Security & Compliance

An independent validation of Devolutions Server, Remote Desktop Manager and Password Hub's features were determined to be consistent with the Administrative, Physical, and Technical requirements of HIPAA’s Security Rule.

Devolutions collects and processes personal data of European individuals in compliance with the GDPR, whether as a controller or as a processor, as detailed in its Privacy Policy and its Data Processing Addendum.

To ensure that Remote Desktop Manager complies with restrictions in highly sensitive environments, we have aligned it with this standard’s approved security functions for encryption at rest and in transit.

A SOC3/2 (Service Organization Control) report is an independent opinion aiming to provide reasonable assurance on the suitability of design and effectiveness of controls for a service. Devolutions Password Hub for Business and Personal are both covered by this annual report.

Devolutions Information Security Management System (ISMS) is compliant with the standard under the following scope: Information security for software development and customer support for password and remote connection products and services in accordance with the Statement of Applicability V.2.

Devolutions does not store, process, or transmit any payment card information. These functions are handled by our trusted and accredited partners Stripe and Paypal.

To better streamline vulnerability disclosure processes and promote transparency across the security of products, Devolutions has enrolled successfully in the CVE Numbering Authority (CNA) program managed by MITRE.

In-Sec-M aims to promote the cybersecurity industry and increase the innovation, commercialization, and growth capabilities of businesses in this field.

Our infrastructure and services leverage secure and resilient cloud services provided by Microsoft Azure. Security compliance and requirements are reviewed periodically by the Chief Security Officer and the Director of Legal Affairs to ensure alignment with high security standards.

Zero-knowledge encryption provides customer information confidentiality by leveraging cryptography that prevents Devolutions’s personnel from accessing data. Client-side encryption and asymmetric cryptography contribute to protecting customer data, even from us!

Devolutions uses GitHub, a well-known and widely accepted version control system, to protect and manage source code.

Our cryptographic library, DevolutionsCrypto, has been published on GitHub. We encourage the community to review this implementation and report any appropriate feedback for product safety and improvement.

All our products and services undergo penetration testing activities internally and by external firms. Our security team works closely with developers to provide help and contribute to secure coding.

Devolutions has a formal Responsible Disclosure process that includes channels for reporting vulnerabilities, risk evaluation and remediation processes, and public-facing Security Advisories to advise customers once they are fixed.

The organization has adopted a formal Enterprise Risk Management framework that covers all risks that could negatively affect our products and services as well as risks that may endanger business continuity.

The ERM framework is approved by the Board of Directors and managed under the responsibility of the Executive Committee and the Director of Legal Affairs, Risk, and Compliance.

Our supporting applications and infrastructure are configured to use MFA to prevent unauthorized access. All our products and services support the use of MFA for your own benefit.

Being a leader in remote connection and access management would not be credible without abiding by a strong Identity and Access Management (IAM) program that enforces the use of PIM and PAM technologies for privileged accounts. Dogfooding our own products and services allows us to deliver high quality and very useful feature sets for our customers.

The security program is managed and operated by a Devolutions-owned and highly qualified information security team that cumulates accreditations and certifications from the most respected authorities in the industry including, but not limited to: (ISC)2, ISACA, Cloud Security Alliance, Offensive Security, and Identity Management Institute.