compute, storage, and networking infrastructure
  • Container Layer: Docker containers running Penpot services
  • Database Layer: PostgreSQL database for persistent storage
  • File Storage Layer: Storage for design files and assets
  • Identity Integration Layer: Connection to your identity provider
  • Monitoring Layer: Integration with your monitoring and logging systems
  • Security Layer: Implementation of your security controls

Self-Hosting Security Recommendations

For optimal security in self-hosted deployments, we recommend:

  • Deploying in a network-isolated environment with appropriate firewall rules
  • Implementing encryption for all data at rest and in transit
  • Integrating with your identity management system for SSO
  • Implementing a regular backup strategy for Penpot data
  • Setting up monitoring and alerting for the Penpot environment
  • Keeping Penpot up to date with the latest security patches
  • Conducting regular security assessments of your Penpot deployment

Compliance Framework

Penpot's compliance approach varies significantly between cloud and self-hosted deployments, with each model offering different advantages for regulatory compliance.

Core Compliance Principles

Across both deployment models, Penpot maintains these core principles:

  • Security by Design: Security considerations built into the product from inception
  • Privacy by Design: Privacy considerations integrated throughout the development lifecycle
  • Configurability: Ability to adjust settings to meet specific compliance requirements
  • Documentation: Comprehensive documentation of security features and configurations
  • Transparency: Open source code allows for direct verification of security implementations

Cloud Service Compliance

For our cloud service, Penpot implements and maintains:

  • Baseline Compliance Controls: Standard controls mapped to common compliance frameworks
  • Security Documentation: Documentation of implemented controls and security practices
  • Third-Party Assessments: Regular security assessments and testing
  • Continuous Monitoring: Ongoing monitoring for security events and compliance issues
  • Data Protection Agreements: Standard agreements addressing data protection requirements

Limitations: While our cloud service implements strong security controls, organizations with specialized compliance requirements (e.g., FedRAMP, specific industry regulations) may face limitations due to the shared infrastructure model.

Self-Hosted Compliance Capabilities

Self-hosted deployments offer the most flexible compliance capabilities:

  • Full Control: Complete control over the compliance environment
  • Integration: Can be integrated into your existing compliant infrastructure
  • Customization: Adaptable to your specific regulatory requirements
  • Documentation Support: Documentation to support your compliance efforts
  • Audit Support: Transparency for audit and assessment activities

Self-hosting allows you to implement Penpot within your existing compliance framework, applying your established controls and documentation to the Penpot deployment.

Compliance Documentation

Penpot provides documentation to support your compliance efforts:

For Cloud Service:

  • Security controls documentation
  • Privacy and data protection information
  • Subprocessor information
  • Security incident procedures

For Self-Hosted:

  • Security implementation guidance
  • Integration documentation
  • Configuration recommendations
  • Compliance mapping templates

Security Controls

Penpot implements a comprehensive set of security controls that vary between cloud and self-hosted deployments. These controls align with the requirements outlined in our security compliance framework.

Access Control

Cloud Service:

  • Authentication: Support for OpenID Connect (OIDC) and OAuth with social logins (Google, GitHub, GitLab)
  • SSO Integration: Support for SAML-based Single Sign-On (Enterprise Plan)
  • Role-Based Access: Team access controls defined by team owners
  • Account Management: Comprehensive user management capabilities
  • MFA: Available through supported single sign-on services

Self-Hosted:

  • Authentication Framework: Flexible authentication system you configure
  • Identity Integration: Ability to integrate with your identity providers
  • Custom Roles: Team-level access controls that can be customized
  • Access Control Integration: Can be integrated with your access management systems
  • MFA Options: Support for your existing MFA solutions

System Security

Cloud Service:

  • Secure Configuration: Hardened default configurations managed by Penpot
  • Patch Management: Regular updates performed by Penpot's team
  • Security Monitoring: Monitoring by Penpot's security team
  • IP-Based Access Restrictions: Support for IP-based access restrictions (managed centrally)
  • Malware Protection: Controls to prevent, detect, and eradicate malicious code
  • Vulnerability Management: Regular scanning and remediation

Self-Hosted:

  • Configuration Guidance: Documentation for secure configuration
  • Update Notifications: Security patch announcements
  • Logging Framework: Comprehensive logging for your monitoring systems
  • Integration Support: APIs for integration with your security tools
  • Deployment Hardening: Guidelines for secure deployment

Data Security

Cloud Service:

