OutSystems allows the development of enterprise web and mobile applications that run in different infrastructure models:
OutSystems cloud: deployed on Amazon Web Services (AWS) and managed by OutSystems
Customer-managed: including on-premises, public, and private cloud
When activating a subscription, and depending on infrastructure choice, all environments are deployed to either the OutSystems cloud or the customer-managed infrastructure.
Learn more in Possible setups for an OutSystems infrastructure.
Shared Responsibility Model
In the OutSystems cloud model, OutSystems shares control of the cloud environments with you. This approach relieves you of the operational burden as OutSystems operates, manages, and controls the components from the platform down to the infrastructure (illustrated in the left red banner of the picture below).
OutSystems part in this shared responsibility model is to provide a highly secure cloud environment to protect the applications you build and the data they use. OutSystems is responsible for applying security fixes to the platform and underlying infrastructure, and conducting security scans to detect potential vulnerabilities.
Your responsibilities include securing the applications and integrations you develop with OutSystems using approaches such as:
Applying secure development techniques and conducting code security reviews
Using OutSystems identity and access management capabilities
Encrypting sensitive data
Identifying application vulnerabilities through vulnerability assessments and penetration testing
Cooperating to mitigate product vulnerabilities and associated risks
You are responsible for the management of applications during their life cycle, from development to production. Customers should carefully consider the security and compliance requirements of their applications, applying one or more control layers, as required.
OutSystems communicates its cloud security and controls in a number of different ways:
Obtaining industry certifications and independent third-party attestations;
Publishing information about OutSystems security and control practices;
Providing trust certificates and reports, and other documentation to OutSystems customers, some of them under NDA (as required).
Refer to OutSystems ISO 27017 certification for details on cloud-specific information security controls, and the shared responsibility model.