  • Data Classification: Support for classifying data based on sensitivity
  • Data Encryption: TLS 1.2+ for data in transit, AES-256 encryption for data at rest
  • Data Integrity: Controls to maintain the integrity of stored information
  • Data Deletion: Secure deletion capabilities for data no longer required
  • Backup Management: Regular encrypted backups performed by Penpot
  • EU Data Storage: Customer data stored in EU-based data centers

Self-Hosted:

  • Encryption Support: Framework for implementing your encryption strategy
  • Integrity Verification: Support for data integrity verification
  • Deletion Capabilities: Tools for secure data deletion
  • Backup Integration: Can be integrated with your backup systems
  • Data Lifecycle Management: Support for your data lifecycle policies
  • Data Sovereignty: Complete control over data location

Communication Security

Cloud Service:

  • Network Security: Secure network architecture with appropriate segregation
  • API Security: Authenticated and encrypted API communications
  • Web Security: Protection against common web application vulnerabilities
  • DDoS Protection: Distributed denial of service protection
  • TLS Configuration: Strong TLS configuration and management

Self-Hosted:

  • Network Isolation: Support for deployment in isolated networks
  • Secure API Framework: Framework for secure API communications
  • Security Headers: Implementation of secure HTTP headers
  • Protocol Support: Support for secure communication protocols
  • TLS Implementation: Support for your TLS implementation

Rate Limiting and Throttling

Cloud Service:

  • API Rate Limiting: Controls to prevent API abuse
  • Request Throttling: Mechanisms to limit excessive resource consumption
  • Concurrency Limits: Prevention of internal resource abuse
  • DoS Protection: Multiple security mechanisms to prevent DoS attacks

Self-Hosted:

  • Configuration Options: Available settings for rate limiting
  • Implementation Guidance: Documentation for implementing appropriate limits
  • Integration Capabilities: Support for external rate limiting solutions

FedRAMP Alignment

FedRAMP (Federal Risk and Authorization Management Program) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by US government agencies. Penpot's approach to FedRAMP varies significantly between deployment models.

Cloud Service FedRAMP Status

Penpot's cloud service does not currently hold a FedRAMP authorization. Organizations requiring FedRAMP compliance should utilize our self-hosted solution, which can be deployed within their existing FedRAMP-authorized environment.

Self-Hosted FedRAMP Capabilities

While Penpot does not have a FedRAMP authorization, our self-hosted solution allows organizations to deploy Penpot in FedRAMP-compliant environments. Organizations can apply their existing FedRAMP security controls to a Penpot deployment.

Key FedRAMP Alignment Features:

  • Deployment in Compliant Infrastructure: Can be deployed within existing FedRAMP authorized boundaries
  • Security Control Implementation: Architecture supports implementation of FedRAMP required controls
  • Documentation Support: Security documentation aligns with FedRAMP documentation requirements
  • Authentication Integration: Support for integrating with FedRAMP-compliant identity providers
  • Logging Capabilities: Comprehensive logging for integration with monitoring tools
  • Data Protection: Security features to protect sensitive government data

Self-Hosted FedRAMP Implementation

Organizations seeking to deploy Penpot in a FedRAMP environment can follow this approach:

  • Deploy Penpot within their existing FedRAMP authorized infrastructure
  • Apply appropriate security controls from their FedRAMP System Security Plan
  • Include Penpot in their existing continuous monitoring program
  • Leverage Penpot's documentation to support FedRAMP documentation requirements

This implementation strategy allows federal agencies and their partners to utilize Penpot while maintaining their FedRAMP compliance posture.

FedRAMP Security Control Compatibility

Penpot's self-hosted deployment can operate within existing control frameworks including:

  • Access Control: Role-based access controls and least privilege principles
  • Identification and Authentication: Support for SSO integration with FedRAMP-compliant identity providers
  • Audit and Accountability: Comprehensive logging framework
  • System and Communications Protection: Support for TLS 1.2+ and data encryption
  • System and Information Integrity: Regular security updates and patching capabilities

Data Sovereignty for Federal Agencies

Self-hosted Penpot allows federal agencies to maintain complete control over their data location, ensuring compliance with data sovereignty requirements. This is particularly important for agencies with strict data residency policies that prohibit storing federal data outside government-controlled environments.

GDPR Compliance

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. Penpot's approach to GDPR compliance differs between cloud and self-hosted deployments.

Data Controller and Processor Roles

The allocation of GDPR responsibilities depends on the deployment model:

Cloud Service:

  • Penpot acts as the data processor
  • Your organization acts as the data controller
  • Responsibilities are outlined in our Data Processing Agreement (DPA)

Self-Hosted:

  • Your organization acts as both the data controller and processor
  • Penpot provides the software with capabilities to support your GDPR compliance
  • Your organization maintains full responsibility for GDPR compliance

Cloud Service GDPR Compliance

As a data processor, Penpot implements these GDPR compliance measures:

  • Data Processing Agreement: Standard DPA detailing processing activities and safeguards
  • Subprocessor Management: Careful selection and oversight of subprocessors
  • EU Data Storage: Customer data stored in EU-based data centers
  • Data Subject Rights Support: Tools to help you fulfill data subject requests
  • Breach Notification: Commitment to notify affected parties within 72 hours of a breach
  • Data Protection Officer: Designated DPO for GDPR-related matters
  • Records of Processing: Maintained for all processing activities
  • Technical Measures: Implementation of appropriate security measures
  • Staff Training: All staff who handle personal data receive comprehensive training

Self-Hosted GDPR Capabilities

For self-hosted deployments, Penpot provides these GDPR-supporting features:

  • Data Isolation: Complete data isolation in your controlled environment
  • Access Controls: Configurable access controls to restrict data access
  • Export Functionality: Tools to export user data for data portability
  • Deletion Capabilities: Mechanisms to delete user data when required
  • Logging Framework: Logs to support accountability requirements
  • Security Features: Security capabilities to implement appropriate safeguards
  • Documentation: Documentation to support your GDPR compliance efforts

GDPR Compliance Features

Across both deployment models, Penpot includes features to support GDPR principles:

  • Data Minimization: Only essential personal data is collected
  • Purpose Limitation: Clear purposes for all data collection
  • Consent Management: Mechanisms for obtaining and recording user consent
  • Data Subject Rights: Features to support data access, rectification, and erasure requests
  • Records of Processing: Clear documentation of data processing activities

Subprocessors and Third Parties

Cloud Service:

  • FLOSSystems SL (Spain): Infrastructure optimization services with server access
  • Marketing/Analytics Services: CUSTOMER.IO, POSTHOG, HUBSPOT, Inkeep, Google Analytics
  • Transparency: Clear documentation of all subprocessors

Self-Hosted:

  • No third-party data processing by Penpot
  • Your organization controls all data processing activities
  • Your organization determines which third parties have access to data

International Data Transfers

Cloud Service:

  • EU-based data center hosting
  • Appropriate safeguards for any necessary data transfers
  • Data transfer impact assessments
  • Standard contractual clauses where applicable

Self-Hosted:

  • Complete control over data location
  • No data transfer to Penpot
  • Data remains within your chosen jurisdiction

Continuous Monitoring & Improvements

Penpot is committed to continuous security monitoring and improvement across both deployment models, though responsibilities differ significantly.

Cloud Service Monitoring

For our cloud service, Penpot implements comprehensive monitoring:

  • Security Monitoring: Automated monitoring of security events
  • Intrusion Detection: Monitoring for unauthorized access attempts
  • Vulnerability Scanning: Regular automated scanning for vulnerabilities
  • Penetration Testing: Periodic penetration testing conducted by qualified third parties (e.g., Tarlogic Security S.L.)
  • Code Reviews: Security-focused code reviews as part of the development process
  • Dependency Analysis: Monitoring of third-party components for vulnerabilities
  • Community Security Reports: Process for handling security issues reported by the community
  • Compliance Monitoring: Ongoing verification of compliance requirements
  • Threshold Controls: Monitoring for unusual activity patterns, like surges in signups or resource usage

Self-Hosted Monitoring Support

For self-hosted deployments, monitoring responsibilities fall to your organization, with Penpot providing:

  • Logging Framework: Comprehensive logging capabilities you can integrate with your monitoring systems
  • Security Alerts: Notifications about discovered vulnerabilities affecting Penpot
  • Monitoring Guidance: Recommendations for effective security monitoring
  • Integration Capabilities: APIs for integration with your security monitoring tools
  • Documentation: Documentation to support your monitoring configuration

Security Updates

Cloud Service:

  • Automatic Updates: Regular security updates applied automatically
  • No-Downtime Patching: Updates applied with minimal service disruption
  • Emergency Response: Expedited process for critical security vulnerabilities
  • Update Verification: Testing before deployment to production environment
  • Update Notification: Communication about significant security updates

Self-Hosted:

  • Update Availability: Timely availability of security patches
  • Update Notifications: Communication about security-related updates
  • Documentation: Clear update instructions and release notes
  • Version Support: Clear policy on supported versions
  • Update Flexibility: You control when and how updates are applied

Vulnerability Management

Cloud Service:

  • Vulnerability Assessment: Regular internal and external vulnerability assessments
  • Assessment Results: Documented results of vulnerability assessments
  • Remediation Process: Structured process for addressing discovered vulnerabilities
  • Customer Notification: Process for notifying customers of vulnerabilities affecting their data
  • Remediation SLAs: Defined timeframes for addressing vulnerabilities based on severity

Self-Hosted:

  • Security Bulletins: Notifications of vulnerabilities affecting Penpot
  • Patch Availability: Timely provision of security patches
  • Guidance: Recommendations for assessing and addressing vulnerabilities in your deployment

Security Incident Response

Penpot takes a structured approach to security incident response, with significant differences between deployment models.

Cloud Service Incident Response

For our cloud service, Penpot manages the full incident response lifecycle:

  • Preparation: Documented procedures, tools, and regular training for effective response
  • Analysis: 24/7 monitoring to identify and assess potential incidents
  • Containment: Rapid containment to limit the impact of confirmed incidents
  • Eradication: Removal of threat actors and vulnerability remediation
  • Recovery: Systematic restoration of systems to normal operation
  • Post-Incident Analysis: Thorough review to identify improvements

Incident Communication:

  • Customer Notification: Timely notification of security incidents affecting customer data
  • Transparency: Clear communication about incident details and remediation steps
  • Regulatory Reporting: Support for customer regulatory reporting requirements
  • Status Updates: Regular updates during prolonged incidents

Self-Hosted Incident Response Support

For self-hosted deployments, your organization leads incident response, with Penpot providing:

  • Security Advisories: Timely notifications about discovered vulnerabilities
  • Remediation Guidance: Technical guidance for addressing security issues
  • Patch Availability: Emergency patches for critical vulnerabilities
  • Technical Support: Support for security-related issues (Enterprise tier)
  • Documentation: Reference materials for effective incident response

Your Incident Response Responsibilities:

  • Monitoring your Penpot deployment for security events
  • Implementing an incident response plan for your Penpot deployment
  • Containing and remediating incidents within your environment
  • Conducting post-incident analysis and implementing improvements
  • Handling any required regulatory or customer notifications

Incident Severity Classification

Both Models: Penpot classifies security incidents based on severity:

Severity  Description                                        Response Time
Critical  Major data breach, significant service disruption  Immediate response
High      Limited data exposure, functional impairment       Response within hours
Medium    Minor security issue, limited impact               Response within days
Low       Minimal security concern, no immediate risk        Scheduled remediation

Cloud Service: We handle incidents according to defined SLAs based on severity.

Self-Hosted: We provide patches at these priority levels, but implementation remains your responsibility.

Conclusion

Penpot's security and compliance approach combines the transparency benefits of open source with robust security practices and flexible deployment options. Our dual-model approach—Cloud Service and Self-Hosted—provides organizations with options that align with their specific security and compliance requirements.

Cloud Service Summary

Our Cloud Service offers:

  • Professionally managed security infrastructure
  • Automatic updates and security patches
  • Implemented compliance controls
  • Continuous security monitoring
  • Incident response capabilities
  • Standardized compliance documentation

This option is ideal for organizations seeking a secure, managed solution without the overhead of maintaining their own infrastructure.

Self-Hosted Summary

Our Self-Hosted option provides:

  • Complete control over your security environment
  • Data sovereignty and residency control
  • Integration with your existing security infrastructure
  • Flexibility to meet specific compliance requirements
  • Deployment in air-gapped or high-security environments
  • Support for implementing custom security controls

This option is ideal for organizations with specific security or compliance requirements, particularly those in regulated industries or government sectors.

Commitment to Security

Regardless of deployment model, Penpot is committed to security:

  • Our open-source approach ensures transparency in our security implementations
  • Community scrutiny adds an additional layer of security validation
  • Regular updates address emerging security threats
  • Comprehensive documentation supports your security efforts
  • Responsive security team addresses emerging vulnerabilities

We believe that secure design collaboration is essential and should be accessible to all organizations, regardless of their security or compliance requirements.

References and contact information

For security-related inquiries or to report security concerns:

Contacts

Legal documents:

Technical documents:

Last updated: February 10th 2025